AWS Security Hub

Integration version: 7.0

Use Cases

  1. Ingest findings into Google Security Operations SOAR for investigation
  2. Active actions - create insights, update insights, update findings, get insight details

Configure AWS Security Hub integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
AWS Access Key ID String N/A Yes AWS Access Key ID to use in integration.
AWS Secret Key Password N/A Yes AWS Secret Key to use in integration.
AWS Default Region String N/A Yes AWS default region to use in integration, for example us-west-2.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to AWS Security Hub with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the AWS Security Hub server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the AWS Security Hub! Error is {0}".format(exception.stacktrace)

Genera

Update Finding

Description

Update findings in AWS Security Hub.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
ID String N/A Yes Specify ID of the finding that you want to update.
Product ARN String N/A Yes Specify the product ARN of the finding that you want to update.
Note String N/A No Specify new text for the note on the finding. Note: If the "Note" parameter has a value, you should also fill out the "Note Author" parameter. This is an AWS Security Hub limitation.
Note Author String N/A No Specify the author of the note. Note: If the "Note Author" parameter has a value, you should also fill out the "Note" parameter. This is an AWS Security Hub limitation.
Severity DDL

Select One

Possible Value

Critical

High

Medium

Low

Informational

No Specify new severity for the finding.
Verification State DDL

Select One

Possible values

Unknown

True Positive

False Positive

Benign Positive

No Specify a new verification state for the finding.
Confidence Integer N/A No Specify new confidence for the finding. Maximum is 100.
Criticality Integer N/A No Specify new criticality for the finding. Maximum is 100.
Types CSV N/A No Specify a comma-separated list of types for the finding. Example: type1,type2
Workflow Status DDL

Select One

Possible values

New

Notified

Resolved

Suppressed

No Specify new workflow status for the finding.
Custom Fields CSV N/A No

Specify custom fields that should be updated in the finding.

Format: Custom_field_1:value,Custom_field_2:value

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message\*

The action should not fail nor stop a playbook execution:

If no entries in the 'Unprocessed Findings'(is_success = true) "Successfully updated finding with ID '{0}' and Product ARN '{1}' in AWS Security Hub".format(Finding ID, Product Arn)

If "ErrorCode" in the response (is_success=false): "Action wasn't able to update finding with ID '{0}' and Product ARN '{1}' in AWS Security Hub. Reason: {2}".format(ID, Product,ErrorMessage)

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Update Finding". Reason: {0}''.format(error.Stacktrace)

If "Note" parameter is specified without "Note Author" and vice versa: "Error executing action "Update Finding". Reason: "Note" and "Note Author" should be both specified.''.format(error.Stacktrace)

General

Create Insight

Description

Create an insight in AWS Security Hub.

How to work with Filter JSON Object parameter

In order to create insight in AWS Security Hub, you need to apply filters for the findings that are available in the system.

The structure of the filter with all possible configurations looks like this:

{
    "ProductArn": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "AwsAccountId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Id": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "GeneratorId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Type": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "FirstObservedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "LastObservedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "CreatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "UpdatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "SeverityProduct": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "SeverityNormalized": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "SeverityLabel": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Confidence": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "Criticality": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "Title": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Description": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RecommendationText": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "SourceUrl": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProductFields": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "ProductName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "CompanyName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "UserDefinedFields": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "MalwareName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "MalwareType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "MalwarePath": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "MalwareState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkDirection": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkProtocol": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkSourceIpV4": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkSourceIpV6": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkSourcePort": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "NetworkSourceDomain": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkSourceMac": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkDestinationIpV4": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkDestinationIpV6": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkDestinationPort": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "NetworkDestinationDomain": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProcessName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProcessPath": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProcessPid": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "ProcessParentPid": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "ProcessLaunchedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ProcessTerminatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ThreatIntelIndicatorType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorValue": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorCategory": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorLastObservedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ThreatIntelIndicatorSource": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorSourceUrl": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourcePartition": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceRegion": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceTags": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceImageId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceIpV4Addresses": [
        {
            "Cidr": "string"
        }
    ],
    "ResourceAwsEc2InstanceIpV6Addresses": [
        {
            "Cidr": "string"
        }
    ],
    "ResourceAwsEc2InstanceKeyName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceIamInstanceProfileArn": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceVpcId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceSubnetId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceLaunchedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ResourceAwsS3BucketOwnerId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsS3BucketOwnerName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsIamAccessKeyUserName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsIamAccessKeyStatus": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsIamAccessKeyCreatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ResourceContainerName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceContainerImageId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceContainerImageName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceContainerLaunchedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ResourceDetailsOther": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "ComplianceStatus": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "VerificationState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "WorkflowState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "WorkflowStatus": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RecordState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RelatedFindingsProductArn": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RelatedFindingsId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NoteText": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NoteUpdatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "NoteUpdatedBy": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Keyword": [
        {
            "Value": "string"
        }
    ]
}

Example of a filter that will return only findings with severity "Critical":

{
    "SeverityLabel": [
        {
            "Value": "CRITICAL",
            "Comparison": "EQUALS"
        }
    ]
}

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Insight Name String N/A Yes

Specify the name of the insight.

Group By Attribute DDL

AWS Account ID

Possible Values

AWS Account ID

Company Name

Status

Generator ID

Malware Name

Process Name

Threat Intel Type

Product ARN

Product Name

Record State

EC2 Instance Image ID

EC2 Instance IPv4

EC2 Instance IPv6

EC2 Instance Key Name

EC2 Instance Subnet ID

EC2 Instance Type

EC2 Instance VPC ID

IAM Access Key User Name

S3 Bucket Owner Name

Container Image ID

Container Image Name

Container Name

Resource ID

Resource Type

Severity Label

Source URL

Type

Verification State

Workflow Status

Yes Specify the name of the attribute by which findings should be grouped under one insight.
Filter JSON Object String N/A Yes Specify a filter for the findings. Filter is represented as a JSON object, where you can specify different attributes and values. Please refer to action documentation for more details.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "InsightArn": "arn:aws:securityhub:us-east-2:962970284126:insight/962970284126/custom/da74bc5f-b024-4d6f-8077-3f8161c1f41d",
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status code == 200 (is_success = true) "Successfully created '{0}' insight in AWS Security Hub".format("Insight Name")

If other status code (is_success=false): "Action wasn't able to create '{0}' insight.".format(Insight Name)

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Insight". Reason: {0}''.format(error.Stacktrace)

General

Update Insight

Description

Update an insight in AWS Security Hub.

How to work with the Filter JSON Object parameter

In order to create an insight in AWS Security Hub, you need to apply filters for the findings that are available in the system.

The structure of the filter with all possible configurations looks like this:

{
    "ProductArn": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "AwsAccountId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Id": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "GeneratorId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Type": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "FirstObservedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "LastObservedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "CreatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "UpdatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "SeverityProduct": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "SeverityNormalized": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "SeverityLabel": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Confidence": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "Criticality": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "Title": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Description": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RecommendationText": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "SourceUrl": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProductFields": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "ProductName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "CompanyName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "UserDefinedFields": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "MalwareName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "MalwareType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "MalwarePath": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "MalwareState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkDirection": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkProtocol": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkSourceIpV4": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkSourceIpV6": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkSourcePort": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "NetworkSourceDomain": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkSourceMac": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NetworkDestinationIpV4": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkDestinationIpV6": [
        {
            "Cidr": "string"
        }
    ],
    "NetworkDestinationPort": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "NetworkDestinationDomain": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProcessName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProcessPath": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ProcessPid": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "ProcessParentPid": [
        {
            "Gte": 123.0,
            "Lte": 123.0,
            "Eq": 123.0
        }
    ],
    "ProcessLaunchedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ProcessTerminatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ThreatIntelIndicatorType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorValue": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorCategory": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorLastObservedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ThreatIntelIndicatorSource": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ThreatIntelIndicatorSourceUrl": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourcePartition": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceRegion": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceTags": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceType": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceImageId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceIpV4Addresses": [
        {
            "Cidr": "string"
        }
    ],
    "ResourceAwsEc2InstanceIpV6Addresses": [
        {
            "Cidr": "string"
        }
    ],
    "ResourceAwsEc2InstanceKeyName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceIamInstanceProfileArn": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceVpcId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceSubnetId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsEc2InstanceLaunchedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ResourceAwsS3BucketOwnerId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsS3BucketOwnerName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsIamAccessKeyUserName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsIamAccessKeyStatus": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceAwsIamAccessKeyCreatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ResourceContainerName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceContainerImageId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceContainerImageName": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "ResourceContainerLaunchedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "ResourceDetailsOther": [
        {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"
        }
    ],
    "ComplianceStatus": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "VerificationState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "WorkflowState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "WorkflowStatus": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RecordState": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RelatedFindingsProductArn": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "RelatedFindingsId": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NoteText": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "NoteUpdatedAt": [
        {
            "Start": "string",
            "End": "string",
            "DateRange": {
                "Value": 123,
                "Unit": "DAYS"
            }
        }
    ],
    "NoteUpdatedBy": [
        {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"
        }
    ],
    "Keyword": [
        {
            "Value": "string"
        }
    ]
}

Example of a filter that will return only findings with severity "Critical":

{
    "SeverityLabel": [
        {
            "Value": "CRITICAL",
            "Comparison": "EQUALS"
        }
    ]
}

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Insight ARN String N/A Yes Specify the ARN of the insight.
Insight Name String N/A No Specify the new name of the insight.
Group By Attribute DDL

Select One

Possible Values

AWS Account ID

Company Name

Status

Generator ID

Malware Name

Process Name

Threat Intel Type

Product ARN

Product Name

Record State

EC2 Instance Image ID

EC2 Instance IPv4

EC2 Instance IPv6

EC2 Instance Key Name

EC2 Instance Subnet ID

EC2 Instance Type

EC2 Instance VPC ID

IAM Access Key User Name

S3 Bucket Owner Name

Container Image ID

Container Image Name

Container Name

Resource ID

Resource Type

Severity Label

Source URL

Type

Verification State

Workflow Status

No

Specify a new name of the attribute by which findings should be grouped under one insight.

Filter JSON Object String No

Specify a new filter for the findings. Filter is represented >as a JSON object, where you can specify different attributes and values. Please refer to action documentation for more details.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status code == 204 (is_success = true) "Successfully updated '{0}' insight in AWS Security Hub".format("Insight ARN")

If other status code (is_success=false): "Action wasn't able to update '{0}' insight.".format(Insight ARN)

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Update Insight". Reason: {0}''.format(error.Stacktrace)

Get Insight Details

Description

Return detailed information about insight in AWS Security Hub.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Insight ARN String N/A Yes Specify the ARN of the insight.
Max Results To Return Integer 50 Yes Specify how many results to return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
"InsightResults": {
        "InsightArn": "arn:aws:securityhub:::insight/securityhub/default/1",
        "GroupByAttribute": "ResourceId",
        "ResultValues": [
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-arcsight-v-27-0-getreportstatus",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-arcsight-v-27-0-searchactionbug",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-arcsight-v-27-0-unicodeandlogs",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-automation-v-1-0",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-awss3-v-1-0",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-azureactivedirectory-v-4-0",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-bootcamp-v-1-0",
                "Count": 5
            },
            {
                "GroupByAttributeValue": "arn:aws:s3:::int-categories",
                "Count": 5
            }
        ]
    }
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If status code == 200 (is_success = true) "Successfully returned details about Insight with ARN '{0}' in AWS Security Hub".format(Insight ARN)

If other status code (is_success=false): "Error executing action "Get Insight Details". Reason: {0}''.format(error.Stacktrace)

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Get Insight Details". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: '{0}' Bucket Objects

Columns:

  • Name (mapped as GroupByAttributeValue)
  • Count (mapped as Count)
General

Connectors

AWS Security Hub - Findings Connector

Description

Pull findings from AWS Security Hub.

Configure AWS Security Hub - Findings Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String alertType Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern

String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
AWS Access Key ID String N/A True AWS Access Key ID to use in integration.
AWS Secret Key Password N/A True AWS Secret Key to use in integration.
AWS Default Region String N/A True AWS default region to use in integration, for example us-west-2.
Lowest Severity To Fetch String Medium Yes

Lowest severity that will be used to fetch findings.

Possible values:

  • Informational
  • Low
  • Medium
  • High
  • Critical
Fetch Max Hours Backwards Integer 1 No Amount of hours from where to fetch findings.
Max Findings To Fetch Integer 50 No How many findings to process per one connector iteration.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the Anomali Staxx server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports Proxy.