[ aws . securityhub ]

batch-import-findings

Description

Imports security findings generated from an integrated third-party product into Security Hub. This action is requested by the integrated product to import its findings into Security Hub. The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  batch-import-findings
--findings <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--findings (list)

A list of findings to import. To successfully import a finding, it must follow the AWS Security Finding Format.

JSON Syntax:

[
  {
    "SchemaVersion": "string",
    "Id": "string",
    "ProductArn": "string",
    "GeneratorId": "string",
    "AwsAccountId": "string",
    "Types": ["string", ...],
    "FirstObservedAt": "string",
    "LastObservedAt": "string",
    "CreatedAt": "string",
    "UpdatedAt": "string",
    "Severity": {
      "Product": double,
      "Normalized": integer
    },
    "Confidence": integer,
    "Criticality": integer,
    "Title": "string",
    "Description": "string",
    "Remediation": {
      "Recommendation": {
        "Text": "string",
        "Url": "string"
      }
    },
    "SourceUrl": "string",
    "ProductFields": {"string": "string"
      ...},
    "UserDefinedFields": {"string": "string"
      ...},
    "Malware": [
      {
        "Name": "string",
        "Type": "ADWARE"|"BLENDED_THREAT"|"BOTNET_AGENT"|"COIN_MINER"|"EXPLOIT_KIT"|"KEYLOGGER"|"MACRO"|"POTENTIALLY_UNWANTED"|"SPYWARE"|"RANSOMWARE"|"REMOTE_ACCESS"|"ROOTKIT"|"TROJAN"|"VIRUS"|"WORM",
        "Path": "string",
        "State": "OBSERVED"|"REMOVAL_FAILED"|"REMOVED"
      }
      ...
    ],
    "Network": {
      "Direction": "IN"|"OUT",
      "Protocol": "string",
      "SourceIpV4": "string",
      "SourceIpV6": "string",
      "SourcePort": integer,
      "SourceDomain": "string",
      "SourceMac": "string",
      "DestinationIpV4": "string",
      "DestinationIpV6": "string",
      "DestinationPort": integer,
      "DestinationDomain": "string"
    },
    "Process": {
      "Name": "string",
      "Path": "string",
      "Pid": integer,
      "ParentPid": integer,
      "LaunchedAt": "string",
      "TerminatedAt": "string"
    },
    "ThreatIntelIndicators": [
      {
        "Type": "DOMAIN"|"EMAIL_ADDRESS"|"HASH_MD5"|"HASH_SHA1"|"HASH_SHA256"|"HASH_SHA512"|"IPV4_ADDRESS"|"IPV6_ADDRESS"|"MUTEX"|"PROCESS"|"URL",
        "Value": "string",
        "Category": "BACKDOOR"|"CARD_STEALER"|"COMMAND_AND_CONTROL"|"DROP_SITE"|"EXPLOIT_SITE"|"KEYLOGGER",
        "LastObservedAt": "string",
        "Source": "string",
        "SourceUrl": "string"
      }
      ...
    ],
    "Resources": [
      {
        "Type": "string",
        "Id": "string",
        "Partition": "aws"|"aws-cn"|"aws-us-gov",
        "Region": "string",
        "Tags": {"string": "string"
          ...},
        "Details": {
          "AwsEc2Instance": {
            "Type": "string",
            "ImageId": "string",
            "IpV4Addresses": ["string", ...],
            "IpV6Addresses": ["string", ...],
            "KeyName": "string",
            "IamInstanceProfileArn": "string",
            "VpcId": "string",
            "SubnetId": "string",
            "LaunchedAt": "string"
          },
          "AwsS3Bucket": {
            "OwnerId": "string",
            "OwnerName": "string"
          },
          "AwsIamAccessKey": {
            "UserName": "string",
            "Status": "Active"|"Inactive",
            "CreatedAt": "string"
          },
          "Container": {
            "Name": "string",
            "ImageId": "string",
            "ImageName": "string",
            "LaunchedAt": "string"
          },
          "Other": {"string": "string"
            ...}
        }
      }
      ...
    ],
    "Compliance": {
      "Status": "PASSED"|"WARNING"|"FAILED"|"NOT_AVAILABLE"
    },
    "VerificationState": "UNKNOWN"|"TRUE_POSITIVE"|"FALSE_POSITIVE"|"BENIGN_POSITIVE",
    "WorkflowState": "NEW"|"ASSIGNED"|"IN_PROGRESS"|"DEFERRED"|"RESOLVED",
    "RecordState": "ACTIVE"|"ARCHIVED",
    "RelatedFindings": [
      {
        "ProductArn": "string",
        "Id": "string"
      }
      ...
    ],
    "Note": {
      "Text": "string",
      "UpdatedBy": "string",
      "UpdatedAt": "string"
    }
  }
  ...
]

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
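As an added example, not part of the AWS CLI reference or of any AWS SDK, the Python script below turns results from a hypothetical in-house scanner (the constructed SCANNER_RESULTS list) into findings shaped like the JSON syntax above, validates each one against the 240 Kb limit and the enumerations the reference lists, splits them into files in the {"Findings": [...]} shape that --cli-input-json consumes, and prints the commands to run. The required-attribute set, the 100-findings batch size, the account id, the scanner data and the severity mapping are assumptions of the example rather than statements from this page.

```python
"""Build, validate and batch findings for `aws securityhub batch-import-findings`.

Added example, not AWS code. The scanner data, account id, required-attribute
set and batch size below are constructed assumptions for illustration.
"""
import json
from datetime import datetime, timezone

MAX_FINDING_BYTES = 240 * 1024   # per-finding limit stated in the reference (240 Kb)
BATCH_SIZE = 100                 # assumption: findings per call; not stated on this page
ACCOUNT_ID = "123456789012"      # constructed placeholder account id
# Custom integrations publish under the account's own "default" product ARN.
PRODUCT_ARN = f"arn:aws:securityhub:us-east-1:{ACCOUNT_ID}:product/{ACCOUNT_ID}/default"

# Constructed output of a hypothetical host scanner: score is on a 0-10 scale.
SCANNER_RESULTS = [
    {"host_id": "i-0123456789abcdef0", "region": "us-east-1", "rule": "ssh-password-auth",
     "title": "SSH password authentication enabled", "score": 7.5},
    {"host_id": "i-0fedcba9876543210", "region": "us-east-1", "rule": "unpatched-kernel",
     "title": "Kernel missing security updates", "score": 9.1},
]

# Assumption: attributes treated as mandatory here; the reference page itself
# does not enumerate which ASFF attributes are required.
REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
            "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")
# Enumerations copied from the JSON syntax in the reference.
ENUMS = {
    "RecordState": {"ACTIVE", "ARCHIVED"},
    "WorkflowState": {"NEW", "ASSIGNED", "IN_PROGRESS", "DEFERRED", "RESOLVED"},
    "VerificationState": {"UNKNOWN", "TRUE_POSITIVE", "FALSE_POSITIVE", "BENIGN_POSITIVE"},
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_finding(result, account_id=ACCOUNT_ID, product_arn=PRODUCT_ARN, now=None):
    """Map one scanner result onto the finding structure shown in the reference."""
    ts = now or _now()
    return {
        "SchemaVersion": "2018-10-08",
        # Stable Id per host and rule, so a re-scan updates the finding instead of duplicating it.
        "Id": f"{result['region']}/{result['host_id']}/{result['rule']}",
        "ProductArn": product_arn,
        "GeneratorId": f"scanner/{result['rule']}",
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        # Product keeps the scanner's own score; Normalized maps 0-10 onto 0-100 (our choice).
        "Severity": {"Product": result["score"], "Normalized": int(round(result["score"] * 10))},
        "Title": result["title"],
        "Description": f"Rule {result['rule']} triggered on {result['host_id']}",
        "Resources": [{
            "Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:{result['region']}:{account_id}:instance/{result['host_id']}",
            "Partition": "aws",
            "Region": result["region"],
        }],
        "RecordState": "ACTIVE",
        "WorkflowState": "NEW",
    }


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding can be submitted."""
    problems = [f"missing {k}" for k in REQUIRED if k not in finding]
    for key, allowed in ENUMS.items():
        if key in finding and finding[key] not in allowed:
            problems.append(f"{key}={finding[key]!r} not in {sorted(allowed)}")
    size = len(json.dumps(finding, separators=(",", ":")).encode("utf-8"))
    if size > MAX_FINDING_BYTES:
        problems.append(f"finding is {size} bytes, over the 240 Kb limit")
    return problems


def batch_requests(findings, batch_size=BATCH_SIZE):
    """Yield request bodies in the shape --cli-input-json expects, batch_size findings each."""
    for i in range(0, len(findings), batch_size):
        yield {"Findings": findings[i:i + batch_size]}


def write_batches(findings, prefix="findings-batch"):
    """Write one JSON file per batch and return the paths."""
    paths = []
    for n, body in enumerate(batch_requests(findings)):
        path = f"{prefix}-{n}.json"
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh)
        paths.append(path)
    return paths


if __name__ == "__main__":
    findings = [build_finding(r) for r in SCANNER_RESULTS]
    problems = {f["Id"]: validate_finding(f) for f in findings}
    for fid, probs in problems.items():
        if probs:
            print(f"skipping {fid}: {'; '.join(probs)}")
    ok = [f for f in findings if not problems[f["Id"]]]
    for path in write_batches(ok):
        print(f"aws securityhub batch-import-findings --cli-input-json file://{path}")
```

Running the script writes findings-batch-0.json and prints the command that imports it; validation runs before anything is written so an oversized or malformed finding is reported locally instead of coming back in FailedFindings.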

See 'aws help' for descriptions of global parameters.

Output

FailedCount -> (integer)

The number of findings that failed to import.

SuccessCount -> (integer)

The number of findings that were successfully imported.

FailedFindings -> (list)

The list of the findings that failed to import.

(structure)

Includes details of the list of the findings that can't be imported.

Id -> (string)

The ID of the error made during the BatchImportFindings operation.

ErrorCode -> (string)

The code of the error made during the BatchImportFindings operation.

ErrorMessage -> (string)

The message of the error made during the BatchImportFindings operation.
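A call can complete while still rejecting part of the batch, and FailedCount together with FailedFindings is the only record of which findings were dropped, so a pipeline that feeds Security Hub should read them rather than treat a completed command as success. As an added example that is not AWS code, the Python function below reconciles a constructed response (shaped like the output above; the error code and message are placeholders, not documented values) with the batch that was submitted, and flags any inconsistency between the reported counts and the lists.

```python
"""Reconcile a batch-import-findings response with the submitted batch.

Added example, not AWS code. SUBMITTED and RESPONSE_JSON are constructed
samples shaped like the reference's Output section; the ErrorCode and
ErrorMessage values are placeholders, not documented Security Hub values.
"""
import json

# Constructed: the findings that were sent (only Id matters for reconciliation).
SUBMITTED = [
    {"Id": "us-east-1/i-0123/ssh-password-auth"},
    {"Id": "us-east-1/i-0456/unpatched-kernel"},
    {"Id": "us-east-1/i-0789/open-s3-bucket"},
]

# Constructed: a response with the fields listed under Output, one finding rejected.
RESPONSE_JSON = json.dumps({
    "FailedCount": 1,
    "SuccessCount": 2,
    "FailedFindings": [{
        "Id": "us-east-1/i-0789/open-s3-bucket",
        "ErrorCode": "ExampleErrorCode",     # placeholder
        "ErrorMessage": "example message explaining why the finding was rejected",
    }],
})


def reconcile(submitted, response_json):
    """Split the submitted batch by outcome and check the counts against the lists."""
    resp = json.loads(response_json)
    failed = {f["Id"]: (f["ErrorCode"], f["ErrorMessage"])
              for f in resp.get("FailedFindings", [])}
    succeeded = [f["Id"] for f in submitted if f["Id"] not in failed]
    counts_consistent = (
        resp["FailedCount"] == len(failed)
        and resp["SuccessCount"] == len(succeeded)
        and resp["FailedCount"] + resp["SuccessCount"] == len(submitted)
    )
    return {"succeeded": succeeded, "failed": failed, "counts_consistent": counts_consistent}


if __name__ == "__main__":
    outcome = reconcile(SUBMITTED, RESPONSE_JSON)
    print(f"imported {len(outcome['succeeded'])}, rejected {len(outcome['failed'])}")
    for fid, (code, msg) in outcome["failed"].items():
        print(f"  {fid}: {code}: {msg}")
    if not outcome["counts_consistent"]:
        print("  warning: FailedCount/SuccessCount do not match the lists")
```

In a real pipeline the response comes from the CLI's JSON output of the command; the rejected Ids are the ones to correct and resubmit, and a count mismatch is worth surfacing because it means the response cannot be trusted to account for every finding that was sent.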