Les traductions sont fournies par des outils de traduction automatique. En cas de conflit entre le contenu d'une traduction et celui de la version originale en anglais, la version anglaise prévaudra.
Exemples de règles d'automatisation
Cette section fournit des exemples de règles d'automatisation pour les cas d'utilisation courants de Security Hub CSPM. Ces exemples correspondent à des modèles de règles disponibles sur la console Security Hub CSPM.
Atteignez le niveau de gravité à Critique lorsqu'une ressource spécifique, telle qu'un compartiment S3, est menacée
Dans cet exemple, les critères des règles sont mis ResourceId en correspondance lorsque le résultat correspond à un compartiment Amazon Simple Storage Service (Amazon S3) spécifique. L'action de la règle consiste à modifier la gravité des résultats correspondants enCRITICAL. Vous pouvez modifier ce modèle pour l'appliquer à d'autres ressources.
Exemple de demande d'API :
{ "IsTerminal":true, "RuleName": "Elevate severity of findings that relate to important resources", "RuleOrder":1, "RuleStatus": "ENABLED", "Description": "Elevate finding severity to", "Criteria": { "ProductName": [{ "Value": "CRITICALwhen specific resource such as an S3 bucket is at riskSecurity Hub CSPM", "Comparison": "EQUALS" }], "ComplianceStatus": [{ "Value": "FAILED", "Comparison": "EQUALS" }], "RecordState": [{ "Value": "ACTIVE", "Comparison": "EQUALS" }], "WorkflowStatus": [{ "Value": "NEW", "Comparison": "EQUALS" }], "ResourceId": [{ "Value": "arn:aws:s3:::amzn-s3-demo-bucket/developers/design_info.doc", "Comparison": "EQUALS" }] }, "Actions": [{ "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Severity": { "Label": "CRITICAL" }, "Note": { "Text": "This is a critical resource. Please review ASAP.", "UpdatedBy": "sechub-automation" } } }] }
Exemple de commande CLI :
$aws securityhub create-automation-rule \ --is-terminal \ --rule-name "\ --criteria '{ "ProductName": [{ "Value": "Elevate severity of findings that relate to important resources" \ --rule-order1\ --rule-status "ENABLED" \ --description "Elevate finding severity to"CRITICALwhen specific resource such as an S3 bucket is at riskSecurity Hub CSPM", "Comparison":"EQUALS" }], "ComplianceStatus": [{ "Value": "FAILED", "Comparison": "EQUALS" }], "RecordState": [{ "Value": "ACTIVE", "Comparison": "EQUALS" }], "WorkflowStatus": [{ "Value": "NEW", "Comparison": "EQUALS" }], "ResourceId": [{ "Value": "arn:aws:s3:::amzn-s3-demo-bucket/developers/design_info.doc", "Comparison": "EQUALS" }] }' \ --actions '[{ "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Severity": { "Label": "CRITICAL" }, "Note": { "Text": "This is a critical resource. Please review ASAP.", "UpdatedBy": "sechub-automation" } } }]' \ --regionus-east-1
Accroître la sévérité des constatations relatives aux ressources dans les comptes de production
Dans cet exemple, les critères des règles sont mis en correspondance lorsqu'une constatation de HIGH gravité est générée dans des comptes de production spécifiques. L'action de la règle consiste à modifier la gravité des résultats correspondants enCRITICAL.
Exemple de demande d'API :
{ "IsTerminal":false, "RuleName": "Elevate severity for production accounts", "RuleOrder":1, "RuleStatus": "ENABLED", "Description": "Elevate finding severity from", "Criteria": { "ProductName": [{ "Value": "HIGHtoCRITICALfor findings that relate to resources in specific production accountsSecurity Hub CSPM", "Comparison": "EQUALS" }], "ComplianceStatus": [{ "Value": "FAILED", "Comparison": "EQUALS" }], "RecordState": [{ "Value": "ACTIVE", "Comparison": "EQUALS" }], "WorkflowStatus": [{ "Value": "NEW", "Comparison": "EQUALS" }], "SeverityLabel": [{ "Value": "HIGH", "Comparison": "EQUALS" }], "AwsAccountId": [ { "Value": "111122223333", "Comparison": "EQUALS" }, { "Value": "123456789012", "Comparison": "EQUALS" }] }, "Actions": [{ "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Severity": { "Label": "CRITICAL" }, "Note": { "Text": "A resource in production accounts is at risk. Please review ASAP.", "UpdatedBy": "sechub-automation" } } }] }
Exemple de commande CLI :
aws securityhub create-automation-rule \ --no-is-terminal \ --rule-name"\ --rule-orderElevate severity of findings that relate to resources in production accounts"\ --rule-status1"\ --descriptionENABLED""\ --criteria '{ "ProductName": [{ "Value":Elevate finding severity from"HIGHtoCRITICALfor findings that relate to resources in specific production accounts", "Comparison":Security Hub CSPM""}], "ComplianceStatus": [{ "Value":EQUALS"", "Comparison":FAILED""}], "RecordState": [{ "Value":EQUALS"", "Comparison":ACTIVE""}], "SeverityLabel": [{ "Value":EQUALS"", "Comparison":HIGH""}], "AwsAccountId": [ { "Value":EQUALS"", "Comparison":111122223333""}, { "Value":EQUALS"", "Comparison":123456789012""}] }' \ --actions '[{ "Type":EQUALS""FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Severity": { "Label":"}, "Note": { "Text":CRITICAL"", "UpdatedBy":A resource in production accounts is at risk. Please review ASAP.""} } }]' \ --regionsechub-automation"us-east-1
Supprimer les résultats informationnels
Dans cet exemple, les critères des règles sont mis en correspondance pour les résultats de INFORMATIONAL gravité envoyés à Security Hub CSPM par Amazon. GuardDuty L'action de la règle consiste à modifier le statut du flux de travail des résultats correspondants surSUPPRESSED.
Exemple de demande d'API :
{ "IsTerminal":false, "RuleName": "Suppress informational findings", "RuleOrder":1, "RuleStatus": "ENABLED", "Description": "Suppress GuardDuty findings with", "Criteria": { "ProductName": [{ "Value": "INFORMATIONALseverityGuardDuty", "Comparison": "EQUALS" }], "RecordState": [{ "Value": "ACTIVE", "Comparison": "EQUALS" }], "WorkflowStatus": [{ "Value": "NEW", "Comparison": "EQUALS" }], "SeverityLabel": [{ "Value": "INFORMATIONAL", "Comparison": "EQUALS" }] }, "Actions": [{ "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Workflow": { "Status": "SUPPRESSED" }, "Note": { "Text": "Automatically suppress GuardDuty findings with", "UpdatedBy": "INFORMATIONALseveritysechub-automation" } } }] }
Exemple de commande CLI :
aws securityhub create-automation-rule \ --no-is-terminal \ --rule-name"\ --rule-orderSuppress informational findings"\ --rule-status1"\ --descriptionENABLED""\ --criteria '{ "ProductName": [{ "Value":Suppress GuardDuty findings with"INFORMATIONALseverity", "Comparison":GuardDuty""}], "ComplianceStatus": [{ "Value":EQUALS"", "Comparison":FAILED""}], "RecordState": [{ "Value":EQUALS"", "Comparison":ACTIVE""}], "WorkflowStatus": [{ "Value":EQUALS"", "Comparison":NEW""}], "SeverityLabel": [{ "Value":EQUALS"", "Comparison":INFORMATIONAL""}] }' \ --actions '[{ "Type":EQUALS""FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Workflow": { "Status":"}, "Note": { "Text":SUPPRESSED"", "UpdatedBy":Automatically suppress GuardDuty findings with"INFORMATIONALseverity"} } }]' \ --regionsechub-automation"us-east-1
