Prompt library
This section provides a list of example queries for the query feature of this solution. It also provides instructions for creating your own queries and customizing the Q topics.
We recommend that you keep your own prompt library customized for your organization.
To help you save time, this solution saves your recent queries, as shown in the following image.
Example queries
The following are example queries that you can use with the Q topics feature of this solution.
Note
Enter these queries exactly as written. Deviating from this structure and capitalization could result in errors or incorrect responses.
Replace <abcd1234> with the account ID.
Replace <username> with the user name.
Replace <Jul 1, 2023> with a three letter month, one or two digit date (don’t start with 0), and four digit year.
Replace <x> with the number of days.
Replace <IP address> with the IP address.
Security Hub queries
- How many findings are not in Status Resolved
- List all the findings with workflow as New and Severity as Critical
- List unique findings for product Inspector and account <abcd1234>. Filter by severity as High.
- List unique findings for product Inspector and account <abcd1234>. Filter by severity as High. Then filter by activity as Create.
- List unique findings where created time is <Jul 1, 2023>
- List unique findings where created timestamp is between last <x> days
- List unique findings where product is Inspector
- List unique findings where severity is Critical
- List unique findings where timestamp is <Jul 1, 2023> and status is Resolved
- Plot bar graph for unique findings vs Region
- Plot pie chart for unique findings vs Region
- Plot unique findings by created timestamp is between last <x> days
- Plot unique findings vs compliance
- Plot unique findings vs compliance standard vs status
- Plot unique findings vs working state
- Plot Unique number of Finding Id by Product
CloudTrail queries
- Count all API operation where status is Failure
- List activities where operation is GetBucketAcl and Status is Failure
- List activities where service name is kms
- List all API operation which start with Delete
- List API operation where activity is ConsoleLogin and status is Failed
- List API operation where IP address is <IP address>
- List API operation where MFA used is False
- List API operation where service is cloudformation
- List API operation where service is ec2 and status is Failure
- List API operation where service is sts
- List API operation where service is ssm
- List API operation where user name is <username>
- List API operation with most Status in Failure
- List API operations where service name is kms
- List distinct activity
- List distinct API operation
- List records where API operation is ConsoleLogin
- List records where API operations is CreateKey
- List source IP with most Status in Failure
- Plot API operation vs timestamp where status is Failure
- Plot API operation where service is 'cloudformation' vs account
- Plot ec2 service vs status
- Plot Regions vs API operation as bar graph
- Plot Regions vs API operation vs status as bar graph
- Plot service vs API operation where status is Success
- Plot source IP with most Status in Failure
- Show results where API operation equals DeleteBucketPolicy
- Which Region had most status with Failure
Building your own queries
This section explains how to build your own queries for this solution’s Q topics feature. The following graphic depicts the parts of the query.
Note
If you don’t receive expected results or receive incorrect results, this is due to one of the following:
- The column you’re asking about isn’t indexed
- The value provided in the filter isn’t valid
- There aren’t matching results found
Action word
- List – To list CloudTrail events or Security Hub findings, use the word list in the query.
- Plot – If you want to see any graphs for findings, use the word plot when querying the Q topics. You can also specify the kind of plot you want to see, such as a bar graph.
The following images show examples of a list query and response and a plot query and response.
Duration
The solution’s Systems Manager parameters define the query window duration, and the solution builds its dataset from that window. For example, with the default queryWindowDuration of 7 days, the dataset contains only records from the last 7 days.
If a query asks for findings outside the queryWindowDuration (for example, the last 14 days when the queryWindowDuration is 7 days), the solution still returns only findings within the queryWindowDuration. For information about the queryWindowDuration, see Change the duration.
The following image shows an example query and response using duration.
Security Hub search criteria
The Security Hub topic has 32 columns, out of which 15 have been indexed. You can search findings using names of any of the following indexed columns in the Q topic.
Note
These values are not case sensitive.
- Account ID
- Activity
- Compliance Control
- Compliance Standard
- Compliance
- Confidence Score
- Created Timestamp
- Finding Id
- Product
- Record
- Region
- Severity
- Status
- Timestamp
- Workflow
CloudTrail search criteria
The CloudTrail topic has 28 columns, out of which 13 have been indexed. You can search events using names of any of the following indexed columns in the Q topic.
Note
These values are not case sensitive.
- Account ID
- Activity
- API operation
- Email address
- Geo location
- MFA used
- Region
- Service
- Source IP
- Status
- Timestamp
- UID
- Username
Data values and serviceID
The data values vary by the search criteria. These values are case sensitive.
The serviceID is a specific type of data value for the Service search criteria for CloudTrail. The serviceID identifies the service that you’re querying about, such as ec2 for Amazon EC2 and ssm for Systems Manager. See Identifiers for service-specific endpoints for a list of serviceIDs.
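The following Python script is an added example, not code from the solution itself. It shows what the CloudTrail search criteria and the Duration section describe: raw CloudTrail records are projected onto the indexed columns (Service is the serviceID taken from the first label of eventSource, Status is Failure when the record carries an errorCode or a failed ConsoleLogin, MFA used comes from sessionContext.attributes.mfaAuthenticated), several of the example queries are then answered over those rows, exact case-sensitive matching of data values is demonstrated, and a request for more days than the queryWindowDuration is clipped to the window. The column mapping, the treatment of a missing MFA attribute as no MFA, the fixed reference time, and the sample records are assumptions and constructed data, not documented behaviour of the solution.

```python
"""Added example: map constructed CloudTrail records onto the solution's indexed
CloudTrail columns and answer some of the prompt-library queries in code.
The field mapping below is an assumption, not the solution's own logic."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records, trimmed to the CloudTrail fields used here.
SAMPLE_RECORDS = [
    {"eventTime": "2023-07-14T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2023-07-12T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketAcl", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "recipientAccountId": "111122223333",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2023-07-12T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketPolicy", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.5", "recipientAccountId": "111122223333",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2023-07-05T11:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2023-07-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "recipientAccountId": "111122223333",
     "responseElements": {"ConsoleLogin": "Failure"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

# Fixed "now" so the window examples are reproducible (constructed value).
NOW = datetime(2023, 7, 15, tzinfo=timezone.utc)


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(record):
    """Project one raw record onto the page's CloudTrail search criteria (assumed mapping)."""
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    # Username: the IAM user name, or the session name of an assumed role.
    username = ident.get("userName")
    if username is None and ":assumed-role/" in ident.get("arn", ""):
        username = ident["arn"].rsplit("/", 1)[-1]
    # A failed ConsoleLogin carries no errorCode; its outcome is in responseElements.
    console = record.get("responseElements", {}).get("ConsoleLogin")
    failed = "errorCode" in record or console == "Failure"
    return {
        "Account ID": record.get("recipientAccountId"),
        "API operation": record["eventName"],
        # serviceID is the first label of eventSource: ec2.amazonaws.com -> ec2
        "Service": record["eventSource"].split(".")[0],
        "Region": record["awsRegion"],
        "Source IP": record.get("sourceIPAddress"),
        # Assumption: a missing mfaAuthenticated attribute counts as no MFA.
        "MFA used": "True" if attrs.get("mfaAuthenticated") == "true" else "False",
        "Username": username or ident.get("type"),
        "Status": "Failure" if failed else "Success",
        "Timestamp": record["eventTime"],
    }


ROWS = [normalize(r) for r in SAMPLE_RECORDS]


def filter_rows(rows, criteria):
    """Exact-match filter: data values are case sensitive, so {"Status": "failure"}
    matches nothing while {"Status": "Failure"} does."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]


def count_failed_operations(rows):
    """'Count all API operation where status is Failure'"""
    return len(filter_rows(rows, {"Status": "Failure"}))


def operations_without_mfa(rows):
    """'List API operation where MFA used is False'"""
    return [r["API operation"] for r in filter_rows(rows, {"MFA used": "False"})]


def operations_starting_with(rows, prefix):
    """'List all API operation which start with Delete' (distinct, sorted)."""
    return sorted({r["API operation"] for r in rows if r["API operation"].startswith(prefix)})


def source_ip_with_most_failures(rows):
    """'List source IP with most Status in Failure' -> (ip, failure count)."""
    counts = Counter(r["Source IP"] for r in filter_rows(rows, {"Status": "Failure"}))
    return counts.most_common(1)[0] if counts else (None, 0)


def within_last_days(rows, requested_days, query_window_days=7, now=NOW):
    """'... between last <x> days', honouring the queryWindowDuration: the dataset
    only holds records from the window, so a larger request is clipped to it."""
    cutoff = now - timedelta(days=min(requested_days, query_window_days))
    return [r for r in rows if parse_time(r["Timestamp"]) >= cutoff]


if __name__ == "__main__":
    print("failed operations:", count_failed_operations(ROWS))
    print("no MFA:", operations_without_mfa(ROWS))
    print("Delete*:", operations_starting_with(ROWS, "Delete"))
    print("noisiest failing IP:", source_ip_with_most_failures(ROWS))
    print("last 14 days, 7-day window:", len(within_last_days(ROWS, 14)))
```

Note that filter_rows returns nothing for {"Service": "KMS"} or {"Status": "failure"}, which is the same reason the Q topic gives no results when a data value is typed in the wrong case, and that within_last_days(ROWS, 14) returns only the rows inside the 7-day window even though 14 days were requested.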