Prompt library - Security Insights on AWS


This section provides a list of example queries for the query feature of this solution. It also provides instructions for creating your own queries and customizing the Q topics.

We recommend that you keep your own prompt library customized for your organization.

To help you save time, this solution saves your recent queries, as shown in the following image.

Console showing recently used queries.

Example queries

The following are example queries that you can use with the Q topics feature of this solution.

Note

Enter these queries exactly as written. Deviating from this structure and capitalization could result in errors or incorrect responses.

Replace <abcd1234> with the account ID.

Replace <username> with the user name.

Replace <Jul 1, 2023> with a three-letter month, a one- or two-digit day (don’t start with 0), and a four-digit year.

Replace <x> with the number of days.

Replace <IP address> with the IP address.

Security Hub queries

  • How many findings are not in Status Resolved

  • List all the findings with workflow as New and Severity as Critical

  • List unique findings for product Inspector and account <abcd1234>. Filter by severity as High.

  • List unique findings for product Inspector and account <abcd1234>. Filter by severity as High. Then filter by activity as Create.

  • List unique findings where created time is <Jul 1, 2023>

  • List unique findings where created timestamp is between last <x> days

  • List unique findings where product is Inspector

  • List unique findings where severity is Critical

  • List unique findings where timestamp is <Jul 1, 2023> and status is Resolved

  • Plot bar graph for unique findings vs Region

  • Plot pie chart for unique findings vs Region

  • Plot unique findings by created timestamp is between last <x> days

  • Plot unique findings vs compliance

  • Plot unique findings vs compliance standard vs status

  • Plot unique findings vs working state

  • Plot Unique number of Finding Id by Product

CloudTrail queries

  1. Count all API operation where status is Failure

  2. List activities where operation is GetBucketAcl and Status is Failure

  3. List activities where service name is kms

  4. List all API operation which start with Delete

  5. List API operation where activity is ConsoleLogin and status is Failed

  6. List API operation where IP address is <IP address>

  7. List API operation where MFA used is False

  8. List API operation where service is cloudformation

  9. List API operation where service is ec2 and status is Failure

  10. List API operation where service is sts

  11. List API operation where service is ssm

  12. List API operation where user name is <username>

  13. List API operation with most Status in Failure

  14. List API operations where service name is kms

  15. List distinct activity

  16. List distinct API operation

  17. List records where API operation is ConsoleLogin

  18. List records where API operations is CreateKey

  19. List source IP with most Status in Failure

  20. Plot API operation vs timestamp where status is Failure

  21. Plot API operation where service is 'cloudformation' vs account

  22. Plot ec2 service vs status

  23. Plot Regions vs API operation as bar graph

  24. Plot Regions vs API operation vs status as bar graph

  25. Plot service vs API operation where status is Success

  26. Plot source IP with most Status in Failure

  27. Show results where API operation equals DeleteBucketPolicy

  28. Which Region had most status with Failure

Building your own queries

This section explains how to build your own queries for this solution’s Q topics feature. The following graphic depicts the parts of the query.

Visual of the parts of a query as described in the following sections.

Query structure

Note

If you don’t receive the expected results, or receive incorrect results, one of the following is the likely cause:

  • The column you’re asking about isn’t indexed

  • The value provided in the filter isn’t valid

  • No matching results were found

Action word

  • List – To list CloudTrail events or Security Hub findings, use the word list in the query.

  • Plot – If you want to see any graphs for findings, use the word plot when querying the Q topics. You can also specify the kind of plot you want to see, such as a bar graph.

The following images show examples of a list query and response and a plot query and response.

Query: List all the findings with workflow as new and severity as critical

Example query and response: List all the findings with workflow as NEW and Severity as Critical

Query: plot unique findings vs compliance standard

Example query and response: plot unique findings vs compliance standard

Duration

The Systems Manager parameters in the solution create a dataset whose time span is set by the query window duration parameter. For example, with the default queryWindowDuration of 7 days, the solution creates a dataset that contains only the records from the last 7 days. If your query asks for findings outside of the queryWindowDuration (for example, if the queryWindowDuration is 7 days and you query about the last 14 days), the solution still returns only the findings within the queryWindowDuration.

For information about the queryWindowDuration, see Change the duration.

The following image shows an example query and response using duration.

Query: list unique findings created in last 5 days

Example query and response: list unique findings created in last 5 days

Security Hub search criteria

The Security Hub topic has 32 columns, of which 15 are indexed. You can search findings using the names of any of the following indexed columns in the Q topic.

Note

These values are not case sensitive.

  • Account ID

  • Activity

  • Compliance Control

  • Compliance Standard

  • Compliance

  • Confidence Score

  • Created Timestamp

  • Finding Id

  • Product

  • Record

  • Region

  • Severity

  • Status

  • Timestamp

  • Workflow

CloudTrail search criteria

The CloudTrail topic has 28 columns, of which 13 are indexed. You can search events using the names of any of the following indexed columns in the Q topic.

Note

These values are not case sensitive.

  • Account ID

  • Activity

  • API operation

  • Email address

  • Geo location

  • MFA used

  • Region

  • Service

  • Source IP

  • Status

  • Timestamp

  • UID

  • Username

Data values and serviceID

The data values vary by the search criteria. These values are case sensitive.

The serviceID is a specific type of data value for the Service search criteria for CloudTrail. The serviceID identifies the service that you’re querying about, such as ec2 for Amazon EC2 and ssm for Systems Manager. See Identifiers for service-specific endpoints for a list of serviceIDs.
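To make the queryWindowDuration behavior from the Duration section concrete, the following is an added Python illustration (not code from the solution) that mimics the windowed dataset over a constructed set of Security Hub findings and adds a preflight check that flags a query whose "last <x> days" lookback exceeds the configured window. The findings, the fixed TODAY date, and the function names are constructed for this example; the clamping behavior follows the description above.

```python
import re
from datetime import date, timedelta

# Constructed sample of Security Hub findings; not real data. "today" is
# fixed so the example is deterministic.
TODAY = date(2023, 7, 15)
FINDINGS = [
    {"Finding Id": "f-001", "Severity": "Critical", "Created Timestamp": date(2023, 7, 14)},
    {"Finding Id": "f-002", "Severity": "High",     "Created Timestamp": date(2023, 7, 10)},
    {"Finding Id": "f-003", "Severity": "Critical", "Created Timestamp": date(2023, 7, 5)},
    {"Finding Id": "f-004", "Severity": "Critical", "Created Timestamp": date(2023, 7, 2)},
]

def dataset(findings, query_window_duration, today=TODAY):
    """Mimic the dataset the solution builds from the Systems Manager
    parameter: records older than queryWindowDuration are absent entirely."""
    cutoff = today - timedelta(days=query_window_duration)
    return [f for f in findings if f["Created Timestamp"] >= cutoff]

def requested_days(query):
    """Lookback the query asks for ("last <x> days"), or None if it names none."""
    m = re.search(r"last (\d+) days", query, re.IGNORECASE)
    return int(m.group(1)) if m else None

def run_query(findings, query, query_window_duration=7, today=TODAY):
    """Apply the query's own lookback on top of the windowed dataset. Asking
    for more days than the window cannot return more than the window holds."""
    rows = dataset(findings, query_window_duration, today)
    asked = requested_days(query)
    if asked is not None:
        cutoff = today - timedelta(days=asked)
        rows = [f for f in rows if f["Created Timestamp"] >= cutoff]
    return rows

def coverage_warning(query, query_window_duration=7):
    """Preflight check: warn when a query asks for more history than the
    dataset holds, so an analyst does not mistake a 7-day answer for 14."""
    asked = requested_days(query)
    if asked is not None and asked > query_window_duration:
        return (f"query asks for last {asked} days but queryWindowDuration is "
                f"{query_window_duration}; results cover only {query_window_duration} days")
    return None

if __name__ == "__main__":
    q = "List unique findings where created timestamp is between last 14 days"
    print(coverage_warning(q))
    print([f["Finding Id"] for f in run_query(FINDINGS, q)])  # only f-001, f-002
```

Run the coverage check before acting on a Q answer that spans more days than the window, or widen queryWindowDuration as described in Change the duration.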