AWS-SecurityLake

This Integration is part of the AWS - Security Lake Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Amazon Security Lake is a fully managed security data lake service. This integration was integrated and tested with version 1.34.20 of AWS Security Lake SDK (boto3).

Configure AWS-SecurityLake on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AWS-SecurityLake.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Name | User name | True |
    | Role Arn | Role ARN | False |
    | Role Session Name | Role Session Name | False |
    | Role Session Duration | Role Session Duration | False |
    | AWS Default Region | AWS Default Region | False |
    | Access Key | Access Key | False |
    | Secret Key | Secret Key | False |
    | Timeout | The time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds is used. | False |
    | Retries | The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-security-lake-query-execute

Executes a new query, waits for it to complete (using polling), and returns the query's execution information and, if the query succeeded, its results. Either 'OutputLocation' or 'WorkGroup' must be specified for the query to run.

Base Command

aws-security-lake-query-execute

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_string | The SQL query statements to be executed. | Required |
| query_limit | A limit (number) to use for the query. If the keyword 'LIMIT' exists within 'QueryString', this parameter will be ignored. Default is 50. | Optional |
| client_request_token | A unique case-sensitive string used to ensure the request to create the query is idempotent (executes only once). If another StartQueryExecution request is received, the same response is returned and another query is not created. | Optional |
| database | The name of the database. | Optional |
| output_location | The location in Amazon S3 where your query results are stored, such as s3://path/to/query/bucket/. | Optional |
| encryption_option | Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys (SSE-S3), server-side encryption with KMS-managed keys (SSE-KMS), or client-side encryption with KMS-managed keys (CSE-KMS) is used. | Optional |
| kms_key | For SSE-KMS and CSE-KMS, this is the KMS key ARN or ID. | Optional |
| work_group | The name of the workgroup in which the query is being started. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| QueryExecutionId | ID of the newly created query. Used internally for polling. | Optional |
| hide_polling_output | | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.Query.QueryExecutionId | String | The unique identifier for each query execution. |
| AWS.SecurityLake.Query.Query | String | The SQL query statements which the query execution ran. |
| AWS.SecurityLake.Query.StatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.Query.ResultConfiguration.OutputLocation | String | The location in Amazon S3 where your query and calculation results are stored, such as 's3://path/to/query/bucket/'. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.EncryptionOption | String | If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, SSE_KMS or CSE_KMS) and key information. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.KmsKey | String | For SSE_KMS and CSE_KMS, this is the KMS key ARN or ID. |
| AWS.SecurityLake.Query.ResultConfiguration.ExpectedBucketOwner | String | The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration.OutputLocation. |
| AWS.SecurityLake.Query.ResultConfiguration.AclConfiguration.S3AclOption | String | The Amazon S3 canned ACL that Athena should specify when storing query results. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.Enabled | Boolean | True if previous query results can be reused when the query is run; otherwise, false. The default is false. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.MaxAgeInMinutes | Number | Specifies, in minutes, the maximum age of a previous query result that Athena should consider for reuse. The default is 60. |
| AWS.SecurityLake.Query.QueryExecutionContext.Database | String | The name of the database used in the query execution. |
| AWS.SecurityLake.Query.QueryExecutionContext.Catalog | String | The name of the data catalog used in the query execution. |
| AWS.SecurityLake.Query.Status.State | String | The state of the query execution. |
| AWS.SecurityLake.Query.Status.StateChangeReason | String | Further detail about the status of the query. |
| AWS.SecurityLake.Query.Status.SubmissionDateTime | String | The date and time that the query was submitted. |
| AWS.SecurityLake.Query.Status.CompletionDateTime | String | The date and time that the query completed. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorCategory | Number | An integer value that specifies the category of a query failure error. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorType | Number | An integer value that provides specific information about an Athena query error. For the meaning of specific values, see the Error Type Reference in the Amazon Athena User Guide. |
| AWS.SecurityLake.Query.Status.AthenaError.Retryable | Boolean | True if the query might succeed if resubmitted. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorMessage | String | Contains a short description of the error that occurred. |
| AWS.SecurityLake.Query.Statistics.EngineExecutionTimeInMillis | Number | The number of milliseconds that the query took to execute. |
| AWS.SecurityLake.Query.Statistics.DataScannedInBytes | Number | The number of bytes in the data that was queried. |
| AWS.SecurityLake.Query.Statistics.DataManifestLocation | String | The location and file name of a data manifest file. The manifest file is saved to the Athena query results location in Amazon S3. |
| AWS.SecurityLake.Query.Statistics.TotalExecutionTimeInMillis | Number | The number of milliseconds that Athena took to run the query. |
| AWS.SecurityLake.Query.Statistics.QueryQueueTimeInMillis | Number | The number of milliseconds that the query was in your query queue waiting for resources. |
| AWS.SecurityLake.Query.Statistics.ServicePreProcessingTimeInMillis | Number | The number of milliseconds that Athena took to preprocess the query before submitting the query to the query engine. |
| AWS.SecurityLake.Query.Statistics.QueryPlanningTimeInMillis | Number | The number of milliseconds that Athena took to plan the query processing flow. This includes the time spent retrieving table partitions from the data source. |
| AWS.SecurityLake.Query.Statistics.ServiceProcessingTimeInMillis | Number | The number of milliseconds that Athena took to finalize and publish the query results after the query engine finished running the query. |
| AWS.SecurityLake.Query.ResultReuseInformation.ReusedPreviousResult | Boolean | True if a previous query result was reused; false if the result was generated from a new run of the query. |
| AWS.SecurityLake.Query.WorkGroup | String | The name of the workgroup in which the query ran. |
| AWS.SecurityLake.Query.EngineVersion.SelectedEngineVersion | String | The engine version requested by the user. Possible values are determined by the output of ListEngineVersions, including AUTO. |
| AWS.SecurityLake.Query.EngineVersion.EffectiveEngineVersion | String | The engine version on which the query runs. |
| AWS.SecurityLake.Query.ExecutionParameters | List | A list of values for the parameters in a query. The values are applied sequentially to the parameters in the query in the order in which the parameters occur. The list of parameters is not returned in the response. |
| AWS.SecurityLake.Query.SubstatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.QueryResults | List | List of query results. |
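The start-then-poll flow and the query_limit rule described for this command, as an added example that is not the integration's own code. It assumes a hypothetical FakeAthena stand-in for boto3's Athena client (it answers start_query_execution and get_query_execution with the same field names boto3 returns) so that it runs offline; with a real client the start call would also carry ResultConfiguration or WorkGroup, as the command requires. The LIMIT check uses a word boundary so an identifier such as rate_limit does not suppress the limit, and the poll loop is bounded so a query stuck in RUNNING cannot block the caller indefinitely.

```python
import re
import time
from typing import Any, Callable, Dict, Optional

# Terminal states of an Athena query execution; anything else means "still running".
TERMINAL_STATES = {"SUCCEEDED", "FAILED", "CANCELLED"}

# Word-boundary match so identifiers such as rate_limit do not count as the keyword.
LIMIT_KEYWORD = re.compile(r"\bLIMIT\b", re.IGNORECASE)


def apply_query_limit(query_string: str, query_limit: int = 50) -> str:
    """Append LIMIT <n> unless the statement already contains the LIMIT keyword."""
    if query_limit <= 0:
        raise ValueError("query_limit must be a positive integer")
    if LIMIT_KEYWORD.search(query_string):
        return query_string
    return f"{query_string.rstrip().rstrip(';')} LIMIT {int(query_limit)}"


def poll_query_execution(
    get_query_execution: Callable[[str], Dict[str, Any]],
    query_execution_id: str,
    interval_seconds: float = 1.0,
    max_attempts: int = 60,
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, Any]:
    """Poll until the execution reaches a terminal state; the wait is bounded so a
    stuck query cannot hang the caller forever."""
    state = "UNKNOWN"
    for _ in range(max_attempts):
        execution = get_query_execution(query_execution_id)
        state = execution["Status"]["State"]
        if state in TERMINAL_STATES:
            return execution
        sleep(interval_seconds)
    raise TimeoutError(f"query {query_execution_id} still {state} after {max_attempts} polls")


class FakeAthena:
    """Constructed stand-in for boto3's Athena client (hypothetical, offline only).
    Reports QUEUED, then RUNNING, then the configured terminal state."""

    def __init__(self, final_state: str, reason: Optional[str] = None):
        self._states = iter(["QUEUED", "RUNNING", final_state])
        self._last = "QUEUED"
        self.reason = reason
        self.polls = 0

    def start_query_execution(self, **kwargs: Any) -> Dict[str, str]:
        self.submitted = kwargs
        return {"QueryExecutionId": "constructed-execution-id"}

    def get_query_execution(self, query_execution_id: str) -> Dict[str, Any]:
        self.polls += 1
        self._last = next(self._states, self._last)  # stays terminal once reached
        status: Dict[str, Any] = {"State": self._last}
        if self._last == "FAILED":
            status["StateChangeReason"] = self.reason
            status["AthenaError"] = {"Retryable": False, "ErrorMessage": self.reason}
        return {"QueryExecutionId": query_execution_id, "Status": status}


def execute_and_wait(client: Any, query_string: str, query_limit: int = 50,
                     sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Mirror the command: build the statement, start it, poll, report the outcome."""
    sql = apply_query_limit(query_string, query_limit)
    query_id = client.start_query_execution(QueryString=sql)["QueryExecutionId"]
    execution = poll_query_execution(client.get_query_execution, query_id, sleep=sleep)
    status = execution["Status"]
    return {
        "query": sql,
        "state": status["State"],
        "polls": client.polls,
        "error": status.get("AthenaError", {}).get("ErrorMessage"),
    }


if __name__ == "__main__":
    no_wait = lambda _: None
    print(execute_and_wait(FakeAthena("SUCCEEDED"), "SELECT * FROM t", sleep=no_wait))
    print(execute_and_wait(FakeAthena("FAILED", "SYNTAX_ERROR: line 1:8"),
                           "SELECT x FROM nowhere", sleep=no_wait))
```

A failed execution is still a terminal state: the loop returns it rather than retrying, and the caller reads AthenaError.ErrorMessage and Retryable to decide whether resubmitting makes sense.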

aws-security-lake-data-catalogs-list

Lists the data catalogs in the current Amazon Web Services account.

Base Command

aws-security-lake-data-catalogs-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| work_group | The name of the workgroup. Required if making an IAM Identity Center request. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| limit | Specifies the maximum number of data catalogs to return. | Optional |
| next_token | A token generated by the SecurityLake service that specifies where to continue pagination if a previous request was truncated. To obtain the next set of pages, pass in the NextToken from the response object of the previous page call. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.Catalog.CatalogName | String | The name of the data catalog. |
| AWS.SecurityLake.Catalog.Type | String | The data catalog type. |
| AWS.SecurityLake.CatalogNextToken | String | A token generated by the SecurityLake service that specifies where to continue pagination if a previous request was truncated. To obtain the next set of pages, pass in the NextToken from the response object of the previous page call. |

aws-security-lake-databases-list

Lists the databases in the specified data catalog.

Base Command

aws-security-lake-databases-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| catalog_name | The name of the data catalog that contains the databases to return. | Required |
| work_group | The name of the workgroup for which the metadata is being fetched. Required if requesting an IAM Identity Center enabled Glue Data Catalog. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| limit | Specifies the maximum number of results to return. | Optional |
| next_token | A token generated by the SecurityLake service that specifies where to continue pagination if a previous request was truncated. To obtain the next set of pages, pass in the NextToken from the response object of the previous page call. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.Database.Name | String | The name of the database. |
| AWS.SecurityLake.Database.Description | String | An optional description of the database. |
| AWS.SecurityLake.Database.Parameters | List | A set of custom key/value pairs. |
| AWS.SecurityLake.DatabaseNextToken | String | A token generated by the SecurityLake service that specifies where to continue pagination if a previous request was truncated. To obtain the next set of pages, pass in the NextToken from the response object of the previous page call. |

Command Example

!aws-security-lake-databases-list catalog_name=Test

aws-security-lake-table-metadata-list

Lists the metadata for the tables in the specified data catalog database.

Base Command

aws-security-lake-table-metadata-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| catalog_name | The name of the data catalog that contains the databases to return. | Required |
| database_name | The name of the database for which table metadata should be returned. | Required |
| expression | A regex filter that pattern-matches table names. If no expression is supplied, metadata for all tables is listed. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| limit | Specifies the maximum number of results to return. | Optional |
| next_token | A token generated by the SecurityLake service that specifies where to continue pagination if a previous request was truncated. To obtain the next set of pages, pass in the NextToken from the response object of the previous page call. | Optional |
| work_group | The name of the workgroup for which the metadata is being fetched. Required if requesting an IAM Identity Center enabled Glue Data Catalog. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.TableMetadata.Name | String | The name of the table. |
| AWS.SecurityLake.TableMetadata.CreateTime | Date | The time that the table was created. |
| AWS.SecurityLake.TableMetadata.LastAccessTime | Date | The last time the table was accessed. |
| AWS.SecurityLake.TableMetadata.TableType | String | The type of table. In Athena, only EXTERNAL_TABLE is supported. |
| AWS.SecurityLake.TableMetadata.Columns.Name | String | The name of the column. |
| AWS.SecurityLake.TableMetadata.Columns.Type | String | The data type of the column. |
| AWS.SecurityLake.TableMetadata.Columns.Comment | String | Optional information about the column. |
| AWS.SecurityLake.TableMetadata.PartitionKeys.Name | String | The name of the column. |
| AWS.SecurityLake.TableMetadata.PartitionKeys.Type | String | The data type of the column. |
| AWS.SecurityLake.TableMetadata.PartitionKeys.Comment | String | Optional information about the column. |
| AWS.SecurityLake.TableMetadata.Parameters | List | A set of custom key/value pairs for table properties. |
| AWS.SecurityLake.TableMetadataNextToken | String | A token generated by the SecurityLake service that specifies where to continue pagination if a previous request was truncated. To obtain the next set of pages, pass in the NextToken from the response object of the previous page call. |

Command Example

!aws-security-lake-table-metadata-list catalog_name=Test database_name=test

aws-security-lake-user-mfalogin-query

Runs a query that takes a provided username and queries the AWS Security Lake for MFA login attempts (Success/Failed) associated with the user's account, using AWS CloudTrail logs.

Base Command

aws-security-lake-user-mfalogin-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| database | The database to run the query against. | Required |
| table | The table to run the query against. | Required |
| user_name | The username to search for MFA login attempts. | Required |
| output_location | The location in Amazon S3 where your query results are stored, such as s3://path/to/query/bucket/. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| query_limit | A limit (number) to use for the query. If the keyword 'LIMIT' exists within 'QueryString', this parameter will be ignored. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.Query.QueryExecutionId | String | The unique identifier for each query execution. |
| AWS.SecurityLake.Query.Query | String | The SQL query statements which the query execution ran. |
| AWS.SecurityLake.Query.StatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.Query.ResultConfiguration.OutputLocation | String | The location in Amazon S3 where your query and calculation results are stored, such as 's3://path/to/query/bucket/'. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.EncryptionOption | String | If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, SSE_KMS or CSE_KMS) and key information. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.KmsKey | String | For SSE_KMS and CSE_KMS, this is the KMS key ARN or ID. |
| AWS.SecurityLake.Query.ResultConfiguration.ExpectedBucketOwner | String | The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration.OutputLocation. |
| AWS.SecurityLake.Query.ResultConfiguration.AclConfiguration.S3AclOption | String | The Amazon S3 canned ACL that Athena should specify when storing query results. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.Enabled | Boolean | True if previous query results can be reused when the query is run; otherwise, false. The default is false. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.MaxAgeInMinutes | Number | Specifies, in minutes, the maximum age of a previous query result that Athena should consider for reuse. The default is 60. |
| AWS.SecurityLake.Query.QueryExecutionContext.Database | String | The name of the database used in the query execution. |
| AWS.SecurityLake.Query.QueryExecutionContext.Catalog | String | The name of the data catalog used in the query execution. |
| AWS.SecurityLake.Query.Status.State | String | The state of the query execution. |
| AWS.SecurityLake.Query.Status.StateChangeReason | String | Further detail about the status of the query. |
| AWS.SecurityLake.Query.Status.SubmissionDateTime | String | The date and time that the query was submitted. |
| AWS.SecurityLake.Query.Status.CompletionDateTime | String | The date and time that the query completed. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorCategory | Number | An integer value that specifies the category of a query failure error. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorType | Number | An integer value that provides specific information about an Athena query error. For the meaning of specific values, see the Error Type Reference in the Amazon Athena User Guide. |
| AWS.SecurityLake.Query.Status.AthenaError.Retryable | Boolean | True if the query might succeed if resubmitted. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorMessage | String | Contains a short description of the error that occurred. |
| AWS.SecurityLake.Query.Statistics.EngineExecutionTimeInMillis | Number | The number of milliseconds that the query took to execute. |
| AWS.SecurityLake.Query.Statistics.DataScannedInBytes | Number | The number of bytes in the data that was queried. |
| AWS.SecurityLake.Query.Statistics.DataManifestLocation | String | The location and file name of a data manifest file. The manifest file is saved to the Athena query results location in Amazon S3. |
| AWS.SecurityLake.Query.Statistics.TotalExecutionTimeInMillis | Number | The number of milliseconds that Athena took to run the query. |
| AWS.SecurityLake.Query.Statistics.QueryQueueTimeInMillis | Number | The number of milliseconds that the query was in your query queue waiting for resources. |
| AWS.SecurityLake.Query.Statistics.ServicePreProcessingTimeInMillis | Number | The number of milliseconds that Athena took to preprocess the query before submitting the query to the query engine. |
| AWS.SecurityLake.Query.Statistics.QueryPlanningTimeInMillis | Number | The number of milliseconds that Athena took to plan the query processing flow. This includes the time spent retrieving table partitions from the data source. |
| AWS.SecurityLake.Query.Statistics.ServiceProcessingTimeInMillis | Number | The number of milliseconds that Athena took to finalize and publish the query results after the query engine finished running the query. |
| AWS.SecurityLake.Query.ResultReuseInformation.ReusedPreviousResult | Boolean | True if a previous query result was reused; false if the result was generated from a new run of the query. |
| AWS.SecurityLake.Query.WorkGroup | String | The name of the workgroup in which the query ran. |
| AWS.SecurityLake.Query.EngineVersion.SelectedEngineVersion | String | The engine version requested by the user. Possible values are determined by the output of ListEngineVersions, including AUTO. |
| AWS.SecurityLake.Query.EngineVersion.EffectiveEngineVersion | String | The engine version on which the query runs. |
| AWS.SecurityLake.Query.ExecutionParameters | List | A list of values for the parameters in a query. The values are applied sequentially to the parameters in the query in the order in which the parameters occur. The list of parameters is not returned in the response. |
| AWS.SecurityLake.Query.SubstatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.MfaLoginQueryResults | List | List of query results. |

Command Example

!aws-security-lake-user-mfalogin-query table=Test database=test user_name=123 output_location=s3://path/to/query/bucket/
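What an analyst does with the MfaLoginQueryResults list this command produces, as an added example that is not part of the integration: parse the raw Athena result set (the first row carries the column names; a cell without VarCharValue is a SQL NULL) and tally one user's login attempts. The sample response is constructed in the shape boto3's athena.get_query_results returns, and its column names (time, user, status, is_mfa, src_ip) are an assumption styled after flattened OCSF authentication fields, not the integration's actual query schema.

```python
from collections import Counter
from typing import Any, Dict, List, Optional


def _row(*values: Optional[str]) -> Dict[str, Any]:
    """Build one Athena row; None becomes an empty cell, i.e. SQL NULL."""
    return {"Data": [{"VarCharValue": v} if v is not None else {} for v in values]}


# Constructed sample response; column names are assumed, not the integration's schema.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "ResultSet": {
        "Rows": [
            _row("time", "user", "status", "is_mfa", "src_ip"),
            _row("2024-05-01 08:00:00", "alice", "Success", "true", "198.51.100.10"),
            _row("2024-05-01 08:05:00", "alice", "Failure", "false", "203.0.113.7"),
            _row("2024-05-01 08:06:00", "alice", "Failure", "false", "203.0.113.7"),
            _row("2024-05-01 09:00:00", "alice", "Success", "false", "203.0.113.7"),
            _row("2024-05-01 09:30:00", "bob", "Success", None, "198.51.100.11"),
        ]
    }
}


def parse_result_set(result_set: Dict[str, Any]) -> List[Dict[str, Optional[str]]]:
    """Convert an Athena ResultSet into {column: value} records.
    NULL cells become None instead of raising KeyError on a missing VarCharValue."""
    rows = result_set.get("Rows", [])
    if not rows:
        return []
    header = [cell.get("VarCharValue") for cell in rows[0]["Data"]]
    return [
        dict(zip(header, (cell.get("VarCharValue") for cell in row["Data"])))
        for row in rows[1:]
    ]


def summarize_logins(records: List[Dict[str, Optional[str]]], user_name: str) -> Dict[str, Any]:
    """Tally one user's attempts: outcomes by status, successes where MFA was not
    positively recorded, and the source addresses behind the failures."""
    mine = [r for r in records if r.get("user") == user_name]
    by_status = Counter(r.get("status") or "Unknown" for r in mine)
    # A NULL is_mfa is treated as "MFA not proven", never as "MFA used".
    success_without_mfa = [
        r for r in mine if r.get("status") == "Success" and r.get("is_mfa") != "true"
    ]
    failure_ips = sorted(
        {r["src_ip"] for r in mine if r.get("status") == "Failure" and r.get("src_ip")}
    )
    return {
        "user": user_name,
        "total": len(mine),
        "by_status": dict(by_status),
        "success_without_mfa": success_without_mfa,
        "failure_source_ips": failure_ips,
    }


if __name__ == "__main__":
    records = parse_result_set(SAMPLE_RESPONSE["ResultSet"])
    print(summarize_logins(records, "alice"))
```

In the sample, alice's two failures and her later non-MFA success come from the same source address, which is exactly the pairing the summary is built to surface; bob's NULL is_mfa lands in success_without_mfa because an absent value is not evidence that MFA was used.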

aws-security-lake-source-ip-query

Runs a query that takes a provided source IP address and queries the AWS Security Lake for console login attempts (Success/Failed) associated with the IP address, using AWS CloudTrail logs.

Base Command

aws-security-lake-source-ip-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| database | The database to run the query against. | Required |
| table | The table to run the query against. | Required |
| ip_src | The source IP address to search for console login attempts. | Required |
| output_location | The location in Amazon S3 where your query results are stored, such as s3://path/to/query/bucket/. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| query_limit | A limit (number) to use for the query. If the keyword 'LIMIT' exists within 'QueryString', this parameter will be ignored. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.Query.QueryExecutionId | String | The unique identifier for each query execution. |
| AWS.SecurityLake.Query.Query | String | The SQL query statements which the query execution ran. |
| AWS.SecurityLake.Query.StatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.Query.ResultConfiguration.OutputLocation | String | The location in Amazon S3 where your query and calculation results are stored, such as 's3://path/to/query/bucket/'. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.EncryptionOption | String | If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, SSE_KMS or CSE_KMS) and key information. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.KmsKey | String | For SSE_KMS and CSE_KMS, this is the KMS key ARN or ID. |
| AWS.SecurityLake.Query.ResultConfiguration.ExpectedBucketOwner | String | The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration.OutputLocation. |
| AWS.SecurityLake.Query.ResultConfiguration.AclConfiguration.S3AclOption | String | The Amazon S3 canned ACL that Athena should specify when storing query results. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.Enabled | Boolean | True if previous query results can be reused when the query is run; otherwise, false. The default is false. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.MaxAgeInMinutes | Number | Specifies, in minutes, the maximum age of a previous query result that Athena should consider for reuse. The default is 60. |
| AWS.SecurityLake.Query.QueryExecutionContext.Database | String | The name of the database used in the query execution. |
| AWS.SecurityLake.Query.QueryExecutionContext.Catalog | String | The name of the data catalog used in the query execution. |
| AWS.SecurityLake.Query.Status.State | String | The state of the query execution. |
| AWS.SecurityLake.Query.Status.StateChangeReason | String | Further detail about the status of the query. |
| AWS.SecurityLake.Query.Status.SubmissionDateTime | String | The date and time that the query was submitted. |
| AWS.SecurityLake.Query.Status.CompletionDateTime | String | The date and time that the query completed. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorCategory | Number | An integer value that specifies the category of a query failure error. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorType | Number | An integer value that provides specific information about an Athena query error. For the meaning of specific values, see the Error Type Reference in the Amazon Athena User Guide. |
| AWS.SecurityLake.Query.Status.AthenaError.Retryable | Boolean | True if the query might succeed if resubmitted. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorMessage | String | Contains a short description of the error that occurred. |
| AWS.SecurityLake.Query.Statistics.EngineExecutionTimeInMillis | Number | The number of milliseconds that the query took to execute. |
| AWS.SecurityLake.Query.Statistics.DataScannedInBytes | Number | The number of bytes in the data that was queried. |
| AWS.SecurityLake.Query.Statistics.DataManifestLocation | String | The location and file name of a data manifest file. The manifest file is saved to the Athena query results location in Amazon S3. |
| AWS.SecurityLake.Query.Statistics.TotalExecutionTimeInMillis | Number | The number of milliseconds that Athena took to run the query. |
| AWS.SecurityLake.Query.Statistics.QueryQueueTimeInMillis | Number | The number of milliseconds that the query was in your query queue waiting for resources. |
| AWS.SecurityLake.Query.Statistics.ServicePreProcessingTimeInMillis | Number | The number of milliseconds that Athena took to preprocess the query before submitting the query to the query engine. |
| AWS.SecurityLake.Query.Statistics.QueryPlanningTimeInMillis | Number | The number of milliseconds that Athena took to plan the query processing flow. This includes the time spent retrieving table partitions from the data source. |
| AWS.SecurityLake.Query.Statistics.ServiceProcessingTimeInMillis | Number | The number of milliseconds that Athena took to finalize and publish the query results after the query engine finished running the query. |
| AWS.SecurityLake.Query.ResultReuseInformation.ReusedPreviousResult | Boolean | True if a previous query result was reused; false if the result was generated from a new run of the query. |
| AWS.SecurityLake.Query.WorkGroup | String | The name of the workgroup in which the query ran. |
| AWS.SecurityLake.Query.EngineVersion.SelectedEngineVersion | String | The engine version requested by the user. Possible values are determined by the output of ListEngineVersions, including AUTO. |
| AWS.SecurityLake.Query.EngineVersion.EffectiveEngineVersion | String | The engine version on which the query runs. |
| AWS.SecurityLake.Query.ExecutionParameters | List | A list of values for the parameters in a query. The values are applied sequentially to the parameters in the query in the order in which the parameters occur. The list of parameters is not returned in the response. |
| AWS.SecurityLake.Query.SubstatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.SourceIPQueryResults | List | List of query results. |

Command Example

!aws-security-lake-source-ip-query table=Test database=test ip_src=1.2.3.4 output_location=s3://path/to/query/bucket/

aws-security-lake-guardduty-activity-query

Searches GuardDuty logs for activity at any criticality level, selected with the severity argument.

Base Command

aws-security-lake-guardduty-activity-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| database | The database to run the query against. | Required |
| table | The table to run the query against. | Required |
| severity | The severity to search related events for. Possible values are: 0-Unknown, 1-Informational, 2-Low, 3-Medium, 4-High, 5-Critical, 6-Fatal, 99-Other. | Required |
| output_location | The location in Amazon S3 where your query results are stored, such as s3://path/to/query/bucket/. | Required |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| query_limit | A limit (number) to use for the query. If the keyword 'LIMIT' exists within 'QueryString', this parameter will be ignored. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.Query.QueryExecutionId | String | The unique identifier for each query execution. |
| AWS.SecurityLake.Query.Query | String | The SQL query statements which the query execution ran. |
| AWS.SecurityLake.Query.StatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.Query.ResultConfiguration.OutputLocation | String | The location in Amazon S3 where your query and calculation results are stored, such as 's3://path/to/query/bucket/'. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.EncryptionOption | String | If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, SSE_KMS or CSE_KMS) and key information. |
| AWS.SecurityLake.Query.ResultConfiguration.EncryptionConfiguration.KmsKey | String | For SSE_KMS and CSE_KMS, this is the KMS key ARN or ID. |
| AWS.SecurityLake.Query.ResultConfiguration.ExpectedBucketOwner | String | The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration.OutputLocation. |
| AWS.SecurityLake.Query.ResultConfiguration.AclConfiguration.S3AclOption | String | The Amazon S3 canned ACL that Athena should specify when storing query results. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.Enabled | Boolean | True if previous query results can be reused when the query is run; otherwise, false. The default is false. |
| AWS.SecurityLake.Query.ResultReuseConfiguration.ResultReuseByAgeConfiguration.MaxAgeInMinutes | Number | Specifies, in minutes, the maximum age of a previous query result that Athena should consider for reuse. The default is 60. |
| AWS.SecurityLake.Query.QueryExecutionContext.Database | String | The name of the database used in the query execution. |
| AWS.SecurityLake.Query.QueryExecutionContext.Catalog | String | The name of the data catalog used in the query execution. |
| AWS.SecurityLake.Query.Status.State | String | The state of the query execution. |
| AWS.SecurityLake.Query.Status.StateChangeReason | String | Further detail about the status of the query. |
| AWS.SecurityLake.Query.Status.SubmissionDateTime | String | The date and time that the query was submitted. |
| AWS.SecurityLake.Query.Status.CompletionDateTime | String | The date and time that the query completed. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorCategory | Number | An integer value that specifies the category of a query failure error. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorType | Number | An integer value that provides specific information about an Athena query error. For the meaning of specific values, see the Error Type Reference in the Amazon Athena User Guide. |
| AWS.SecurityLake.Query.Status.AthenaError.Retryable | Boolean | True if the query might succeed if resubmitted. |
| AWS.SecurityLake.Query.Status.AthenaError.ErrorMessage | String | Contains a short description of the error that occurred. |
| AWS.SecurityLake.Query.Statistics.EngineExecutionTimeInMillis | Number | The number of milliseconds that the query took to execute. |
| AWS.SecurityLake.Query.Statistics.DataScannedInBytes | Number | The number of bytes in the data that was queried. |
| AWS.SecurityLake.Query.Statistics.DataManifestLocation | String | The location and file name of a data manifest file. The manifest file is saved to the Athena query results location in Amazon S3. |
| AWS.SecurityLake.Query.Statistics.TotalExecutionTimeInMillis | Number | The number of milliseconds that Athena took to run the query. |
| AWS.SecurityLake.Query.Statistics.QueryQueueTimeInMillis | Number | The number of milliseconds that the query was in your query queue waiting for resources. |
| AWS.SecurityLake.Query.Statistics.ServicePreProcessingTimeInMillis | Number | The number of milliseconds that Athena took to preprocess the query before submitting the query to the query engine. |
| AWS.SecurityLake.Query.Statistics.QueryPlanningTimeInMillis | Number | The number of milliseconds that Athena took to plan the query processing flow. This includes the time spent retrieving table partitions from the data source. |
| AWS.SecurityLake.Query.Statistics.ServiceProcessingTimeInMillis | Number | The number of milliseconds that Athena took to finalize and publish the query results after the query engine finished running the query. |
| AWS.SecurityLake.Query.ResultReuseInformation.ReusedPreviousResult | Boolean | True if a previous query result was reused; false if the result was generated from a new run of the query. |
| AWS.SecurityLake.Query.WorkGroup | String | The name of the workgroup in which the query ran. |
| AWS.SecurityLake.Query.EngineVersion.SelectedEngineVersion | String | The engine version requested by the user. Possible values are determined by the output of ListEngineVersions, including AUTO. |
| AWS.SecurityLake.Query.EngineVersion.EffectiveEngineVersion | String | The engine version on which the query runs. |
| AWS.SecurityLake.Query.ExecutionParameters | List | A list of values for the parameters in a query. The values are applied sequentially to the parameters in the query in the order in which the parameters occur. The list of parameters is not returned in the response. |
| AWS.SecurityLake.Query.SubstatementType | String | The type of query statement that was run. |
| AWS.SecurityLake.GuardDutyActivityQueryResults | List | List of query results. |

Command Example

!aws-security-lake-guardduty-activity-query table=Test database=test severity=0-Unknown output_location=s3://path/to/query/bucket/

aws-security-lake-data-sources-list#


Retrieves a snapshot of the current Region for the specified accounts, including whether Amazon Security Lake is enabled for those accounts and which sources Security Lake is collecting data from. To run this command, the user must have 'securitylake' permissions.

Base Command#

aws-security-lake-data-sources-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| accounts | The Amazon Web Services account ID for which a static snapshot of the current Amazon Web Services Region, including enabled accounts and log sources, is retrieved. | Optional |
| limit | Specifies the maximum number of results to return. | Optional |
| next_token | Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| query_limit | A limit (number) to use for the query. If the keyword 'LIMIT' exists within 'QueryString', this parameter will be ignored. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.DataLakeSource.DataLakeArn | String | The Amazon Resource Name (ARN) created by you to provide to the subscriber. |
| AWS.SecurityLake.DataLakeSource.DataLakeSources.account | String | The ID of the Security Lake account for which logs are collected. |
| AWS.SecurityLake.DataLakeSource.DataLakeSources.eventClasses | List | The Open Cybersecurity Schema Framework (OCSF) event classes which describe the type of data that the custom source will send to Security Lake. |
| AWS.SecurityLake.DataLakeSource.DataLakeSources.sourceName | String | The supported Amazon Web Services from which logs and events are collected. Amazon Security Lake supports log and event collection for natively supported Amazon Web Services. |
| AWS.SecurityLake.DataLakeSource.DataLakeSources.sourceStatuses.resource | String | The path where the stored logs, which contain information on your systems, applications, and services, are available. |
| AWS.SecurityLake.DataLakeSource.DataLakeSources.sourceStatuses.status | String | The health status of services, including error codes and patterns. |
| AWS.SecurityLake.DataLakeSourceNextToken | String | Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged. |

Command Example#

!aws-security-lake-data-sources-list
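Added example, not the integration's own code: an automation-side helper that pages through this command with next_token, keeping the other arguments fixed as the argument description requires, and then reports log sources whose health status is not COLLECTING. The command runner, the status vocabulary and the sample pages are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple
# A page: the entries under AWS.SecurityLake.DataLakeSource plus the
# AWS.SecurityLake.DataLakeSourceNextToken value (None when no pages remain).
Page = Tuple[List[dict], Optional[str]]
# Stand-in for whatever runs the command with the given arguments, for instance
# demisto.executeCommand in an automation (an assumption of this example).
CommandRunner = Callable[[Dict[str, str]], Page]

def list_all_data_sources(run_command: CommandRunner, args: Dict[str, str],
                          max_pages: int = 100) -> List[dict]:
    """Follow next_token until no page remains, keeping all other arguments unchanged as the
    contract requires; max_pages and the seen-token check guard against a stuck token."""
    entries: List[dict] = []
    token: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        call_args = dict(args)
        if token:
            call_args["next_token"] = token
        page, token = run_command(call_args)
        entries.extend(page)
        if not token or token in seen:
            break
        seen.add(token)
    return entries

def unhealthy_sources(entries: List[dict]) -> List[Tuple[str, str, str]]:
    """(account, sourceName, status) for each source whose health status is not
    COLLECTING (assumed vocabulary: COLLECTING, NOT_COLLECTING, MISCONFIGURED)."""
    findings = []
    for entry in entries:
        for source in entry.get("DataLakeSources", []):
            for st in source.get("sourceStatuses", []):
                if st.get("status") != "COLLECTING":
                    findings.append((source["account"], source["sourceName"],
                                     st.get("status", "UNKNOWN")))
    return findings

# Constructed sample pages (not real Security Lake output); the second is final.
ARN = "arn:aws:securitylake:us-east-1:111111111111:data-lake/default"
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: ([{"DataLakeArn": ARN, "DataLakeSources": [{"account": "111111111111", "sourceName": "CLOUD_TRAIL_MGMT",
             "sourceStatuses": [{"resource": "s3://sample/CLOUD_TRAIL_MGMT", "status": "COLLECTING"}]}]}], "page-2"),
    "page-2": ([{"DataLakeArn": ARN, "DataLakeSources": [{"account": "222222222222", "sourceName": "VPC_FLOW",
                 "sourceStatuses": [{"resource": "s3://sample/VPC_FLOW", "status": "NOT_COLLECTING"}]}]}], None),
}

def fake_run_command(args: Dict[str, str]) -> Page:  # serves the constructed pages
    return SAMPLE_PAGES[args.get("next_token")]
```

In an XSOAR automation, replace fake_run_command with a wrapper around the real command call that returns the DataLakeSource entries and the DataLakeSourceNextToken value from the command's context.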

aws-security-lake-data-lakes-list#


Retrieves the Amazon Security Lake configuration object for the specified Amazon Web Services Regions. To run this command, the user must have 'securitylake' permissions.

Base Command#

aws-security-lake-data-lakes-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| regions | The list of regions where Security Lake is enabled. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |
| region | The AWS region. If not specified, the default region will be used. | Optional |
| query_limit | A limit (number) to use for the query. If the keyword 'LIMIT' exists within 'QueryString', this parameter will be ignored. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.SecurityLake.createStatus | String | Retrieves the status of the configuration operation for an account in Amazon Security Lake. |
| AWS.SecurityLake.dataLakeArn | String | The Amazon Resource Name (ARN) created by you to provide to the subscriber. |
| AWS.SecurityLake.encryptionConfiguration.kmsKeyId | String | The ID of the KMS encryption key used by Amazon Security Lake to encrypt the Security Lake object. |
| AWS.SecurityLake.lifecycleConfiguration.expiration.days | Number | Number of days before data expires in the Amazon Security Lake object. |
| AWS.SecurityLake.lifecycleConfiguration.transitions.days | Number | Number of days before data transitions to a different S3 Storage Class in the Amazon Security Lake object. |
| AWS.SecurityLake.lifecycleConfiguration.transitions.storageClass | String | The range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. |
| AWS.SecurityLake.region | String | The Amazon Web Services regions where Security Lake is enabled. |
| AWS.SecurityLake.replicationConfiguration.regions | String | Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. |
| AWS.SecurityLake.replicationConfiguration.roleArn | String | Replication settings for the Amazon S3 buckets. This parameter uses the Identity and Access Management (IAM) role you created that is managed by Security Lake, to ensure the replication setting is correct. |
| AWS.SecurityLake.s3BucketArn | String | The ARN for the Amazon Security Lake Amazon S3 bucket. |
| AWS.SecurityLake.updateStatus.exception.code | String | The reason code for the exception of the last UpdateDataLake or DeleteDataLake API request. |
| AWS.SecurityLake.updateStatus.exception.reason | String | The reason for the exception of the last UpdateDataLake or DeleteDataLake API request. |
| AWS.SecurityLake.updateStatus.requestId | String | The unique ID for the last UpdateDataLake or DeleteDataLake API request. |
| AWS.SecurityLake.updateStatus.status | String | The status of the last UpdateDataLake or DeleteDataLake API request that was requested. |

Command Example#

!aws-security-lake-data-lakes-list