Automate the AWS Security Hub finding updates and closures by the SIR incident status

  • Release version: Australia
  • Updated March 12, 2026
  • Automate the updates and closures of findings on AWS Security Hub according to the SIR incident status. The AWS Security Hub integration has a bi-directional interface that enables findings ingestion to create security incidents and to update the findings' status according to the changes in the SIR incident.

    Before you begin

    Role required: sn_si.admin

    Procedure

    1. On the form, fill in the details.
      Follow the instructions to complete the configuration for updating AWS Security Hub findings when you create or close a security incident in SIR.
      Table 1. Automating Incident Updates form

      | Category | Field | Description |
      | --- | --- | --- |
      | Update State | SIR Incident State | Displays a list of SIR incident states. Select an option from this list to map it to a Security Hub Finding State. |
      | Update State | Security Hub Finding State | Displays a list of Security Hub workflow statuses. The workflow status of a finding is updated on AWS Security Hub when the corresponding SIR incident state changes. |
      | Update Priority | SIR Incident Priority | Displays a list of SIR incident priority levels. Select an option from this list to map it to a Security Hub finding priority level. |
      | Update Priority | Security Hub Finding Priority | Select an option from the list of Security Hub severity levels. The severity of a finding is updated on AWS Security Hub when the corresponding security incident priority changes. |
      | Update Work Notes | | Select this option to update the notes section of a Security Hub finding when a work note is updated for the corresponding SIR incident. The work notes section on SIR is limited to 512 characters because the notes section of a Security Hub finding supports the same limit. |
      | Update Additional Comments | | Select to update the AWS Security Hub finding comments section with the additional comments you provided in the SIR incident. |
      | Update Resolution Notes | | Select to update the AWS Security Hub closing comments section with the resolution notes you provided when the SIR incident is resolved. |

      Note:
      Each update from the work notes overwrites the previous update in the notes section of a Security Hub finding. We recommend that you add relevant work notes to a SIR incident.
    2. Select Finish.

    What to do next

    The profile moves to the Waiting state. When the confirmation message shows that the setup and configuration are complete, you can activate the profile.
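
On the AWS side, a finding's workflow status, severity and note are changed through the Security Hub BatchUpdateFindings API. The following is an added example, not ServiceNow's integration code: it builds such a request from an SIR incident change so the expected values can be checked against what appears on the finding. The mappings, the `build_update` helper and the `sir-integration` name are assumptions.

```python
# Added illustration: builds keyword arguments for Security Hub's
# BatchUpdateFindings API from an SIR incident change. No AWS call is made.
WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"}
SEVERITY_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
NOTE_MAX = 512  # character limit stated on this page for finding notes

# Constructed sample mappings; the real ones are whatever the form holds.
STATE_MAP = {"Analysis": "NOTIFIED", "Closed": "RESOLVED"}
PRIORITY_MAP = {"1 - Critical": "CRITICAL", "3 - Moderate": "MEDIUM"}


def build_update(finding_id, product_arn, state=None, priority=None,
                 work_note=None, updated_by="sir-integration"):
    """Return BatchUpdateFindings kwargs, or None if nothing is mapped."""
    params = {}
    if state in STATE_MAP:
        status = STATE_MAP[state]
        if status not in WORKFLOW_STATUSES:
            raise ValueError(f"invalid workflow status: {status}")
        params["Workflow"] = {"Status": status}
    if priority in PRIORITY_MAP:
        label = PRIORITY_MAP[priority]
        if label not in SEVERITY_LABELS:
            raise ValueError(f"invalid severity label: {label}")
        params["Severity"] = {"Label": label}
    if work_note:
        if len(work_note) > NOTE_MAX:
            raise ValueError("work note exceeds 512 characters")
        # A finding holds a single note, so this replaces the previous text.
        params["Note"] = {"Text": work_note, "UpdatedBy": updated_by}
    if not params:
        return None  # unmapped state or priority: nothing to send
    params["FindingIdentifiers"] = [
        {"Id": finding_id, "ProductArn": product_arn}
    ]
    return params


if __name__ == "__main__":
    # Placeholder identifiers, constructed for this example.
    print(build_update("finding-id-placeholder", "product-arn-placeholder",
                       state="Closed", priority="1 - Critical",
                       work_note="Contained; credentials rotated."))
```

The returned dictionary can be passed as keyword arguments to `batch_update_findings` on a boto3 `securityhub` client.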