Amazon Security Hub · Arazzo Workflow

Amazon Security Hub Review Insight Findings

Version 1.0.0

List a saved insight and drill into the findings behind it.

1 workflow · 1 source API · 1 provider

Provider

amazon-security-hub

Workflows

review-insight-findings
Fetch an insight definition, then query the findings behind it.
Retrieves a saved insight by its ARN to read its filter definition, then queries the findings store to inspect the records the insight aggregates.
2 steps · inputs: insightArn, maxResults, productName · outputs: findings, insightName

1. getInsight (operationId: GetInsights)
   Retrieve the saved insight by ARN so its filter and grouping attribute can be read before drilling into the findings it aggregates.
2. drillIntoFindings (operationId: GetFindings)
   Query the findings store using a filter aligned to the insight so the operator can inspect the records that drive the insight's aggregation.

Source API Descriptions

Arazzo Workflow Specification

amazon-security-hub-review-insight-findings-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Security Hub Review Insight Findings
  summary: List a saved insight and drill into the findings behind it.
  description: >-
    Insights are saved filtered views over the findings store. This workflow
    fetches a specific insight by ARN to read its filter and grouping
    definition, then runs a findings query so the operator can inspect the
    underlying records that the insight aggregates. The specification does not
    expose a dedicated insight-results operation, so the supported drill-down
    path is to query findings directly; this adaptation is noted here. Each step
    spells out its request inline so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: securityHubApi
  url: ../openapi/amazon-security-hub-openapi.yml
  type: openapi
workflows:
- workflowId: review-insight-findings
  summary: Fetch an insight definition, then query the findings behind it.
  description: >-
    Retrieves a saved insight by its ARN to read its filter definition, then
    queries the findings store to inspect the records the insight aggregates.
  inputs:
    type: object
    required:
    - insightArn
    - productName
    properties:
      insightArn:
        type: string
        description: The ARN of the saved insight to retrieve.
      productName:
        type: string
        description: The product name value used to filter the underlying findings query.
      maxResults:
        type: integer
        description: The maximum number of findings to return for the insight drill-down.
        default: 100
  steps:
  - stepId: getInsight
    description: >-
      Retrieve the saved insight by ARN so its filter and grouping attribute can
      be read before drilling into the findings it aggregates.
    operationId: GetInsights
    requestBody:
      contentType: application/json
      payload:
        InsightArns:
        - $inputs.insightArn
        MaxResults: 1
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      insightArn: $response.body#/Insights/0/InsightArn
      insightName: $response.body#/Insights/0/Name
      groupByAttribute: $response.body#/Insights/0/GroupByAttribute
  - stepId: drillIntoFindings
    description: >-
      Query the findings store using a filter aligned to the insight so the
      operator can inspect the records that drive the insight's aggregation.
    operationId: GetFindings
    requestBody:
      contentType: application/json
      payload:
        Filters:
          ProductName:
          - Value: $inputs.productName
            Comparison: EQUALS
        MaxResults: $inputs.maxResults
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      findings: $response.body#/Findings
      nextToken: $response.body#/NextToken
  outputs:
    insightName: $steps.getInsight.outputs.insightName
    findings: $steps.drillIntoFindings.outputs.findings
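The two-step flow above, as an added example that is not part of this workflow collection or of any AWS tooling: a minimal offline Arazzo runner in Python that resolves the runtime expressions the YAML uses ($inputs.*, $response.body#/… JSON pointers, $steps.*.outputs.*), applies the maxResults default and the $statusCode == 200 success criteria, and chains the insight lookup into the findings query. The STEPS table is transcribed from the YAML; sample_api and SAMPLE_FINDINGS are a constructed stand-in for the Security Hub API (no network), and the insight ARN passed in is a placeholder.

```python
import re

# Step table mirroring the YAML on this page (payload templates, step outputs, workflow
# outputs). Added example: the runner and the sample API below are constructed, not AWS code.
STEPS = [
    {"stepId": "getInsight", "operationId": "GetInsights",
     "payload": {"InsightArns": ["$inputs.insightArn"], "MaxResults": 1},
     "outputs": {"insightName": "$response.body#/Insights/0/Name"}},
    {"stepId": "drillIntoFindings", "operationId": "GetFindings",
     "payload": {"Filters": {"ProductName": [{"Value": "$inputs.productName", "Comparison": "EQUALS"}]},
                 "MaxResults": "$inputs.maxResults"},
     "outputs": {"findings": "$response.body#/Findings", "nextToken": "$response.body#/NextToken"}},
]
WORKFLOW_OUTPUTS = {"insightName": "$steps.getInsight.outputs.insightName",
                    "findings": "$steps.drillIntoFindings.outputs.findings"}
def json_pointer(doc, pointer):  # RFC 6901 walk for pointers such as /Insights/0/Name; missing path -> None
    for part in pointer.strip("/").split("/"):
        doc = (doc[int(part)] if isinstance(doc, list) and part.isdigit() and int(part) < len(doc)
               else doc.get(part) if isinstance(doc, dict) else None)
    return doc
def resolve(node, ctx):  # resolve the Arazzo runtime expressions this workflow uses, recursively
    if isinstance(node, dict):
        return {k: resolve(v, ctx) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, ctx) for v in node]
    if not isinstance(node, str) or not node.startswith("$"):
        return node  # literal such as 1 or "EQUALS"
    if node.startswith("$inputs."):
        return ctx["inputs"][node[len("$inputs."):]]
    if node.startswith("$response.body#"):
        return json_pointer(ctx["response"], node.split("#", 1)[1])
    if m := re.fullmatch(r"\$steps\.(\w+)\.outputs\.(\w+)", node):
        return ctx["steps"][m[1]][m[2]]
    raise ValueError(f"unsupported expression: {node}")
def run_workflow(inputs, call):  # run steps in order; maxResults defaults to 100 as in the YAML
    ctx = {"inputs": {"maxResults": 100, **inputs}, "steps": {}}
    for step in STEPS:
        status, body = call(step["operationId"], resolve(step["payload"], ctx))
        if status != 200:  # successCriteria not met: stop rather than drill into an unverified insight
            raise RuntimeError(f"{step['stepId']} returned HTTP {status}")
        ctx["response"] = body
        ctx["steps"][step["stepId"]] = resolve(step["outputs"], ctx)
    return resolve(WORKFLOW_OUTPUTS, ctx)
# Constructed stand-in for the two Security Hub calls: no network, the ARN is echoed back as given.
SAMPLE_FINDINGS = [{"Id": "f-1", "ProductName": "GuardDuty"}, {"Id": "f-2", "ProductName": "Inspector"},
                   {"Id": "f-3", "ProductName": "GuardDuty"}]
def sample_api(operation_id, payload):
    if operation_id == "GetInsights":
        return 200, {"Insights": [{"InsightArn": payload["InsightArns"][0], "Name": "Example insight"}]}
    hits = [f for f in SAMPLE_FINDINGS if f["ProductName"] == payload["Filters"]["ProductName"][0]["Value"]]
    return 200, {"Findings": hits[:payload["MaxResults"]], "NextToken": None}
```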