AWS Security Hub Get_findings not displaying based on compliance status

0

When using get_findings with a ComplianceStatus filter, I am not able to get the correct display if I select 'FAILED' or 'PASSED' as the compliance status.

Here are my filters:

    # Assumed wrapper: the snippet is the body of a function that returns the filter dict.
    def build_filters(severity_labels=None, compliance_status=None):
        filters = {}
        # findings older than 3-5 days are archived automatically; excluding them
        # displays the correct FAILED states only
        filters['RecordState'] = [{'Value': 'ARCHIVED', 'Comparison': 'NOT_EQUALS'}]

        if severity_labels:
            filters['SeverityLabel'] = [{'Value': label, 'Comparison': 'EQUALS'} for label in severity_labels]
        if compliance_status:
            filters['ComplianceStatus'] = [{'Value': compliance_status, 'Comparison': 'EQUALS'}]
        return filters
asked 3 months ago · 107 views
1 Answer
0

The issue you're facing with the get_findings API and the ComplianceStatus filter is likely due to the way the GuardDuty API handles the compliance status.

The ComplianceStatus field in the GuardDuty findings represents the compliance status of the finding against the security standards or controls that GuardDuty is monitoring. The possible values for ComplianceStatus are PASSED, FAILED, and NOT_AVAILABLE.

However, the get_findings API expects the filter values to be exact matches, and the values 'FAILED' and 'PASSED' may not be recognized as valid values for the ComplianceStatus filter.

To work around this issue, you can try the following approach:

  1. Use the 'FAILED' and 'PASSED' values in the ComplianceStatus filter, but also include the 'NOT_AVAILABLE' value to ensure you capture all the relevant findings:

# Assumed wrapper so the snippet runs as a complete function.
def build_filters(severity_labels=None, compliance_status=None):
    filters = {}
    filters['RecordState'] = [{'Value': 'ARCHIVED', 'Comparison': 'NOT_EQUALS'}]

    if severity_labels:
        filters['SeverityLabel'] = [{'Value': label, 'Comparison': 'EQUALS'} for label in severity_labels]

    if compliance_status:
        # two EQUALS values under one key are ORed by the service
        filters['ComplianceStatus'] = [
            {'Value': compliance_status, 'Comparison': 'EQUALS'},
            {'Value': 'NOT_AVAILABLE', 'Comparison': 'EQUALS'}
        ]
    return filters

This way, your ComplianceStatus filter will include both the specific status you're looking for (e.g., 'FAILED') and the 'NOT_AVAILABLE' status, which may also be relevant.

  2. Alternatively, you can use the 'COMPLIANT' and 'NON_COMPLIANT' values instead of 'PASSED' and 'FAILED', as these are the values that the GuardDuty API documentation recommends using for the ComplianceStatus filter:

# Assumed wrapper so the snippet runs as a complete function.
def build_filters(severity_labels=None, compliance_status=None):
    filters = {}
    filters['RecordState'] = [{'Value': 'ARCHIVED', 'Comparison': 'NOT_EQUALS'}]

    if severity_labels:
        filters['SeverityLabel'] = [{'Value': label, 'Comparison': 'EQUALS'} for label in severity_labels]

    if compliance_status:
        filters['ComplianceStatus'] = [{'Value': compliance_status, 'Comparison': 'EQUALS'}]
    return filters

In this case, you would use 'COMPLIANT' or 'NON_COMPLIANT' as the compliance_status value, instead of 'PASSED' or 'FAILED'.

By trying one of these approaches, you should be able to get the correct set of findings based on the ComplianceStatus filter.

AWS
JonQ
answered 4 days ago
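Added example, not part of the question or of the answer above: it builds the same filter dictionary and then applies Security Hub's documented filter semantics locally (keys are ANDed; several EQUALS values under one key are ORed; several NOT_EQUALS values are ANDed) to a constructed set of ASFF-shaped findings, so you can see offline which findings each filter choice returns before spending API calls. In ASFF the `Compliance.Status` field carries `PASSED`, `WARNING`, `FAILED` or `NOT_AVAILABLE`; a filter value that no finding carries simply matches nothing, which the last sample case shows. The function and field names (`build_filters`, `apply_filters_locally`, `fetch_findings`, `SAMPLE_FINDINGS`) and the sample findings are assumptions made for this example.

```python
"""Build a Security Hub get_findings filter and check its effect offline."""
from typing import Any, Dict, Iterable, List

Finding = Dict[str, Any]
Filters = Dict[str, List[Dict[str, str]]]


def build_filters(severity_labels=None, compliance_status=None, include_not_available=False) -> Filters:
    """Assumed name; mirrors the snippet from the question with one extra switch."""
    filters: Filters = {"RecordState": [{"Value": "ARCHIVED", "Comparison": "NOT_EQUALS"}]}
    if severity_labels:
        filters["SeverityLabel"] = [{"Value": lbl, "Comparison": "EQUALS"} for lbl in severity_labels]
    if compliance_status:
        values = [{"Value": compliance_status, "Comparison": "EQUALS"}]
        if include_not_available:
            # A second EQUALS value under the same key widens the match (OR).
            values.append({"Value": "NOT_AVAILABLE", "Comparison": "EQUALS"})
        filters["ComplianceStatus"] = values
    return filters


def _field(finding: Finding, key: str):
    """Locate the ASFF attribute that a filter key refers to."""
    if key == "RecordState":
        return finding.get("RecordState")
    if key == "SeverityLabel":
        return finding.get("Severity", {}).get("Label")
    if key == "ComplianceStatus":
        return finding.get("Compliance", {}).get("Status")
    raise KeyError(f"unsupported filter key in this example: {key}")


def _key_matches(actual, conditions: List[Dict[str, str]]) -> bool:
    """EQUALS values are ORed, NOT_EQUALS values are ANDed (Security Hub StringFilter rules)."""
    wanted = [c["Value"] for c in conditions if c["Comparison"] == "EQUALS"]
    unwanted = [c["Value"] for c in conditions if c["Comparison"] == "NOT_EQUALS"]
    ok = True
    if wanted:
        ok = ok and actual in wanted
    if unwanted:
        ok = ok and actual not in unwanted
    return ok


def apply_filters_locally(findings: Iterable[Finding], filters: Filters) -> List[Finding]:
    """Keep findings that satisfy every filter key (keys are ANDed)."""
    return [f for f in findings if all(_key_matches(_field(f, k), v) for k, v in filters.items())]


def fetch_findings(filters: Filters, region=None) -> List[Finding]:
    """Live, paginated call. boto3 is imported here so the rest of the module runs offline."""
    import boto3  # needs credentials allowed to call securityhub:GetFindings

    client = boto3.client("securityhub", region_name=region)
    results: List[Finding] = []
    for page in client.get_paginator("get_findings").paginate(
        Filters=filters, PaginationConfig={"PageSize": 100}
    ):
        results.extend(page["Findings"])
    return results


# Constructed sample findings (not real data); only the fields the filter reads are present.
SAMPLE_FINDINGS: List[Finding] = [
    {"Id": "f1", "RecordState": "ACTIVE", "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}},
    {"Id": "f2", "RecordState": "ACTIVE", "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "PASSED"}},
    {"Id": "f3", "RecordState": "ACTIVE", "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "NOT_AVAILABLE"}},
    {"Id": "f4", "RecordState": "ARCHIVED", "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}},
    {"Id": "f5", "RecordState": "ACTIVE", "Severity": {"Label": "LOW"}, "Compliance": {"Status": "WARNING"}},
]

if __name__ == "__main__":
    for label, flt in [
        ("FAILED only", build_filters(compliance_status="FAILED")),
        ("FAILED or NOT_AVAILABLE", build_filters(compliance_status="FAILED", include_not_available=True)),
        ("HIGH and PASSED", build_filters(["HIGH"], "PASSED")),
        ("NON_COMPLIANT (not an ASFF value)", build_filters(compliance_status="NON_COMPLIANT")),
    ]:
        ids = [f["Id"] for f in apply_filters_locally(SAMPLE_FINDINGS, flt)]
        print(f"{label}: {ids}")
```

Running the module prints the ids matched by each filter; `f4` never appears because the `RecordState` NOT_EQUALS condition removes archived findings before the compliance condition is considered. Swap `apply_filters_locally(SAMPLE_FINDINGS, ...)` for `fetch_findings(...)` once the filter behaves as expected.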
