Last active
May 21, 2024 12:00
-
-
Save atheiman/308004dc375f05d2b71690cc01a131aa to your computer and use it in GitHub Desktop.
Security Hub findings querying and batch updating with boto3. Suppress sample findings (i.e. from GuardDuty "CreateSampleFindings").
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import boto3 | |
| import json | |
| sechub = boto3.client("securityhub") | |
| sts = boto3.client("sts") | |
| caller_arn = sts.get_caller_identity()["Arn"] | |
| print(caller_arn) | |
| findings_summaries = set() | |
| findings_count = 0 | |
| # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/securityhub/paginator/GetFindings.html | |
| for pg in sechub.get_paginator("get_findings").paginate( | |
| SortCriteria=[ | |
| { | |
| "Field": "UpdatedAt", | |
| "SortOrder": "asc", # 'asc'|'desc' | |
| } | |
| ], | |
| PaginationConfig={ | |
| # 'MaxItems': 500, | |
| "PageSize": 100, | |
| }, | |
| Filters={ | |
| "WorkflowStatus": [ | |
| # {"Comparison": "NOT_EQUALS", "Value": "SUPPRESSED"}, | |
| {"Comparison": "EQUALS", "Value": "NEW"}, | |
| {"Comparison": "EQUALS", "Value": "NOTIFIED"}, | |
| ], | |
| "RecordState": [ | |
| {"Comparison": "EQUALS", "Value": "ACTIVE"}, | |
| ], | |
| "SeverityLabel": [ | |
| # {"Comparison": "EQUALS", "Value": "INFORMATIONAL"}, | |
| # {"Comparison": "EQUALS", "Value": "LOW"}, | |
| # {"Comparison": "EQUALS", "Value": "MEDIUM"}, | |
| {"Comparison": "EQUALS", "Value": "HIGH"}, | |
| {"Comparison": "EQUALS", "Value": "CRITICAL"}, | |
| ], | |
| "Sample": [{"Value": False}], | |
| # "Title": [ | |
| # {"Value": "EC2 instance i-99999999", "Comparison": "PREFIX"}, | |
| # ], | |
| # "UpdatedAt": [ | |
| # { | |
| # "Start": "2022-01-01T00:00:00.000Z", | |
| # "End": "2023-11-01T00:00:00.000Z", | |
| # }, | |
| # ], | |
| }, | |
| ): | |
| findings_count += len(pg["Findings"]) | |
| for f in pg["Findings"]: | |
| # findings_summaries.add(json.dumps(f, default=str, indent=2)) | |
| # Raw findings objects are very large, this summarizes to key attributes | |
| findings_summaries.add( | |
| json.dumps( | |
| { | |
| "Id": f.get("Id", ""), | |
| "ProductArn": f.get("ProductArn", ""), | |
| "Region": f.get("Region", ""), | |
| "AwsAccountId": f.get("AwsAccountId", ""), | |
| "Title": f.get("Title", ""), | |
| "WorkflowStatus": f.get("Workflow", {}).get("Status", ""), | |
| "RecordState": f.get("RecordState", ""), | |
| "ProcessedAt": f.get("ProcessedAt", ""), | |
| "UpdatedAt": f.get("UpdatedAt", ""), | |
| "CreatedAt": f.get("CreatedAt", ""), | |
| "Sample": f.get("Sample", ""), | |
| "ResourceIds": [r["Id"] for r in f.get("Resources", [])], | |
| "NoteText": f.get("Note", {}).get("Text", ""), | |
| }, | |
| default=str, | |
| indent=2, | |
| ) | |
| ) | |
| # # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/securityhub/client/batch_update_findings.html | |
| # print("Updating findings", len(pg["Findings"])) | |
| # sechub.batch_update_findings( | |
| # FindingIdentifiers=[ | |
| # {"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in pg["Findings"] | |
| # ], | |
| # Note={ | |
| # 'Text': 'Updated in batch', | |
| # 'UpdatedBy': caller_arn | |
| # }, | |
| # Workflow={'Status': 'SUPPRESSED'}, | |
| # ) | |
| print( | |
| json.dumps( | |
| [json.loads(s) for s in list(findings_summaries)], | |
| default=str, | |
| indent=2, | |
| ) | |
| ) | |
| print("Total findings:", findings_count) | |
| print("Total unique findings summaries:", len(findings_summaries)) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import boto3 | |
| import json | |
| sechub = boto3.client("securityhub") | |
| sts = boto3.client("sts") | |
| caller_arn = sts.get_caller_identity()["Arn"] | |
| print(caller_arn) | |
| findings_count = 0 | |
| # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/securityhub/paginator/GetFindings.html | |
| for pg in sechub.get_paginator("get_findings").paginate( | |
| PaginationConfig={"PageSize": 100}, | |
| Filters={"Sample": [{"Value": False}]}, | |
| ): | |
| findings_count += len(pg["Findings"]) | |
| # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/securityhub/client/batch_update_findings.html | |
| print("Updating", len(pg["Findings"], "findings")) | |
| sechub.batch_update_findings( | |
| FindingIdentifiers=[ | |
| {"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in pg["Findings"] | |
| ], | |
| Note={ | |
| 'Text': 'Suppressed in batch', | |
| 'UpdatedBy': caller_arn | |
| }, | |
| Workflow={'Status': 'SUPPRESSED'}, | |
| ) | |
| print("Total findings updated:", findings_count) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment