toripiyo · October 22, 2021 07:43
diff --git a/fetch_securityhub_findings.rb b/fetch_securityhub_findings.rb
 require 'aws-sdk-securityhub'
 require 'csv'
 require 'pry'

 aws_profile_name = 'your profile name that you want to use on this script'
 client = Aws::SecurityHub::Client.new(profile: aws_profile_name)

 filters = {
  # id: [
  #   {
  #     value: "xxxxxxxxxxxxxxxxxxx",
  #     comparison: "EQUALS",
  #   },
  # ],
  # type: [
  #   {
  #     value: "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices",
  #     comparison: "EQUALS",
  #   },
  # ],
  workflow_status: [
    {
      value: "NEW",
      comparison: "EQUALS",
    },
  ],
  record_state: [
    {
      value: "ACTIVE",
      comparison: "EQUALS",
    },
  ],
  # severity_label: [
  #   {
  #     value: "CRITICAL",
  #     comparison: "EQUALS",
  #   }
  # ]
 }

 sort_criteria = [
  {
    field: "CreatedAt",
    sort_order: "asc",
  }
 ]

 # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecurityHub/Client.html#get_findings-instance_method
 findings = []
 response = client.get_findings({
  filters: filters,
  sort_criteria: sort_criteria,
  max_results: 100,
 })

 findings = findings + response.findings
 while response.next_page? do
  response = client.get_findings({
    filters: filters,
    sort_criteria: sort_criteria,
    max_results: 100,
    next_token: response.next_token
  })
  findings = findings + response.findings
 end

 # binding.pry

 # format findings
 records = findings.map do |f|
  [
    f.id,
    f.region,
    f.aws_account_id,
    f.product_fields['StandardsArn'],
    f.types.join(","),
    f.title,
    f.severity.label,
    f.description,
    f.remediation.recommendation.text,
    f.remediation.recommendation.url,
    f.resources.map{|r| r.id}.join("\n"),
  ]
 end

 # write in csv
 filename = "securityhub-findings-#{Time.now.strftime("%Y-%m-%d-%H-%M")}.csv"
 headers = [
  "id","region","account_id","standards_arn","type","title","severity","description","remediation_text","remediation_url","resources"
 ]
 records.unshift(headers)

 File.write(filename, records.map(&:to_csv).join)
	require 'aws-sdk-securityhub'
	require 'csv'
	require 'pry'

	aws_profile_name = 'your profile name that you want to use on this script'
	client = Aws::SecurityHub::Client.new(profile: aws_profile_name)

	filters = {
	# id: [
	# {
	# value: "xxxxxxxxxxxxxxxxxxx",
	# comparison: "EQUALS",
	# },
	# ],
	# type: [
	# {
	# value: "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices",
	# comparison: "EQUALS",
	# },
	# ],
	workflow_status: [
	{
	value: "NEW",
	comparison: "EQUALS",
	},
	],
	record_state: [
	{
	value: "ACTIVE",
	comparison: "EQUALS",
	},
	],
	# severity_label: [
	# {
	# value: "CRITICAL",
	# comparison: "EQUALS",
	# }
	# ]
	}

	sort_criteria = [
	{
	field: "CreatedAt",
	sort_order: "asc",
	}
	]

	# https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecurityHub/Client.html#get_findings-instance_method
	findings = []
	response = client.get_findings({
	filters: filters,
	sort_criteria: sort_criteria,
	max_results: 100,
	})

	findings = findings + response.findings
	while response.next_page? do
	response = client.get_findings({
	filters: filters,
	sort_criteria: sort_criteria,
	max_results: 100,
	next_token: response.next_token
	})
	findings = findings + response.findings
	end

	# binding.pry

	# format findings
	records = findings.map do \|f\|
	[
	f.id,
	f.region,
	f.aws_account_id,
	f.product_fields['StandardsArn'],
	f.types.join(","),
	f.title,
	f.severity.label,
	f.description,
	f.remediation.recommendation.text,
	f.remediation.recommendation.url,
	f.resources.map{\|r\| r.id}.join("\n"),
	]
	end

	# write in csv
	filename = "securityhub-findings-#{Time.now.strftime("%Y-%m-%d-%H-%M")}.csv"
	headers = [
	"id","region","account_id","standards_arn","type","title","severity","description","remediation_text","remediation_url","resources"
	]
	records.unshift(headers)

	File.write(filename, records.map(&:to_csv).join)