aws-samples / aws-security-hub-csv-manager

CSV Manager for AWS Security Hub exports SecurityHub findings to a CSV file and allows you to mass-update SecurityHub findings by modifying that CSV file.
MIT No Attribution

Using filters to limit CSV results broken #3

Open ptyo opened 1 year ago

ptyo commented 1 year ago

Love this blog; it will greatly help us with keeping an eye on security. I have one issue though: the filters to limit CSV are not working. I am following the blog post https://aws.amazon.com/blogs/security/how-to-export-aws-security-hub-findings-to-csv-format/ and Step 3: (Optional) Using filters to limit CSV results is broken. After some digging into things as best I could, I noticed the filters being passed in are not getting to the actual code. If it matters, I deployed using the CloudFormation stack.

csvExporter.py:

```python
import json
import logging

_LOGGER = logging.getLogger(__name__)

################################################################################
################################################################################
def getFilters(candidate=None):
    """
    Process filters, which are specified as a JSON object or as a string,
    in this case "HighActive." If the filter can't be parsed, a message is
    issued but a null filter is returned.
    """
    if not candidate:
        filters = {}
    elif candidate != "HighActive":
        try:
            filters = json.loads(candidate)
        except Exception as thrown:
            _LOGGER.error(f'493020e filter parsing failed: {thrown}')
            filters = {}
    else:
        _LOGGER.info("493030i canned HighActive filter selects active high- " +
                     "and critical-severity findings")
        filters = {
            "SeverityLabel": [
                {"Value": "CRITICAL", "Comparison": "EQUALS"},
                {"Value": "HIGH", "Comparison": "EQUALS"}
            ],
            "RecordState": [
                {"Comparison": "EQUALS", "Value": "ACTIVE"}
            ]
        }

    return filters
###############################################################################
```

If I add the filters manually to the default code:

```python
if not candidate:
    filters = {}
```

and make it look like

```python
if not candidate:
    filters = {
        "SeverityLabel": [
            {"Value": "CRITICAL", "Comparison": "EQUALS"},
            {"Value": "HIGH", "Comparison": "EQUALS"}
        ],
        "RecordState": [
            {"Comparison": "EQUALS", "Value": "ACTIVE"}
        ]
    }
```

then it works as expected. So when entering the below in the test event, it doesn't filter; you get everything.

```json
{
  "SeverityLabel": [
    { "Value": "CRITICAL", "Comparison": "EQUALS" },
    { "Value": "HIGH", "Comparison": "EQUALS" }
  ],
  "RecordState": [
    { "Comparison": "EQUALS", "Value": "ACTIVE" }
  ]
}
```

Any assistance would be greatly appreciated. I haven't tried the Update functionality yet.

Thank you,

Pete
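Added example, not code from the repository or from the thread: it shows one way the posted getFilters can silently export every finding (a Lambda test event arrives as an already-parsed dict, and json.loads on a dict raises TypeError, which the bare except turns into an empty filter), and a variant that accepts a dict as well as a JSON string, checks the Security Hub filter shape, and fails loudly on bad input. The names HIGH_ACTIVE, validate_filters and get_filters are mine, and how the event reaches the function is assumed, since the thread never shows that wiring.

```python
import json
import logging

_LOGGER = logging.getLogger(__name__)

# Constructed copy of the canned "HighActive" filter shown in the post above.
HIGH_ACTIVE = {
    "SeverityLabel": [
        {"Value": "CRITICAL", "Comparison": "EQUALS"},
        {"Value": "HIGH", "Comparison": "EQUALS"},
    ],
    "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
}


def validate_filters(filters):
    """Check the Security Hub filter shape: each field maps to a list of
    {"Comparison": ..., "Value": ...} objects. Raises ValueError otherwise,
    so a typo in a filter cannot quietly turn into an unfiltered export."""
    if not isinstance(filters, dict):
        raise ValueError("filter must be a JSON object")
    for field, conditions in filters.items():
        if not isinstance(conditions, list) or not all(
            isinstance(c, dict) and {"Comparison", "Value"}.issubset(c)
            for c in conditions
        ):
            raise ValueError(f"malformed conditions for {field}")
    return filters


def get_filters(candidate=None):
    """Like the posted getFilters, but also accepts an already-parsed dict
    (what a Lambda test event delivers) and raises instead of returning {}.
    The posted code calls json.loads() on whatever it gets; on a dict that
    raises TypeError, which its bare except converts into {} (export all)."""
    if candidate is None or candidate == "":
        return {}
    if candidate == "HighActive":
        return HIGH_ACTIVE
    if isinstance(candidate, str):
        try:
            candidate = json.loads(candidate)
        except ValueError as thrown:
            _LOGGER.error("filter parsing failed: %s", thrown)
            raise ValueError(f"filter parsing failed: {thrown}") from thrown
    return validate_filters(candidate)
```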

ptyo commented 1 year ago

The updater works as expected when using a testEvent with Lambda... not sure why the exporter doesn't work with Lambda test events.

tamg-aws commented 1 year ago

@ptyo thanks! We've identified the issue and are validating a fix.

ptyo commented 1 year ago

@tamg-aws Thank you very much. This is a very useful tool.

azizur commented 11 months ago

@tamg-aws Are you able to share the fix for this issue?

ptyo commented 11 months ago

@azizur They fixed the code and updated the repo. Not sure what you are looking for? Are you getting an error?