The issue you're facing with the `get_findings` API and the `ComplianceStatus` filter is likely due to the way the GuardDuty API handles the compliance status.

The `ComplianceStatus` field in the GuardDuty findings represents the compliance status of the finding against the security standards or controls that GuardDuty is monitoring. The possible values for `ComplianceStatus` are `PASSED`, `FAILED`, and `NOT_AVAILABLE`.

However, the `get_findings` API expects the filter values to be exact matches, and the values `'FAILED'` and `'PASSED'` may not be recognized as valid values for the `ComplianceStatus` filter.

To work around this issue, you can try the following approach:

- Use the `'FAILED'` and `'PASSED'` values in the `ComplianceStatus` filter, but also include the `'NOT_AVAILABLE'` value to ensure you capture all the relevant findings:
```python
def build_filters(severity_labels=None, compliance_status=None):
    # Always exclude archived findings.
    filters = {}
    filters['RecordState'] = [{'Value': 'ARCHIVED', 'Comparison': 'NOT_EQUALS'}]
    # Optional severity filter: one EQUALS entry per requested label.
    if severity_labels:
        filters['SeverityLabel'] = [{'Value': label, 'Comparison': 'EQUALS'} for label in severity_labels]
    # Compliance filter: the requested status plus NOT_AVAILABLE.
    if compliance_status:
        filters['ComplianceStatus'] = [
            {'Value': compliance_status, 'Comparison': 'EQUALS'},
            {'Value': 'NOT_AVAILABLE', 'Comparison': 'EQUALS'}
        ]
    return filters
```
This way, your `ComplianceStatus` filter will include both the specific status you're looking for (e.g., `'FAILED'`) and the `'NOT_AVAILABLE'` status, which may also be relevant.
- Alternatively, you can use the `'COMPLIANT'` and `'NON_COMPLIANT'` values instead of `'PASSED'` and `'FAILED'`, as these are the values that the GuardDuty API documentation recommends using for the `ComplianceStatus` filter:
```python
def build_filters(severity_labels=None, compliance_status=None):
    # Always exclude archived findings.
    filters = {}
    filters['RecordState'] = [{'Value': 'ARCHIVED', 'Comparison': 'NOT_EQUALS'}]
    # Optional severity filter: one EQUALS entry per requested label.
    if severity_labels:
        filters['SeverityLabel'] = [{'Value': label, 'Comparison': 'EQUALS'} for label in severity_labels]
    # Compliance filter: exact match on the requested status only.
    if compliance_status:
        filters['ComplianceStatus'] = [{'Value': compliance_status, 'Comparison': 'EQUALS'}]
    return filters
```
In this case, you would use `'COMPLIANT'` or `'NON_COMPLIANT'` as the `compliance_status` value, instead of `'PASSED'` or `'FAILED'`.

By trying one of these approaches, you should be able to get the correct set of findings based on the `ComplianceStatus` filter.
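The filter construction from the answer above, generalized and exercised end to end, as an added example that is not part of the original answer or of any AWS SDK. It assumes a `get_findings`-style client that accepts `Filters`, `MaxResults` and `NextToken` and returns `{"Findings": [...], "NextToken": ...}` (the boto3 call shape); `FakeFindingsClient` is a constructed in-memory stand-in so the code runs offline, its findings are constructed flat dicts keyed by the filter field names, and the matching semantics in `matches()` (EQUALS entries on one field OR'ed, NOT_EQUALS entries AND'ed, fields AND'ed together) are an assumption modelled locally, not verified against the service.

```python
"""Build a get_findings-style Filters mapping and page through the results.

Added example, not the answer's own code. Assumptions (not from the page):
  * the client's get_findings takes Filters, MaxResults and NextToken and
    returns {"Findings": [...], "NextToken": ...}, the boto3 call shape;
  * FakeFindingsClient is a constructed in-memory stand-in so this runs
    offline, and its findings are flat dicts keyed by the filter field names;
  * filter semantics as modelled in matches(): EQUALS entries on one field
    are OR'ed, NOT_EQUALS entries are AND'ed, and fields are AND'ed together.
"""
from typing import Any, Dict, List, Optional

Filters = Dict[str, List[Dict[str, str]]]
Finding = Dict[str, Any]


def build_filters(severity_labels: Optional[List[str]] = None,
                  compliance_status: Optional[str] = None,
                  include_not_available: bool = False) -> Filters:
    """Active findings, optionally narrowed by severity label(s) and by
    compliance status (widened with NOT_AVAILABLE on request)."""
    filters: Filters = {
        "RecordState": [{"Value": "ARCHIVED", "Comparison": "NOT_EQUALS"}],
    }
    if severity_labels:
        filters["SeverityLabel"] = [
            {"Value": label, "Comparison": "EQUALS"} for label in severity_labels
        ]
    if compliance_status:
        wanted = [compliance_status]
        if include_not_available:
            wanted.append("NOT_AVAILABLE")
        filters["ComplianceStatus"] = [
            {"Value": value, "Comparison": "EQUALS"} for value in wanted
        ]
    return filters


def matches(finding: Finding, filters: Filters) -> bool:
    """Local evaluator for a Filters mapping (assumed semantics, see header)."""
    for field, conditions in filters.items():
        actual = finding.get(field)
        equals = [c["Value"] for c in conditions if c["Comparison"] == "EQUALS"]
        not_equals = [c["Value"] for c in conditions if c["Comparison"] == "NOT_EQUALS"]
        if equals and actual not in equals:
            return False
        if actual in not_equals:
            return False
    return True


class FakeFindingsClient:
    """Constructed stand-in for a findings client: serves pages of matches."""

    def __init__(self, findings: List[Finding]) -> None:
        self._findings = findings

    def get_findings(self, Filters: Optional[Filters] = None, MaxResults: int = 100,
                     NextToken: Optional[str] = None) -> Dict[str, Any]:
        selected = [f for f in self._findings if matches(f, Filters or {})]
        start = int(NextToken) if NextToken else 0
        page = selected[start:start + MaxResults]
        response: Dict[str, Any] = {"Findings": page}
        if start + MaxResults < len(selected):
            response["NextToken"] = str(start + MaxResults)  # opaque to callers
        return response


def fetch_all(client: Any, filters: Filters, page_size: int = 100) -> List[Finding]:
    """Follow NextToken until the service stops returning one."""
    collected: List[Finding] = []
    token: Optional[str] = None
    while True:
        kwargs: Dict[str, Any] = {"Filters": filters, "MaxResults": page_size}
        if token:
            kwargs["NextToken"] = token
        response = client.get_findings(**kwargs)
        collected.extend(response["Findings"])
        token = response.get("NextToken")
        if not token:
            return collected


# Constructed sample findings (not real data).
SAMPLE_FINDINGS: List[Finding] = [
    {"Id": "f-1", "SeverityLabel": "HIGH", "ComplianceStatus": "FAILED", "RecordState": "ACTIVE"},
    {"Id": "f-2", "SeverityLabel": "HIGH", "ComplianceStatus": "PASSED", "RecordState": "ACTIVE"},
    {"Id": "f-3", "SeverityLabel": "LOW", "ComplianceStatus": "FAILED", "RecordState": "ACTIVE"},
    {"Id": "f-4", "SeverityLabel": "HIGH", "ComplianceStatus": "FAILED", "RecordState": "ARCHIVED"},
    {"Id": "f-5", "SeverityLabel": "CRITICAL", "ComplianceStatus": "NOT_AVAILABLE", "RecordState": "ACTIVE"},
    {"Id": "f-6", "SeverityLabel": "MEDIUM", "ComplianceStatus": "FAILED", "RecordState": "ACTIVE"},
]


def finding_ids(client: Any, filters: Filters, page_size: int = 2) -> List[str]:
    """Ids of every finding the filter selects, collected across pages."""
    return [f["Id"] for f in fetch_all(client, filters, page_size)]


if __name__ == "__main__":
    client = FakeFindingsClient(SAMPLE_FINDINGS)
    print(finding_ids(client, build_filters(["HIGH", "CRITICAL"], "FAILED")))
    print(finding_ids(client, build_filters(["HIGH", "CRITICAL"], "FAILED", True)))
```

The small page size in `finding_ids` is deliberate: it forces the `NextToken` loop to run several times, which is where real scripts usually go wrong (stopping after the first page and silently under-reporting). Note also what the `include_not_available` switch does in the constructed data: it pulls in `f-5`, a finding that has no compliance verdict at all, so widening the filter this way trades completeness for noise and should be a conscious choice.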