Need Some Guidance for listing Security hub findings for "Compliance: Passed" Status

0

I am having an issue with thousands of findings in Security Hub which say "Compliance Status: Passed". Usually they close after some period of time, but we generate daily reports and need to list the positive findings from the CLI at least.

Wondering if anyone has any knowledge on this; please share. I am planning to list the findings in the CLI which say "Compliance Status: Passed" and close them from the CLI. I am having a hard time with the query in the CLI for Security Hub. If anyone can help, I'd really appreciate it.

2 Answers
0
Accepted Answer

Hello RGADA, Thank you for reaching out on RePost!

To search based on 'ComplianceStatus = Passed' you may use the following CLI command: aws securityhub get-findings --filters '{"ComplianceStatus": [{"Comparison": "EQUALS", "Value": "PASSED"}]}'

Please note that for findings that are >3 - 5 days they will be automatically archived, these findings are viewable using the following CLI command: aws securityhub get-findings --filters '{"RecordState": [{"Comparison": "EQUALS", "Value": "ARCHIVED"}]}'

Of course, you may also use both of these at the same time to show both archived AND 'ComplianceStatus = Passed' findings like this: aws securityhub get-findings --filters '{"ComplianceStatus": [{"Comparison": "EQUALS", "Value": "PASSED"}], "RecordState": [{"Comparison": "EQUALS", "Value": "ARCHIVED"}]}'

There are some further examples and guidance on using the CLI to return findings which can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/get-findings.html

I note that you also mention that you would like to be able to close the findings as well. This is also possible via the CLI using the batch-update-findings CLI command. The documentation linked below has an example for doing exactly this task. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/securityhub/batch-update-findings.html

AWS
SUPPORT ENGINEER
answered 2 years ago
  • That worked, thank you a lot

0

For what it's worth, you can also query for just the list of Finding IDs, which might make it a bit easier:

aws securityhub get-findings --filters ComplianceStatus="[{Comparison=EQUALS,Value=PASSED}]" --query 'Findings[].[Id]' --output text

If you want to get the full JSON for just one Finding:

aws securityhub get-findings --filters Id="[{Comparison=EQUALS,Value=$FINDING_ARN}]" --query 'Findings[0]' --output json

(Adding this comment months later since this is currently the top search result for "aws securityhub get-findings".)

AWS
answered a year ago
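Both answers above give the two halves of the task (list the PASSED findings, then close them with batch-update-findings) as single CLI invocations. The script below is an added example, not code from either answer or from AWS, that puts the two halves together the way a daily job would: it pages through get-findings with the same ComplianceStatus filter (plus RecordState=ACTIVE so already-archived findings are left alone), flattens the results into CSV for the report, and splits the identifiers into BatchUpdateFindings calls of at most 100 findings, which is the documented per-call limit. The report columns, the note text, the "security-hub-janitor" UpdatedBy label, the dry-run default, and the synthetic finding IDs generated by sample_findings() are assumptions made for illustration; the filter shape, the FindingIdentifiers/Workflow/Note payload, and the boto3 paginator for get_findings follow the Security Hub API.

```python
"""Daily report of PASSED Security Hub findings and bulk close via BatchUpdateFindings.

Added example for the re:Post thread above, not the thread's own code. The filter
and the batch-update payload follow the documented get-findings and
batch-update-findings APIs; report columns, note text, the UpdatedBy label and
the synthetic finding IDs are assumptions chosen for illustration.
"""
import csv
import io
from typing import Dict, Iterable, List

# Documented limits of the two APIs.
GET_FINDINGS_PAGE_SIZE = 100   # MaxResults for GetFindings
BATCH_UPDATE_MAX_IDS = 100     # FindingIdentifiers per BatchUpdateFindings call

# Product ARN used by Security Hub's own control findings (region assumed).
SECURITYHUB_PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"


def passed_active_filter() -> Dict:
    """AwsSecurityFindingFilters for findings whose control check passed.

    RecordState=ACTIVE is added so findings the product already archived are
    not fetched or touched again."""
    return {
        "ComplianceStatus": [{"Comparison": "EQUALS", "Value": "PASSED"}],
        "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
    }


def report_rows(findings: Iterable[Dict]) -> List[List[str]]:
    """Flatten ASFF findings into the columns the daily report needs (assumed set)."""
    rows = []
    for f in findings:
        resources = f.get("Resources") or [{}]
        rows.append([
            f["Id"],
            f.get("Title", ""),
            f.get("Compliance", {}).get("Status", ""),
            f.get("Workflow", {}).get("Status", ""),
            resources[0].get("Id", ""),
            f.get("UpdatedAt", ""),
        ])
    return rows


def report_csv(findings: Iterable[Dict]) -> str:
    """Render the report as CSV text (header plus one row per finding)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Id", "Title", "ComplianceStatus", "WorkflowStatus", "ResourceId", "UpdatedAt"])
    writer.writerows(report_rows(findings))
    return buf.getvalue()


def batch_update_requests(findings: Iterable[Dict],
                          note: str = "Control check passed; closed by daily job") -> List[Dict]:
    """Split findings into BatchUpdateFindings keyword-argument dicts of <=100 identifiers.

    Only Id and ProductArn identify a finding. Workflow.Status=RESOLVED is what
    'closes' it; RecordState cannot be set through this API."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    requests = []
    for start in range(0, len(ids), BATCH_UPDATE_MAX_IDS):
        requests.append({
            "FindingIdentifiers": ids[start:start + BATCH_UPDATE_MAX_IDS],
            "Workflow": {"Status": "RESOLVED"},
            "Note": {"Text": note, "UpdatedBy": "security-hub-janitor"},  # label assumed
        })
    return requests


def close_passed_findings(client, dry_run: bool = True):
    """Page through GetFindings, build the report, then resolve in batches.

    `client` is a boto3 securityhub client. Returns (csv_text, count, unprocessed)
    where `unprocessed` collects the UnprocessedFindings entries the API rejected."""
    findings = []
    paginator = client.get_paginator("get_findings")
    for page in paginator.paginate(Filters=passed_active_filter(),
                                   PaginationConfig={"PageSize": GET_FINDINGS_PAGE_SIZE}):
        findings.extend(page["Findings"])
    report = report_csv(findings)
    unprocessed = []
    if not dry_run:
        for req in batch_update_requests(findings):
            resp = client.batch_update_findings(**req)
            unprocessed.extend(resp.get("UnprocessedFindings", []))
    return report, len(findings), unprocessed


def sample_findings(n: int) -> List[Dict]:
    """Constructed ASFF-shaped findings for offline testing (IDs are synthetic)."""
    return [{
        "Id": f"arn:aws:securityhub:us-east-1:123456789012:security-control/IAM.1/finding/{i:08d}",
        "ProductArn": SECURITYHUB_PRODUCT_ARN,
        "Title": "IAM policies should not allow full \"*\" administrative privileges",
        "Compliance": {"Status": "PASSED"},
        "Workflow": {"Status": "NEW"},
        "Resources": [{"Id": f"arn:aws:iam::123456789012:policy/p{i}"}],
        "UpdatedAt": "2024-01-01T00:00:00.000Z",
    } for i in range(n)]


if __name__ == "__main__":
    import boto3  # imported here so the report/batching helpers stay usable offline
    text, total, failed = close_passed_findings(boto3.client("securityhub"), dry_run=True)
    print(text)
    print(f"{total} PASSED findings, {len(failed)} unprocessed (dry run)")
```

The job defaults to dry_run=True, so a first run only produces the report; flip it once the output looks right. Check the returned UnprocessedFindings list rather than assuming success, since BatchUpdateFindings can accept part of a batch and reject the rest.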
