Setting the workflow status of findings - AWS Security Hub

Setting the workflow status of findings

Workflow status tracks the progress of your investigation into a finding. The workflow status is specific to an individual finding. It doesn't affect the generation of new findings. For example, setting the workflow status of a finding to SUPPRESSED or RESOLVED doesn't prevent AWS Security Hub from generating a new finding for the same issue.

Workflow status can have the following values:

NEW

The initial state of a finding before you review it.

Findings that are ingested from integrated AWS services, such as AWS Config, have NEW as their initial status.

Security Hub also resets the workflow status from either NOTIFIED or RESOLVED to NEW in the following cases:

  • RecordState changes from ARCHIVED to ACTIVE.

  • Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.

These changes imply that additional investigation is required.

NOTIFIED

Indicates that you notified the resource owner about the security issue. You can use this status when you are not the resource owner, and you need intervention from the resource owner in order to resolve a security issue.

If one of the following occurs, the workflow status is changed automatically from NOTIFIED to NEW:

  • RecordState changes from ARCHIVED to ACTIVE.

  • Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.

SUPPRESSED

Indicates that you reviewed the finding and do not believe that any action is needed.

The workflow status of a SUPPRESSED finding does not change if RecordState changes from ARCHIVED to ACTIVE.

RESOLVED

The finding was reviewed and remediated and is now considered resolved.

The finding remains RESOLVED unless one of the following occurs:

  • RecordState changes from ARCHIVED to ACTIVE.

  • Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.

In those cases, the workflow status is automatically reset to NEW.

For findings from controls, if Compliance.Status is PASSED, then Security Hub automatically sets the workflow status to RESOLVED.

Setting the workflow status of findings

Choose your preferred method, and follow the steps to set the workflow status of one or more findings.

To automatically update the workflow status of specific findings, see Automation rules.

Security Hub console

To set the workflow status of findings

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. To display a finding list, do one of the following:

    • In the Security Hub navigation pane, choose Findings.

    • In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.

    • In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.

    • In the Security Hub navigation pane, choose Security standards. Choose View results to display a list of controls. Then, select a control to see a list of findings for that control.

  3. In the finding list, select the check box for each finding that you want to update.

  4. At the top of the list, for Workflow status, choose the status.

  5. In the Set workflow status dialog box, provide an optional note that details the reason for updating the workflow status. Choose Set status.

Security Hub API

Invoke the BatchUpdateFindings API. Provide both the finding ID and the ARN of the product that generated the finding. You can get these details by invoking the GetFindings API.

AWS CLI

Run the batch-update-findings command. Provide both the finding ID and the ARN of the product that generated the finding. You can get these details by running the get-findings command.

aws securityhub batch-update-findings --finding-identifiers Id="<findingID>",ProductArn="<productARN>" --workflow Status="<workflowStatus>"

Example

aws securityhub batch-update-findings --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" --workflow Status="RESOLVED"
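The reset rules described earlier and the BatchUpdateFindings call can both be modelled offline; the Python below is an added example, not AWS code. It assumes the documented limit of 100 FindingIdentifiers per BatchUpdateFindings call and that a Note carries both Text and UpdatedBy; the Finding class and both functions are hypothetical helpers, and the request dicts they build have the shape passed to boto3's batch_update_findings or the CLI's --cli-input-json.

```python
from dataclasses import dataclass
from typing import List, Optional

WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "SUPPRESSED", "RESOLVED"}
REGRESSED_COMPLIANCE = {"FAILED", "WARNING", "NOT_AVAILABLE"}


@dataclass
class Finding:
    id: str                                  # finding Id (an ARN for Security Hub findings)
    product_arn: str                         # ProductArn of the product that generated it
    record_state: str                        # "ACTIVE" or "ARCHIVED"
    workflow_status: str                     # one of WORKFLOW_STATUSES
    compliance_status: Optional[str] = None  # Compliance.Status of a control finding


def next_workflow_status(finding: Finding, new_record_state: str,
                         new_compliance_status: Optional[str] = None) -> str:
    """Workflow status Security Hub will show after RecordState / Compliance.Status
    change, following the reset rules on this page (a model, not the service's code)."""
    status = finding.workflow_status
    reactivated = finding.record_state == "ARCHIVED" and new_record_state == "ACTIVE"
    regressed = (finding.compliance_status == "PASSED"
                 and new_compliance_status in REGRESSED_COMPLIANCE)
    if status in ("NOTIFIED", "RESOLVED") and (reactivated or regressed):
        return "NEW"          # analyst state is discarded: more investigation is implied
    if status == "SUPPRESSED":
        return "SUPPRESSED"   # suppression survives re-activation of the finding
    if new_compliance_status == "PASSED":
        return "RESOLVED"     # control findings that pass are auto-resolved
    return status


def build_batch_update_requests(findings: List[Finding], status: str, note_text: str,
                                updated_by: str, batch_size: int = 100) -> list:
    """Split findings into BatchUpdateFindings request bodies. The API accepts at most
    100 FindingIdentifiers per call, and a Note needs both Text and UpdatedBy."""
    if status not in WORKFLOW_STATUSES:
        raise ValueError(f"invalid workflow status: {status}")
    requests = []
    for start in range(0, len(findings), batch_size):
        chunk = findings[start:start + batch_size]
        requests.append({
            "FindingIdentifiers": [{"Id": f.id, "ProductArn": f.product_arn} for f in chunk],
            "Workflow": {"Status": status},
            "Note": {"Text": note_text, "UpdatedBy": updated_by},
        })
    return requests
```

Running next_workflow_status over a batch before you resolve or notify shows which findings Security Hub will flip back to NEW on the next compliance regression, which is worth knowing before automation rules or dashboards key off the RESOLVED count.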