Setting the workflow status for a finding - AWS Security Hub

Setting the workflow status for a finding

The workflow status tracks the progress of your investigation into a finding.

The workflow status values are as follows.

NEW

The initial state of a finding before you review it.

NOTIFIED

Indicates that you notified the resource owner about the security issue. You can use this status when you are not the resource owner, and you need intervention from the resource owner in order to resolve a security issue.

SUPPRESSED

The finding will not be reviewed again and will not be acted upon.

RESOLVED

The finding was reviewed and remediated and is now considered resolved.

For findings from controls, if Compliance.Status is PASSED, then Security Hub automatically sets the workflow status to RESOLVED.

Setting the workflow status (console)

To set the workflow status from the details of a finding, choose the status from Workflow status.

You can also set the workflow status for multiple selected findings in the findings list.

To set the workflow status for multiple findings

  1. In the findings list, select the check box for each finding that you want to update.

  2. For Change workflow status, choose the status.

Setting the workflow status (Security Hub API, AWS CLI)

To set the workflow status, you can use an API call or the AWS Command Line Interface.

To set the workflow status of a finding (Security Hub API, AWS CLI)

  • Security Hub API – Use the BatchUpdateFindings operation. To identify the finding to update, you must provide both the finding ID and the ARN of the product that generated the finding.

  • AWS CLI – At the command line, run the batch-update-findings command.

    aws securityhub batch-update-findings --finding-identifiers Id="<findingID>",ProductArn="<productARN>" --workflow Status="<workflowStatus>"

    Example

    aws securityhub batch-update-findings --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" --workflow Status="RESOLVED"
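The same BatchUpdateFindings call applied to many findings at once, as an added example that is not part of the AWS documentation: it validates the status against the four values listed above, splits the identifiers into groups of at most 100 (the per-call limit of the operation), and collects the findings the API reports as unprocessed. The function name `set_workflow_status` and its `(finding_id, product_arn)` input format are assumptions made for this example; the client is a boto3 `securityhub` client.

```python
"""Added example: bulk workflow-status update through BatchUpdateFindings."""

VALID_STATUSES = {"NEW", "NOTIFIED", "SUPPRESSED", "RESOLVED"}  # values listed on this page
MAX_BATCH = 100  # BatchUpdateFindings accepts at most 100 finding identifiers per call


def set_workflow_status(client, findings, status):
    """Set the workflow status on every (finding_id, product_arn) pair.

    `client` is a boto3 "securityhub" client (or a stub with the same method).
    Returns (processed, unprocessed) lists taken from the API responses.
    """
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown workflow status: {status!r}")

    identifiers = []
    for finding_id, product_arn in findings:
        # Both values are required to identify a finding.
        if not finding_id or not product_arn:
            raise ValueError("each finding needs both an Id and a ProductArn")
        identifiers.append({"Id": finding_id, "ProductArn": product_arn})

    processed, unprocessed = [], []
    for start in range(0, len(identifiers), MAX_BATCH):
        response = client.batch_update_findings(
            FindingIdentifiers=identifiers[start:start + MAX_BATCH],
            Workflow={"Status": status},
        )
        processed.extend(response.get("ProcessedFindings", []))
        # Each unprocessed entry carries FindingIdentifier, ErrorCode, ErrorMessage.
        unprocessed.extend(response.get("UnprocessedFindings", []))
    return processed, unprocessed


if __name__ == "__main__":
    import boto3  # requires AWS credentials and a Region with Security Hub enabled

    hub = boto3.client("securityhub", region_name="us-west-1")
    sample = [(  # identifiers copied from the CLI example on this page
        "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/"
        "PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "arn:aws:securityhub:us-west-1::product/aws/securityhub",
    )]
    done, failed = set_workflow_status(hub, sample, "RESOLVED")
    for item in failed:
        print("not updated:", item["FindingIdentifier"]["Id"], item["ErrorCode"])
    print(f"{len(done)} updated, {len(failed)} failed")
```

Review the unprocessed list after every run: a bulk SUPPRESSED or RESOLVED update that partly fails leaves some findings in their previous workflow status.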