Setting the workflow status for findings

For findings, the workflow status tracks the progress of your investigation into a finding.

The workflow status has the following values:

NEW

The initial state of a finding before you review it.

Security Hub also resets the workflow status from either NOTIFIED or RESOLVED to NEW in the following cases:

• An archived finding is made active.

• The compliance status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.

These changes imply that additional investigation is required.

NOTIFIED

Indicates that you notified the resource owner about the security issue. You can use this status when you are not the resource owner, and you need intervention from the resource owner in order to resolve a security issue.

SUPPRESSED

The finding will not be reviewed again and will not be acted upon.

RESOLVED

The finding was reviewed and remediated and is now considered resolved.

For findings from controls, if Compliance.Status is PASSED, then Security Hub automatically sets the workflow status to RESOLVED.

Setting the workflow status (console)

To set the workflow status from a finding details pane, from Workflow status, choose the status.

You can also set the workflow status for multiple selected findings in a finding list.

To set the workflow status for multiple findings (console)

1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

2. To display a finding list, do one of the following:

   • In the Security Hub navigation pane, choose Findings.

   • In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.

   • In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.

   • In the Security Hub navigation pane, choose Security standards. Choose View results to display a list of controls. Then choose the control name.

3. In the finding list, select the check box for each finding that you want to update.

4. At the top of the list, for Workflow status, choose the status.

Setting the workflow status (Security Hub API, AWS CLI)

To set the workflow status, you can use an API call or the AWS Command Line Interface.

To set the workflow status of a finding (Security Hub API, AWS CLI)

• Security Hub API – Use the BatchUpdateFindings operation. To identify the finding to update, you must provide both the finding ID and the ARN of the product that generated the finding.

• AWS CLI – At the command line, run the batch-update-findings command.

  batch-update-findings --finding-identifiers Id="<findingID>",ProductArn="<productARN>" --workflow Status="<workflowStatus>"

  Example

  aws securityhub batch-update-findings --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" --workflow Status="RESOLVED"