Setting the workflow status for findings
For findings, the workflow status tracks the progress of your investigation into a finding.
The workflow status has the following values:
NEW
-
The initial state of a finding before you review it.
Security Hub also resets the workflow status from either
NOTIFIED
orRESOLVED
toNEW
in the following cases:-
An archived finding is made active.
-
The compliance status changes from
PASSED
to eitherWARNING
,FAILED
, orNOT_AVAILABLE
.
These changes imply that additional investigation is required.
-
NOTIFIED
-
Indicates that you notified the resource owner about the security issue. You can use this status when you are not the resource owner, and you need intervention from the resource owner in order to resolve a security issue.
SUPPRESSED
-
The finding will not be reviewed again and will not be acted upon.
RESOLVED
-
The finding was reviewed and remediated and is now considered resolved.
For findings from controls, if
Compliance.Status
isPASSED
, then Security Hub automatically sets the workflow status toRESOLVED
.
Setting the workflow status (console)
To set the workflow status from a finding details pane, from Workflow status, choose the status.
You can also set the workflow status for multiple selected findings in a finding list.
To set the workflow status for multiple findings (console)
-
Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/
. -
To display a finding list, do one of the following:
-
In the Security Hub navigation pane, choose Findings.
-
In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.
-
In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.
-
In the Security Hub navigation pane, choose Security standards. Choose View results to display a list of controls. Then choose the control name.
-
-
In the finding list, select the check box for each finding that you want to update.
-
At the top of the list, for Workflow status, choose the status.
Setting the workflow status (Security Hub API, AWS CLI)
To set the workflow status, you can use an API call or the AWS Command Line Interface.
To set the workflow status of a finding (Security Hub API, AWS CLI)
-
Security Hub API – Use the
BatchUpdateFindings
operation. To identify the finding to update, you must provide both the finding ID and the ARN of the product that generated the finding. -
AWS CLI – At the command line, run the
batch-update-findings
command.batch-update-findings --finding-identifiers Id="
<findingID>
",ProductArn="<productARN>
" --workflow Status="<workflowStatus>
"Example
aws securityhub batch-update-findings --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" --workflow Status="RESOLVED"