AWS Security Hub launches a new API called BatchUpdateFindings and new Workflow Statuses

Posted on: Apr 16, 2020

AWS Security Hub has released a new API action called BatchUpdateFindings, and we plan to deprecate the current UpdateFindings API. The UpdateFindings API only supported a few fields in the AWS Security Finding Format (ASFF) and wasn't integrated with CloudWatch Events. The BatchUpdateFindings API fixes those issues and supports a much larger set of updatable fields, such as severity, criticality, confidence, user-defined fields, notes, and workflow status. Also, the fields that BatchUpdateFindings can update cannot be updated by finding providers. Those fields can only be updated by the customer or by SIEM/ticketing/SOAR tools that have access to this API action. This prevents finding providers from overwriting your updates. You can use the BatchUpdateFindings API to complete actions such as creating your own suppression rules, changing severity scores, and adding notes to findings. To learn more about this API, please visit our documentation.

We have also added a new Workflow Status field to the AWS Security Finding Format (ASFF) and to our console. Previously, customers used the Record State field to track which findings to archive. We are keeping the Record State field, but now only finding providers update it. Customers (or SIEM/ticketing/SOAR tools working on their behalf) now use Workflow Status to indicate whether a finding's status is NEW, NOTIFIED, SUPPRESSED, or RESOLVED. Separating these fields eliminates conflicts between finding provider updates and customer updates, such as a customer updating the Record State and then the finding provider overwriting that update. We also updated the definitions of our default insights, finding views, and dashboards to account for Workflow Status. We do not show SUPPRESSED findings in these default views. You can use the new BatchUpdateFindings API to create auto-suppression rules. Note that the Workflow Status field is different from our previous Workflow State field. We are deprecating Workflow State in favor of this new field. To learn more about workflow status, please visit our documentation.
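The two paragraphs above describe what BatchUpdateFindings can change and how Workflow Status is meant to carry the customer's decision while Record State stays with the finding provider. The following is an added example (not AWS code and not from this announcement) of an auto-suppression rule built on that split: it only touches findings that are still ACTIVE (the provider has not closed them) and still NEW (no human or tool has decided anything yet), sets Workflow Status to SUPPRESSED, and records the reason in a note. The sample findings, the rule, the `auto-suppress-sandbox` principal name, and the `FakeSecurityHubClient` are constructed for the demo; the request shape (`FindingIdentifiers`, `Workflow`, `Note`, `UserDefinedFields`) is the boto3 `batch_update_findings` shape, and the 100-identifier batch size is the documented per-call limit.

```python
"""Auto-suppression rule on top of BatchUpdateFindings (added example, not AWS code)."""
from __future__ import annotations

from typing import Any

BATCH_LIMIT = 100  # BatchUpdateFindings accepts at most 100 FindingIdentifiers per call
UPDATED_BY = "auto-suppress-sandbox"  # hypothetical principal name recorded in the Note


def _finding(suffix: str, env: str, record_state: str, workflow: str, generator: str) -> dict[str, Any]:
    """Build a constructed, abbreviated ASFF finding for the demo (not a real finding)."""
    return {
        "Id": f"arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/{suffix}",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "GeneratorId": generator,
        "Resources": [{"Type": "AwsEc2Vpc", "Id": f"vpc-{suffix}", "Tags": {"Environment": env}}],
        "RecordState": record_state,        # owned by the finding provider
        "Workflow": {"Status": workflow},   # owned by the customer / SOAR tooling
    }


CIS_2_9 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9"
OTHER = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1"

# Constructed sample findings covering each branch of the rule.
SAMPLE_FINDINGS = [
    _finding("sbx-1", "sandbox", "ACTIVE", "NEW", CIS_2_9),         # should be suppressed
    _finding("prod-1", "prod", "ACTIVE", "NEW", CIS_2_9),           # wrong environment
    _finding("sbx-2", "sandbox", "ACTIVE", "SUPPRESSED", CIS_2_9),  # already handled
    _finding("sbx-3", "sandbox", "ARCHIVED", "NEW", CIS_2_9),       # provider already closed it
    _finding("sbx-4", "sandbox", "ACTIVE", "NEW", OTHER),           # different control
]

# Rule: CIS 2.9 (VPC flow logs) is accepted risk on sandbox VPCs only.
SANDBOX_RULE = {"generator_id": CIS_2_9, "resource_tags": {"Environment": "sandbox"}}


def matches_rule(finding: dict[str, Any], rule: dict[str, Any]) -> bool:
    """True only for provider-active, customer-untriaged findings that match the rule."""
    if finding.get("RecordState") != "ACTIVE":
        return False  # provider closed it; nothing for us to suppress
    if finding.get("Workflow", {}).get("Status") != "NEW":
        return False  # someone already triaged it; never override NOTIFIED/RESOLVED/SUPPRESSED
    if finding.get("GeneratorId") != rule["generator_id"]:
        return False
    wanted = rule["resource_tags"].items()
    return any(wanted <= r.get("Tags", {}).items() for r in finding.get("Resources", []))


def plan_suppression(findings, rule, reason: str = "sandbox VPCs are out of scope for CIS 2.9") -> list[dict]:
    """Return one batch_update_findings kwargs dict per batch of up to BATCH_LIMIT findings."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings if matches_rule(f, rule)]
    batches = []
    for start in range(0, len(ids), BATCH_LIMIT):
        batches.append({
            "FindingIdentifiers": ids[start:start + BATCH_LIMIT],
            "Workflow": {"Status": "SUPPRESSED"},
            "Note": {"Text": reason, "UpdatedBy": UPDATED_BY},
            "UserDefinedFields": {"suppressionRule": "sandbox-cis-2.9"},  # makes the rule auditable
        })
    return batches


def apply_suppression(client, findings, rule):
    """Send each batch; collect processed and unprocessed identifiers from the responses."""
    processed, unprocessed = [], []
    for params in plan_suppression(findings, rule):
        resp = client.batch_update_findings(**params)
        processed.extend(resp.get("ProcessedFindings", []))
        unprocessed.extend(resp.get("UnprocessedFindings", []))
    return processed, unprocessed


class FakeSecurityHubClient:
    """Offline stand-in that mimics the response shape of batch_update_findings."""

    def __init__(self) -> None:
        self.calls: list[dict] = []

    def batch_update_findings(self, **params):
        self.calls.append(params)
        return {"ProcessedFindings": list(params["FindingIdentifiers"]), "UnprocessedFindings": []}


if __name__ == "__main__":
    # With credentials configured: client = boto3.client("securityhub")
    client = FakeSecurityHubClient()
    done, failed = apply_suppression(client, SAMPLE_FINDINGS, SANDBOX_RULE)
    print(f"suppressed {len(done)} finding(s), {len(failed)} unprocessed, {len(client.calls)} API call(s)")
```

Because the rule refuses to act on anything that is not ACTIVE and NEW, rerunning it is idempotent and it never clobbers a NOTIFIED or RESOLVED decision made by an analyst, which is exactly the separation of duties the new field is meant to give you; the UserDefinedFields tag lets you later find everything this rule suppressed.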

Available globally, AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security status across your AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer, as well as from over 40 AWS Partner solutions. You can also continuously monitor your environment using automated security checks based on standards such as the CIS AWS Foundations Benchmark and the Payment Card Industry Data Security Standard. You can also take action on these findings by investigating them in Amazon Detective and by using Amazon CloudWatch Events rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools, or to custom remediation playbooks.

You can enable your 30-day free trial of AWS Security Hub with a single click in the AWS Management Console. Please see the AWS Regions page for all the regions where AWS Security Hub is available. To learn more about AWS Security Hub capabilities, see the AWS Security Hub documentation, and to start your 30-day free trial, see the AWS Security Hub free trial page.