Prevent sending duplicated Securityhub findings to Slack


I am sending SecurityHub New findings to a Slack channel; however, the problem is that it is sending the same findings over and over again, and it would be very noisy in the channel.

The event rule is as below:

EventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "EventRule"
    EventPattern:
      source:
        - "aws.securityhub"
      detail-type:
        - "Security Hub Findings - Imported"
      detail:
        findings:
          Workflow:
            Status:
              - "NEW"
    State: "ENABLED"
    Targets:
      - Arn:
          Fn::GetAtt:
            - "LambdaFunction"
            - "Arn"
        Id: "TargetFunctionV1"

I have tried a way that is mentioned in a post: setting the finding as "Notified" after it sends the New finding to Slack:

import boto3

client = boto3.client('securityhub')

# ID and productarn are the finding's Id and ProductArn, taken from the
# finding in the incoming EventBridge event (event['detail']['findings'])
responsestatus = client.batch_update_findings(
    FindingIdentifiers=[
        {
            'Id': ID,
            'ProductArn': productarn
        },
    ],
    Workflow={
        'Status': 'NOTIFIED'
    }
)
print("State updated as Notified!")

However, the next day I saw that the same findings had been sent to the Slack channel again. After checking the AWS docs, it seems AWS changes the Notified workflow status back to New: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Workflow.html

Has anyone found a way to prevent sending duplicate findings?
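One way to stop the repeats regardless of what happens to the workflow status is to make the Lambda itself idempotent: remember which finding Ids it has already posted and skip them on later "Imported" events. The example below is added here and is not code from the question or from AWS; it uses a constructed EventBridge payload (SAMPLE_EVENT, with made-up Ids and ARNs), an in-memory stand-in for the dedup table (InMemoryDedupStore, which in production would be DynamoDB with a TTL attribute and a conditional write), and leaves the actual Slack webhook call as a comment so it runs offline. The optional resend_after_seconds setting goes a little beyond the question: it lets a still-open finding be re-announced once per interval instead of being silenced forever.

```python
import json
import time
from typing import Optional

# Constructed sample of the payload a "Security Hub Findings - Imported" rule
# delivers to its Lambda target, trimmed to the fields this example reads.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "detail": {
        "findings": [
            {
                "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/aaa",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
                "Title": "Constructed finding A",
                "Severity": {"Label": "HIGH"},
                "Workflow": {"Status": "NEW"},
            },
            {
                "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/bbb",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
                "Title": "Constructed finding B",
                "Severity": {"Label": "MEDIUM"},
                "Workflow": {"Status": "NEW"},
            },
        ]
    },
}


class InMemoryDedupStore:
    """Remembers which finding Ids have already been posted to Slack.

    Hypothetical stand-in for a persistent table: a dict only lives as long as one
    Lambda execution environment, so this is for illustration and local testing.
    With DynamoDB you would record the Id via a conditional put
    (ConditionExpression "attribute_not_exists(Id)") so that two concurrent
    invocations cannot both decide the same finding is unseen, and a TTL
    attribute would expire old entries.
    """

    def __init__(self, resend_after_seconds: Optional[int] = None):
        # None: post each Id exactly once. Otherwise a still-open finding may be
        # posted again once this many seconds have passed since the last post.
        self.resend_after = resend_after_seconds
        self._posted_at: dict[str, float] = {}

    def claim(self, finding_id: str, now: float) -> bool:
        """Return True (and record the Id) only if it should be posted now."""
        last = self._posted_at.get(finding_id)
        if last is not None and (self.resend_after is None or now - last < self.resend_after):
            return False
        self._posted_at[finding_id] = now
        return True


def select_new_findings(event: dict, store: InMemoryDedupStore, now: Optional[float] = None) -> list:
    """Keep only findings that are in workflow status NEW and not already posted."""
    now = time.time() if now is None else now
    selected = []
    for finding in event.get("detail", {}).get("findings", []):
        # The EventBridge pattern already filters on NEW; re-check here so a
        # broader rule does not leak NOTIFIED/RESOLVED updates into the channel.
        if finding.get("Workflow", {}).get("Status") != "NEW":
            continue
        if store.claim(finding["Id"], now):
            selected.append(finding)
    return selected


def slack_payload(findings: list) -> dict:
    """Build one incoming-webhook message per batch so a burst becomes a single post."""
    lines = [
        f"*{f.get('Severity', {}).get('Label', 'UNKNOWN')}* {f.get('Title', '(no title)')}\n{f['Id']}"
        for f in findings
    ]
    return {"text": "New Security Hub findings:\n" + "\n".join(lines)}


_DEFAULT_STORE = InMemoryDedupStore()


def handler(event: dict, context=None, store: Optional[InMemoryDedupStore] = None) -> dict:
    """Lambda entry point; the webhook POST is left as a comment so this runs offline."""
    store = _DEFAULT_STORE if store is None else store
    total = len(event.get("detail", {}).get("findings", []))
    findings = select_new_findings(event, store)
    if findings:
        body = json.dumps(slack_payload(findings))
        # Real function: urllib.request.urlopen(Request(SLACK_WEBHOOK_URL, data=body.encode(),
        # headers={"Content-Type": "application/json"})), with the URL read from an
        # environment variable or Secrets Manager rather than hard-coded.
    return {"posted": len(findings), "skipped_duplicates": total - len(findings)}


if __name__ == "__main__":
    s = InMemoryDedupStore()
    print(handler(SAMPLE_EVENT, store=s))  # both constructed findings posted
    print(handler(SAMPLE_EVENT, store=s))  # same event again: nothing posted
```

Because the key is the finding Id rather than the workflow status, a finding that Security Hub re-imports or flips back to NEW is still recognised as already announced; only a genuinely new Id (or an Id whose resend interval has elapsed) reaches Slack.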
