AWS SecurityHub: AwsSecurityFindingFilters


    • #242969
      Participant
      Topics: 1
      Replies: 2
      Points: 20
      Rank: Member

      Hey All,

      I’ve hit a wall trying to use the AWS SecurityHub cmdlet Get-SHUBFinding. I’m trying to apply the filter option (AWSSecurityFindingsFilter) but cannot figure out how to form it. For example, if I wanted to filter the SeverityLabel value(s) to Critical and High…how?

      eg – Get-SHUBFinding -Filter <What-Does-This-Look-Like>

      By default, the query returns everything, which is currently over 100k records, which is heavier than I need to sift through. I’ve reviewed the documentation and scoured the web, but cannot find a single practical example of how to use this. I’ve even resorted to the Contact Owners link in the PowerShell Gallery but received no response.

      Can anyone provide a practical example on how to use the Filter option?

      Thank you in advance,

      Rick

    • #242987
      Participant
      Topics: 8
      Replies: 568
      Points: 2,170
      Helping Hand
      Rank: Community Hero

      Wow it’s ridiculous I cannot find one example so far. So much documentation talking about the filters, but not an example? Give this a try.

      If that works, then maybe this will too

      My next attempt would be a filter hashtable

      But I’m just making uneducated guesses. Unfortunately I don’t have an environment like this to test in.

    • #242990
      Participant
      Topics: 8
      Replies: 568
      Points: 2,170
      Helping Hand
      Rank: Community Hero
    • #243089
      Participant
      Topics: 1
      Replies: 2
      Points: 20
      Rank: Member

      Thanks for the response!

      I tried the string-based when I first started playing with this and it simply errors out with type conversion errors. (eg – cannot convert value of type “System.String” to type “Amazon.SecurityHub.Model.AwsSecurityFindingFilters”). I’ve seen those completer pages in my journey but, likely due to my lower level of PowerShell experience, still wasn’t able to determine what it wants.

      I have been able to init an object of the “correct” type that executes without error, but haven’t been able to figure out what it wants in the object.

      $x = New-Object Amazon.SecurityHub.Model.AwsSecurityFindingFilters
      $findings = Get-SHUBFinding -Filter $x

      The var $x does have auto-complete attributes (VSCode), but nothing I try to assign to it compiles.

      Ugh.
    • #243149
      Participant
      Topics: 1
      Replies: 2
      Points: 20
      Rank: Member

      Update – I made enough progress to at least get me over the hump. I’m sure there is a more streamlined way to do this, but this is close enough to allow me to move forward. Hopefully posting this will save someone else some time and maybe someone can show me an even more streamlined way to do this (eg – single pass / multiple values in the filter over having to query twice, but it’s not a deal breaker at this point).

      $filter = New-Object Amazon.SecurityHub.Model.AwsSecurityFindingFilters
      $filterHigh = New-Object Amazon.SecurityHub.Model.StringFilter -Property @{Comparison = "EQUALS"; Value = "HIGH"}
      $filterCritical = New-Object Amazon.SecurityHub.Model.StringFilter -Property @{Comparison = "EQUALS"; Value = "CRITICAL"}
      $filter.SeverityLabel = $filterHigh
      $findingsHigh = Get-SHUBFinding -Filter $filter
      $filter.SeverityLabel = $filterCritical
      $findingsCritical = Get-SHUBFinding -Filter $filter
      Write-Host "High Findings Count: $($findingsHigh.Count)"
      Write-Host "Critical Findings Count: $($findingsCritical.Count)"

      Thanks!
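
The single-pass form asked about in the last post, as an added example that is not part of the original thread: each string property of AwsSecurityFindingFilters holds a list of StringFilter objects, Security Hub ORs the values on one property, and it ANDs different properties together. The helper name New-SHUBStringFilterList and the RecordState restriction are assumptions for illustration; the module that provides Get-SHUBFinding must already be loaded with credentials and a region configured.

```powershell
# Hypothetical helper (not part of the AWS module): builds the
# List[StringFilter] a filter property expects, one EQUALS entry per value.
function New-SHUBStringFilterList {
    param([Parameter(Mandatory)][string[]]$Value)

    $list = [System.Collections.Generic.List[Amazon.SecurityHub.Model.StringFilter]]::new()
    foreach ($v in $Value) {
        $f = [Amazon.SecurityHub.Model.StringFilter]::new()
        $f.Comparison = 'EQUALS'
        $f.Value      = $v
        $list.Add($f)
    }
    # Unary comma stops PowerShell from unrolling the list on output.
    return ,$list
}

$filter = [Amazon.SecurityHub.Model.AwsSecurityFindingFilters]::new()

# Values on the same property are ORed: SeverityLabel is HIGH or CRITICAL.
$filter.SeverityLabel = New-SHUBStringFilterList -Value 'HIGH', 'CRITICAL'

# Different properties are ANDed. Assumption: only active records are wanted;
# drop this line to match the thread's two queries exactly.
$filter.RecordState = New-SHUBStringFilterList -Value 'ACTIVE'

# One query instead of two.
$findings = Get-SHUBFinding -Filter $filter

# Per-severity counts from the single result set.
$findings |
    Group-Object { $_.Severity.Label } |
    Sort-Object Name |
    ForEach-Object { Write-Host "$($_.Name) Findings Count: $($_.Count)" }
```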

       
