We are getting GuardDuty findings from AWS Security Hub using a filter like this:
aws securityhub get-findings --filters '{"ProductName":[{"Value":"GuardDuty","Comparison":"EQUALS"}]}'
When we import those findings for the first time, they show as active, but when we reimport they are all gone from the active state.
The reason seems to be an issue in the Security Hub parser: it only parses the original Security Hub findings and not those from other tools like GuardDuty.
curl --location --request POST 'DOMAIN/api/v2/import-scan/' \
--header 'Authorization: Token TOKEN' \
--form 'verified="true"' \
--form 'active="true"' \
--form 'scan_type="AWS Security Hub Scan"' \
--form 'minimum_severity="High"' \
--form 'product_type_name="AWS"' \
--form 'product_name="guardduty"' \
--form 'deduplication_on_engagement="True"' \
--form 'engagement_name="Automated guardduty Scan"' \
--form 'auto_create_context="True"' \
--form 'file=@"guardduty-all.json"'
Re-import for GuardDuty:
curl --location --request POST 'DOMAIN/api/v2/reimport-scan/' \
--header 'Authorization: Token TOKEN' \
--form 'verified="true"' \
--form 'active="true"' \
--form 'scan_type="AWS Security Hub Scan"' \
--form 'minimum_severity="High"' \
--form 'product_type_name="AWS"' \
--form 'product_name="guardduty"' \
--form 'deduplication_on_engagement="True"' \
--form 'engagement_name="Automated guardduty Scan"' \
--form 'auto_create_context="True"' \
--form 'close_old_findings="False"' \
--form 'do_not_reactivate="True"' \
--form 'file=@"guardduty-all.json"'
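Before attributing the deactivation to the parser, it is worth checking whether the two exports fed to import and reimport actually carry the same GuardDuty finding Ids and RecordStates. The following Python is an added example, not code from the issue author or from DefectDojo; it assumes only the `Findings` / `Id` / `ProductName` / `RecordState` layout of `aws securityhub get-findings` output and uses constructed sample records.

```python
import json

# Constructed sample exports in the shape `aws securityhub get-findings` returns
# (a top-level "Findings" list of ASFF records); Ids and titles are made up.
FIRST_EXPORT = json.dumps({"Findings": [
    {"Id": "arn:aws:guardduty:us-east-1:111111111111:detector/d1/finding/f1",
     "ProductName": "GuardDuty", "RecordState": "ACTIVE", "Title": "constructed finding 1"},
    {"Id": "arn:aws:guardduty:us-east-1:111111111111:detector/d1/finding/f2",
     "ProductName": "GuardDuty", "RecordState": "ACTIVE", "Title": "constructed finding 2"},
    {"Id": "arn:aws:securityhub:us-east-1:111111111111:subscription/x/finding/s1",
     "ProductName": "Security Hub", "RecordState": "ACTIVE", "Title": "non-GuardDuty, ignored"},
]})
SECOND_EXPORT = json.dumps({"Findings": [
    {"Id": "arn:aws:guardduty:us-east-1:111111111111:detector/d1/finding/f1",
     "ProductName": "GuardDuty", "RecordState": "ARCHIVED", "Title": "constructed finding 1"},
    {"Id": "arn:aws:guardduty:us-east-1:111111111111:detector/d1/finding/f3",
     "ProductName": "GuardDuty", "RecordState": "ACTIVE", "Title": "constructed finding 3"},
]})


def load_guardduty_findings(export_text):
    """Parse a get-findings export and index its GuardDuty records by ASFF Id."""
    findings = json.loads(export_text).get("Findings", [])
    return {f["Id"]: f for f in findings if f.get("ProductName") == "GuardDuty"}


def diff_exports(first_text, second_text):
    """Compare two exports by Id and RecordState.

    Reports which Ids persist, which are new, which vanished, and which persist
    but flipped to ARCHIVED (Security Hub's own "closed" state), so a finding
    that reimport deactivates can be matched against what the export says.
    """
    first = load_guardduty_findings(first_text)
    second = load_guardduty_findings(second_text)
    common = sorted(set(first) & set(second))
    return {
        "common": common,
        "new": sorted(set(second) - set(first)),
        "missing": sorted(set(first) - set(second)),
        "archived_in_second": [i for i in common if second[i].get("RecordState") == "ARCHIVED"],
        "active_in_second": sum(1 for f in second.values() if f.get("RecordState") == "ACTIVE"),
    }


if __name__ == "__main__":
    print(json.dumps(diff_exports(FIRST_EXPORT, SECOND_EXPORT), indent=2))
```

Run it against the real first export and the later `guardduty-all.json`: if every Id is still present and ACTIVE in the second file while DefectDojo deactivates them, the export data is not the cause.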