AWS SecHub Fix for AWS Filter Limitation (demisto#32009)

Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.py

@@ -1,7 +1,8 @@
 import demistomock as demisto  # noqa: F401
 from CommonServerPython import *  # noqa: F401
 import datetime as dt
-from typing import TYPE_CHECKING, Iterator, cast
+from typing import TYPE_CHECKING, cast
+from collections.abc import Iterator
 
 from AWSApiModule import *
 
@@ -87,9 +88,9 @@ def get_events(client: "SecurityHubClient", start_time: dt.datetime | None = Non
         }]
 
     if id_ignore_list:
-        ignore_filters = [{'Value': event_id, 'Comparison': 'NOT_EQUALS'} for event_id in id_ignore_list]
-
-        filters['Id'] = ignore_filters
+        id_ignore_set = set(id_ignore_list)
+    else:
+        id_ignore_set = set()
 
     if filters:
         # We send kwargs because passing Filters=None to get_findings() tries to use a None value for filters,
@@ -107,6 +108,10 @@ def get_events(client: "SecurityHubClient", start_time: dt.datetime | None = Non
 
         response = client.get_findings(**kwargs)
         result = response.get('Findings', [])
+
+        # Filter out events based on id_ignore_set
+        result = [event for event in result if event['Id'] not in id_ignore_set]
+
         count += len(result)
         yield result
 

Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml

@@ -116,7 +116,7 @@ script:
       name: limit
     description: Fetch events from AWS Security Hub.
     name: aws-securityhub-get-events
-  dockerimage: demisto/boto3py3:1.0.0.84082
+  dockerimage: demisto/boto3py3:1.0.0.84645
   isfetchevents: true
   script: '-'
   subtype: python3

Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector_test.py

@@ -16,7 +16,7 @@ def load_test_data(folder: str, file_name: str) -> dict:
     Returns:
         dict: Dictionary data loaded from the json file.
     """
-    with open(Path("test_data") / folder / f"{file_name}.json", "r") as f:
+    with open(Path("test_data") / folder / f"{file_name}.json") as f:
         return json.load(f)
 
 

Packs/AWS-SecurityHub/ReleaseNotes/1_3_26.md

@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### AWS Security Hub Event Collector
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.84645*.
+
+- Fixed an issue where event collection would fail while filtering large amounts of events.
+

Packs/AWS-SecurityHub/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "AWS - Security Hub",
     "description": "Amazon Web Services Security Hub Service.",
     "support": "xsoar",
-    "currentVersion": "1.3.25",
+    "currentVersion": "1.3.26",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",