From f8ad2959e9e1023faa80c686ad739b71bea0f9b5 Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Thu, 11 Jan 2024 20:46:16 +0200
Subject: [PATCH] AWS SecHub Fix for AWS Filter Limitation (#32009)
---
 .../AWSSecurityHubEventCollector.py | 13 +++++++++----
 .../AWSSecurityHubEventCollector.yml | 2 +-
 .../AWSSecurityHubEventCollector_test.py | 2 +-
 Packs/AWS-SecurityHub/ReleaseNotes/1_3_26.md | 8 ++++++++
 Packs/AWS-SecurityHub/pack_metadata.json | 2 +-
 5 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 Packs/AWS-SecurityHub/ReleaseNotes/1_3_26.md
diff --git a/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.py b/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.py
index bc4a732b7ae..09b6361f95e 100644
--- a/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.py
+++ b/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.py
@@ -1,7 +1,8 @@
 import demistomock as demisto # noqa: F401
 from CommonServerPython import * # noqa: F401
 import datetime as dt
-from typing import TYPE_CHECKING, Iterator, cast
+from typing import TYPE_CHECKING, cast
+from collections.abc import Iterator
 from AWSApiModule import *
@@ -87,9 +88,9 @@ def get_events(client: "SecurityHubClient", start_time: dt.datetime | None = Non
 }]
 if id_ignore_list:
- ignore_filters = [{'Value': event_id, 'Comparison': 'NOT_EQUALS'} for event_id in id_ignore_list]
-
- filters['Id'] = ignore_filters
+ id_ignore_set = set(id_ignore_list)
+ else:
+ id_ignore_set = set()
 if filters:
 # We send kwargs because passing Filters=None to get_findings() tries to use a None value for filters,
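Review bot: The new `if id_ignore_list:` branch swaps the server-side `Id` NOT_EQUALS filters for a local set but leaves no trace of why, so a later reader may well reinstate the per-ID filter this commit removes; a comment at the assignment would keep the rationale with the code, e.g. `# Ignored IDs are matched client-side after fetching; sending one NOT_EQUALS filter per ID caused get_findings() to fail for large ignore lists (see 1_3_26 release notes).` The `else: id_ignore_set = set()` arm can also fold into the single line `id_ignore_set = set(id_ignore_list or ())`, which preserves the falsy-input behaviour with one assignment instead of two. `get_events` continues outside this hunk.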
@@ -107,6 +108,10 @@ def get_events(client: "SecurityHubClient", start_time: dt.datetime | None = Non
 response = client.get_findings(**kwargs)
 result = response.get('Findings', [])
+
+ # Filter out events based on id_ignore_set
+ result = [event for event in result if event['Id'] not in id_ignore_set]
+
 count += len(result)
 yield result
diff --git a/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml b/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml
index 17921ff014d..74df1e531ed 100644
--- a/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml
+++ b/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml
@@ -116,7 +116,7 @@ script:
 name: limit
 description: Fetch events from AWS Security Hub.
 name: aws-securityhub-get-events
- dockerimage: demisto/boto3py3:1.0.0.84082
+ dockerimage: demisto/boto3py3:1.0.0.84645
 isfetchevents: true
 script: '-'
 subtype: python3
diff --git a/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector_test.py b/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector_test.py
index 1b3d51c1147..1e8b2a2bbf7 100644
--- a/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector_test.py
+++ b/Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector_test.py
@@ -16,7 +16,7 @@ def load_test_data(folder: str, file_name: str) -> dict:
 Returns:
 dict: Dictionary data loaded from the json file.
 """
- with open(Path("test_data") / folder / f"{file_name}.json", "r") as f:
+ with open(Path("test_data") / folder / f"{file_name}.json") as f:
 return json.load(f)
diff --git a/Packs/AWS-SecurityHub/ReleaseNotes/1_3_26.md b/Packs/AWS-SecurityHub/ReleaseNotes/1_3_26.md
new file mode 100644
index 00000000000..a3a013b1c5a
--- /dev/null
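Review bot: The client-side filter on `result` means a page whose findings are all in `id_ignore_set` now yields `[]` and leaves `count` unchanged, a case the old server-side `Id` filter never produced; if the loop around `yield result` (outside this hunk) or the consumer of the generator treats an empty page as the end of the results, paging will stop before the remaining findings are fetched, so that termination condition should be checked against `NextToken` rather than page length. It is also worth recording that the requested page size is now only an upper bound, for example `# Pages can be shorter than the requested MaxResults once ignored IDs are dropped; keep paging while NextToken is returned.` `event['Id']` is acceptable since every Security Hub finding carries an Id, though `event.get('Id')` would avoid a KeyError on a malformed record.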
+++ b/Packs/AWS-SecurityHub/ReleaseNotes/1_3_26.md
@@ -0,0 +1,8 @@
+
+#### Integrations
+
+##### AWS Security Hub Event Collector
+- Updated the Docker image to: *demisto/boto3py3:1.0.0.84645*.
+
+- Fixed an issue where event collection would fail while filtering large amounts of events.
+
diff --git a/Packs/AWS-SecurityHub/pack_metadata.json b/Packs/AWS-SecurityHub/pack_metadata.json
index 9705e0b7137..2523e822f66 100644
--- a/Packs/AWS-SecurityHub/pack_metadata.json
+++ b/Packs/AWS-SecurityHub/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "AWS - Security Hub",
 "description": "Amazon Web Services Security Hub Service.",
 "support": "xsoar",
- "currentVersion": "1.3.25",
+ "currentVersion": "1.3.26",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",