Discover Changes in Security Findings with the New Finding History Feature in Security Hub


As the security landscape continues to evolve, security teams are increasingly in need of tools that enable them to detect and monitor security findings effectively. A core goal of cloud security posture management is to swiftly identify and address security findings. AWS Security Hub plays a crucial role by aggregating, organizing, and prioritizing security alerts and findings from a variety of AWS services, as well as security solutions from the AWS Partner Network.

With the growing volume of findings, it becomes more challenging—and critical—to track the changes and actions taken regarding each finding to facilitate timely investigations. In this post, we will explore how you can leverage the new Finding History feature in Security Hub to monitor and comprehend the evolution of a security finding.

Updates to findings occur when finding providers modify fields such as resource details using the BatchImportFindings API. Users can update fields such as workflow status through the AWS Management Console or via the BatchUpdateFindings API. Ticketing, incident management, SIEM, and automated remediation solutions can also use the BatchUpdateFindings API to make updates. Finding History records each of these changes together with its timestamp, so you no longer have to reconstruct them manually.

Finding History

The newly introduced Finding History feature in Security Hub provides an immutable history of changes within finding details, helping you comprehend the status of a finding. This feature allows you to track the history of each finding, including the previous and updated values of altered fields, who or what made those changes, and when they occurred. This transparency simplifies operations on findings by offering insights into the changes made over time, along with the finding details, eliminating the necessity for separate tools or additional processes. This feature incurs no extra cost in AWS Regions where Security Hub is active and is automatically available for new or updated findings. Finding History can also be accessed through Security Hub APIs.

To explore this feature, sign in to the Security Hub console, select a finding, and choose the History tab. Here you will find a chronological list of the changes made to the finding. This transparency lets you quickly assess the state of the finding, understand the actions already taken, and decide what still needs to be done to mitigate the risk. For instance, when resolving a finding you can leave a note explaining why you resolved it; both the resolved status and the note are recorded in the history.
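The same workflow from the API side, as an added example that is not part of the original post: one BatchUpdateFindings call that resolves a finding and attaches the justification note, a pager over GetFindingHistory, and a summary that flags RESOLVED transitions with no accompanying note (a useful review check for automated resolvers). The `client` parameter is assumed to be a boto3 Security Hub client; the sample records are constructed to follow the GetFindingHistory response shape, with made-up identities and times.

```python
from datetime import datetime, timezone


def resolve_with_note(client, finding_id, product_arn, note_text, author):
    """Resolve one finding and attach a note in the same update, so the
    History tab shows the status change and its justification together.
    client is assumed to be boto3.client('securityhub')."""
    return client.batch_update_findings(
        FindingIdentifiers=[{"Id": finding_id, "ProductArn": product_arn}],
        Workflow={"Status": "RESOLVED"},
        Note={"Text": note_text, "UpdatedBy": author},
    )


def fetch_history(client, finding_id, product_arn):
    """Page through GetFindingHistory and return every record, oldest first."""
    records, token = [], None
    while True:
        kwargs = {"FindingIdentifier": {"Id": finding_id, "ProductArn": product_arn}}
        if token:
            kwargs["NextToken"] = token
        page = client.get_finding_history(**kwargs)
        records.extend(page.get("Records", []))
        token = page.get("NextToken")
        if not token:
            return sorted(records, key=lambda r: r["UpdateTime"])


def summarize_history(records):
    """Flatten history records into (time, identity, field, old, new) rows and
    collect the times of RESOLVED transitions that carried no Note.Text change."""
    rows, unexplained = [], []
    for rec in sorted(records, key=lambda r: r["UpdateTime"]):
        identity = rec["UpdateSource"]["Identity"]
        updates = {u["UpdatedField"]: u for u in rec.get("Updates", [])}
        for field, u in updates.items():
            rows.append((rec["UpdateTime"], identity, field, u.get("OldValue"), u.get("NewValue")))
        status = updates.get("Workflow.Status")
        if status and status.get("NewValue") == "RESOLVED" and "Note.Text" not in updates:
            unexplained.append(rec["UpdateTime"])
    return rows, unexplained


# Constructed sample: created by a provider import, triaged with a note by an
# analyst, then resolved by an automation role that left no note.
T = lambda d, h: datetime(2023, 6, d, h, 0, tzinfo=timezone.utc)  # noqa: E731
SAMPLE_RECORDS = [
    {"UpdateTime": T(1, 10), "FindingCreated": True, "Updates": [],
     "UpdateSource": {"Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/example/provider"}},
    {"UpdateTime": T(2, 9), "FindingCreated": False,
     "UpdateSource": {"Type": "BATCH_UPDATE_FINDINGS", "Identity": "arn:aws:iam::111122223333:user/analyst"},
     "Updates": [{"UpdatedField": "Workflow.Status", "OldValue": "NEW", "NewValue": "NOTIFIED"},
                 {"UpdatedField": "Note.Text", "OldValue": None, "NewValue": "Owner contacted"}]},
    {"UpdateTime": T(3, 8), "FindingCreated": False,
     "UpdateSource": {"Type": "BATCH_UPDATE_FINDINGS", "Identity": "arn:aws:iam::111122223333:role/auto-remediate"},
     "Updates": [{"UpdatedField": "Workflow.Status", "OldValue": "NOTIFIED", "NewValue": "RESOLVED"}]},
]
```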

In the illustration below, a finding was updated and subsequently resolved, with a note left by the reviewer. Through Finding History, you can see the previous updates and events in the finding’s History tab.

Figure 1: Finding History displays recent updates to the finding

Moreover, the current state of the finding can still be viewed in its Details tab.

Figure 2: Finding Details displays the record of a security check or detection

Conclusion

The Finding History feature in Security Hub improves visibility into the activity and updates associated with each finding, enabling faster investigation of and response to potential security threats. The next time you set out to investigate and respond to a security finding in Security Hub, start by checking the finding history.
