
Commit e2c9dfa

Merge pull request #2 from cruxstack/dev
fix: update eventbridge filter for securityhub v2 events
2 parents e2f5650 + 26da4ca commit e2c9dfa

3 files changed

Lines changed: 35 additions & 11 deletions


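--- a/README.md
+++ b/README.md
@@ -72,28 +72,32 @@ cd dist && zip deployment.zip bootstrap && cd ..
 ```json
 {
 "source": ["aws.securityhub"],
-"detail-type": ["Security Hub Findings - Imported"]
+"detail-type": ["Findings Imported V2"]
 }
 ```
 Optional: Filter by severity (recommended for high-volume environments):
 ```json
 {
 "source": ["aws.securityhub"],
-"detail-type": ["Security Hub Findings - Imported"],
+"detail-type": ["Findings Imported V2"],
 "detail": {
-"severity": ["Critical", "High"]
+"findings": {
+"severity": ["Critical", "High"]
+}
 }
 }
 ```
 Or filter by specific source services:
 ```json
 {
 "source": ["aws.securityhub"],
-"detail-type": ["Security Hub Findings - Imported"],
+"detail-type": ["Findings Imported V2"],
 "detail": {
-"metadata": {
-"product": {
-"name": ["GuardDuty", "Inspector"]
+"findings": {
+"metadata": {
+"product": {
+"name": ["GuardDuty", "Inspector"]
+}
 }
 }
 }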

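--- a/cmd/sample/main.go
+++ b/cmd/sample/main.go
@@ -38,14 +38,22 @@ func main() {
 }
 
 for i, finding := range findings {
+detail := map[string]interface{}{
+"findings": []json.RawMessage{finding},
+}
+detailBytes, err := json.Marshal(detail)
+if err != nil {
+log.Fatalf("marshal detail: %v", err)
+}
+
 evt := awsevents.CloudWatchEvent{
 Version: "0",
 ID: fmt.Sprintf("sample-%d", i),
-DetailType: "Security Hub Findings - Imported",
+DetailType: "Findings Imported V2",
 Source: "aws.securityhub",
 AccountID: "123456789012",
 Region: "us-east-1",
-Detail: finding,
+Detail: detailBytes,
 }
 
 if err := a.Process(evt); err != nil {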
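Review bot: The V2 envelope at new lines 41–43 is built from an ad-hoc `map[string]interface{}` with the `"findings"` key spelled out as a string literal, while the same commit introduces `EventDetail` in internal/app/app.go for exactly this shape, so the sample payload and the parser can drift independently. Assuming main.go already imports the internal/app package (it calls `a.Process`), `detail := app.EventDetail{Findings: []json.RawMessage{finding}}` keeps a single definition of the payload; use whatever name the file imports that package under. If the map form is kept, `any` reads better than `interface{}` in current Go. This file's diffstat shows no import changes, so `encoding/json` and `log` are presumably already imported above the hunk; worth confirming. The enclosing `for` loop and `main` continue past the hunk.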

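--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -1,6 +1,7 @@
 package app
 
 import (
+"encoding/json"
 "fmt"
 
 awsEvent "github.com/aws/aws-lambda-go/events"
@@ -20,10 +21,21 @@ func New(cfg *Config) *App {
 }
 }
 
+type EventDetail struct {
+Findings []json.RawMessage `json:"findings"`
+}
+
 func (a *App) ParseEvent(e awsEvent.CloudWatchEvent) (events.SecurityHubEvent, error) {
 switch e.DetailType {
-case "Security Hub Findings - Imported":
-return events.NewSecurityHubFinding(e.Detail)
+case "Findings Imported V2":
+var detail EventDetail
+if err := json.Unmarshal(e.Detail, &detail); err != nil {
+return nil, fmt.Errorf("failed to unmarshal event detail: %w", err)
+}
+if len(detail.Findings) == 0 {
+return nil, fmt.Errorf("no findings in event")
+}
+return events.NewSecurityHubFinding(detail.Findings[0])
 default:
 return nil, fmt.Errorf("unknown cloudwatch event type: %s", e.DetailType)
 }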
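Review bot: `ParseEvent` at new lines 35–38 returns only `detail.Findings[0]` and silently discards any further entries, even though the `Findings` field it declares is a slice and so can carry more than one finding per event; a batched event would lose every finding but the first with no log line or error to show it. Since the method's return type admits a single finding, the minimal change is to make the truncation visible — a doc comment on the type such as `// EventDetail is the detail payload of a "Findings Imported V2" event; ParseEvent currently consumes only the first entry of Findings.`, or a returned/logged error when `len(detail.Findings) > 1` — with a follow-up for the caller to iterate over all entries. The exported `EventDetail` type at new lines 24–26 also lacks the doc comment Go convention calls for, and `fmt.Errorf("no findings in event")` with no verbs would normally be `errors.New`. The method's closing brace lies outside the hunk.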
