Fetch Security Hub findings and write them to a CSV file
require 'aws-sdk-securityhub'
require 'csv'
require 'pry'
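# Named profile from ~/.aws/config (or ~/.aws/credentials) used for the
# Security Hub calls below. The SDK's own AWS_PROFILE variable is honoured
# first so the script can be run against several accounts without editing
# it; the literal is only a placeholder and must be replaced if no
# environment variable is set.
aws_profile_name = ENV.fetch('AWS_PROFILE', 'your profile name that you want to use on this script')
client = Aws::SecurityHub::Client.new(profile: aws_profile_name)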
# GetFindings filter: only findings that are still open (workflow status NEW)
# and current (record state ACTIVE). Every string filter has the same
# {value:, comparison:} shape, so a small builder keeps the hash readable.
#
# Other filters that follow the same shape and can be added here:
#   id: equals.("xxxxxxxxxxxxxxxxxxx"),
#   type: equals.("Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"),
#   severity_label: equals.("CRITICAL"),
equals = ->(value) { [{ value: value, comparison: "EQUALS" }] }
filters = {
  workflow_status: equals.("NEW"),
  record_state: equals.("ACTIVE"),
}
# Oldest findings first, so the resulting CSV reads chronologically.
sort_criteria = [{ field: "CreatedAt", sort_order: "asc" }]
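# https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecurityHub/Client.html#get_findings-instance_method
# Page through every finding that matches the filters. The first request
# carries no next_token (compact drops the nil); each later request passes
# the token from the previous page. 100 is the largest page size
# GetFindings accepts. Rows are appended in place rather than rebuilding
# the array on every page.
request = { filters: filters, sort_criteria: sort_criteria, max_results: 100 }
findings = []
next_token = nil
loop do
  response = client.get_findings(request.merge(next_token: next_token).compact)
  findings.concat(response.findings)
  break unless response.next_page?

  next_token = response.next_token
end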
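# binding.pry   # uncomment to inspect `findings` interactively (pry is required above)
# Flatten each finding into one CSV row. remediation, severity and
# product_fields are optional in the finding format, and types/resources may
# be absent too, so they are reached with `&.` / Array(): a missing value
# becomes an empty cell instead of raising NoMethodError part-way through
# the export.
records = findings.map do |f|
  recommendation = f.remediation&.recommendation
  [
    f.id,
    f.region,
    f.aws_account_id,
    f.product_fields&.dig('StandardsArn'),
    Array(f.types).join(","),
    f.title,
    f.severity&.label,
    f.description,
    recommendation&.text,
    recommendation&.url,
    Array(f.resources).map(&:id).join("\n"),
  ]
end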
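# write in csv
# Every cell goes through `spreadsheet_safe` first. Titles, descriptions,
# remediation text and resource ids are taken verbatim from the findings
# (and resource ids embed whatever name the resource owner chose), and a
# cell starting with = + - @ or a tab/CR is evaluated as a formula when the
# file is opened in a spreadsheet (CSV injection). A leading apostrophe
# forces such a cell to be read as plain text; other cells are untouched.
spreadsheet_safe = lambda do |cell|
  text = cell.to_s
  text.match?(/\A[=+\-@\t\r]/) ? "'#{text}" : cell
end
filename = "securityhub-findings-#{Time.now.strftime("%Y-%m-%d-%H-%M")}.csv"
headers = %w[id region account_id standards_arn type title severity description remediation_text remediation_url resources]
CSV.open(filename, 'w') do |csv|
  csv << headers
  records.each { |row| csv << row.map(&spreadsheet_safe) }
end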