I am working on a project which needs to display the identified AWS security threats on a globe. They have specifically asked us to use the Security Hub API to get the threats identified by GuardDuty, Firewall etc. by integrating them into Security Hub. We were able to integrate that part correctly and it's working fine. However, in order to display these security threats on a globe, it is a must to get the latitude and longitude of the location where each one occurred. Even though GuardDuty identifies these locations, they are not returned in the Security Hub API response as they mention.
For example I referred https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html
Here they mention that the response will contain an Action field which contains all the remote IP details. But in my case this field is null for the GuardDuty incident I created. However, as a GuardDuty product field it is returning this data. Just wanted to check whether there's anything I am missing here.
I am expecting to see the following fields in the Security Hub API response for an identified GuardDuty incident:
    "Action": {
        "ActionType": "string",
        "AwsApiCallAction": {
            "AffectedResources": {
                "string" : "string"
            },
            "Api": "string",
            "CallerType": "string",
            "DomainDetails": {
                "Domain": "string"
            },
            "FirstSeen": "string",
            "LastSeen": "string",
            "RemoteIpDetails": {
                "City": {
                    "CityName": "string"
                },
                "Country": {
                    "CountryCode": "string",
                    "CountryName": "string"
                },
                "GeoLocation": {
                    "Lat": number,
                    "Lon": number
                },
                "IpAddressV4": "string",
                "Organization": {
                    "Asn": number,
                    "AsnOrg": "string",
                    "Isp": "string",
                    "Org": "string"
                }
            },
            "ServiceName": "string"
        },
    }
I used the @aws-sdk/client-securityhub npm package to write the program that invokes the Security Hub API.
Following is the JavaScript code I used here.
    const { SecurityHubClient, GetFindingsCommand } = require("@aws-sdk/client-securityhub");

    // Let the SDK's default credential provider chain (environment variables,
    // shared profile, instance/task role) supply credentials rather than
    // hard-coding keys in source; empty accessKeyId/secretAccessKey strings fail.
    const client = new SecurityHubClient({ region: "ap-south-1" });

    const params = {
        /** input parameters */
        Filters: {
            ProductName: [
                { Comparison: "EQUALS", Value: "GuardDuty" }
            ]
        },
        MaxResults: 100 // GetFindings returns at most 100 findings per call
    };

    // GetFindings is paginated: keep calling with NextToken until none is returned.
    async function getAllSecurityHubFindings() {
        const findings = [];
        let nextToken;
        try {
            do {
                const command = new GetFindingsCommand({ ...params, NextToken: nextToken });
                const data = await client.send(command);
                findings.push(...(data.Findings || []));
                nextToken = data.NextToken;
            } while (nextToken);
            console.log(JSON.stringify(findings));
        } catch (error) {
            console.error(error);
        }
        return findings;
    }

    getAllSecurityHubFindings();
It would be highly appreciated if someone could help me resolve this issue.
Thanks in advance
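The post above describes two places a GuardDuty remote-IP geolocation can land in an ASFF finding: the typed `Action` object (which was null here) and the flattened `ProductFields` map (which did carry the data). The following is an added example, not code from the original post, that extracts globe points from a finding by checking `Action` first and falling back to `ProductFields`. The `ProductFields` key paths are an assumption: the code only relies on keys ending in `remoteIpDetails/geoLocation/lat` and `/lon` (matched by regex, not by an exact path), and the sample findings are constructed for the example.

```javascript
// Added example (not from the original post). Extracts latitude/longitude
// for a globe from a Security Hub (ASFF) finding, handling the case where
// the typed `Action` field is null but GuardDuty's `ProductFields` has the data.

// Gather every RemoteIpDetails object reachable from the typed ASFF Action object
// (AwsApiCallAction, NetworkConnectionAction, PortProbeAction.PortProbeDetails[]).
function remoteIpDetailsFromAction(action) {
  if (!action) return [];
  const out = [];
  for (const key of ["AwsApiCallAction", "NetworkConnectionAction"]) {
    if (action[key] && action[key].RemoteIpDetails) out.push(action[key].RemoteIpDetails);
  }
  const probes = action.PortProbeAction && action.PortProbeAction.PortProbeDetails;
  if (Array.isArray(probes)) {
    for (const d of probes) if (d.RemoteIpDetails) out.push(d.RemoteIpDetails);
  }
  return out;
}

// Reject values that are not a plausible WGS84 coordinate before they reach the globe.
function validPoint(lat, lon) {
  return Number.isFinite(lat) && Number.isFinite(lon) &&
    lat >= -90 && lat <= 90 && lon >= -180 && lon <= 180;
}

// Fallback: scan the flattened ProductFields map for any key path ending in
// remoteIpDetails/geoLocation/lat or /lon (exact prefix is assumed, hence the regex).
function geoFromProductFields(productFields) {
  if (!productFields) return [];
  const byPrefix = new Map();
  for (const [key, value] of Object.entries(productFields)) {
    const m = key.match(/^(.*remoteIpDetails)\/geoLocation\/(lat|lon)$/i);
    if (!m) continue;
    const entry = byPrefix.get(m[1]) || {};
    entry[m[2].toLowerCase()] = Number(value);
    byPrefix.set(m[1], entry);
  }
  const points = [];
  for (const [prefix, entry] of byPrefix) {
    if (!validPoint(entry.lat, entry.lon)) continue;
    points.push({
      lat: entry.lat,
      lon: entry.lon,
      ip: productFields[`${prefix}/ipAddressV4`] || null,
      source: "ProductFields",
    });
  }
  return points;
}

// Returns [{lat, lon, ip, source}] for one finding; empty array if no location is present.
function geoPointsFromFinding(finding) {
  const fromAction = remoteIpDetailsFromAction(finding.Action)
    .filter((r) => r.GeoLocation && validPoint(r.GeoLocation.Lat, r.GeoLocation.Lon))
    .map((r) => ({ lat: r.GeoLocation.Lat, lon: r.GeoLocation.Lon,
                   ip: r.IpAddressV4 || null, source: "Action" }));
  return fromAction.length ? fromAction : geoFromProductFields(finding.ProductFields);
}

// Flatten a GetFindings result (data.Findings) into globe markers tagged with the finding Id.
function toGlobeMarkers(findings) {
  const markers = [];
  for (const f of findings) {
    for (const p of geoPointsFromFinding(f)) markers.push({ id: f.Id, ...p });
  }
  return markers;
}

// Constructed sample findings (not real data); key paths in ProductFields are assumed.
const SAMPLE_FINDINGS = [
  { Id: "f-1", Action: null, ProductFields: {
      "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "48.8566",
      "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "2.3522",
      "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "198.51.100.7" } },
  { Id: "f-2", Action: { ActionType: "AWS_API_CALL", AwsApiCallAction: {
      RemoteIpDetails: { GeoLocation: { Lat: 35.6895, Lon: 139.6917 }, IpAddressV4: "203.0.113.9" } } },
    ProductFields: {} },
  { Id: "f-3", Action: null, ProductFields: { "aws/guardduty/service/action/actionType": "PORT_PROBE" } },
  { Id: "f-4", Action: null, ProductFields: {
      "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "999",
      "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "0" } },
];

console.log(JSON.stringify(toGlobeMarkers(SAMPLE_FINDINGS)));
```

In the real pipeline, pass `data.Findings` from each `GetFindingsCommand` page into `toGlobeMarkers`; findings with neither a populated `Action` nor geolocation product fields (the `f-3` and out-of-range `f-4` cases above) simply produce no marker rather than a bogus point at 0,0.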