import lib.main
from lib.helpers import get_logger
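def lambda_handler(event, context):
    """AWS Lambda entry point that runs ``lib.main.main`` for one incoming event.

    Two invocation paths are supported:

    * **Security Hub custom action** — an EventBridge event whose
      ``source`` is ``"aws.securityhub"`` and whose ``detail-type`` is
      ``"Security Hub Findings - Custom Action"``. ``lib.main.main`` is run
      once per selected finding, filtered to that finding's first resource id
      plus ``RecordState=ACTIVE``. ``CUSTOM_OPTIONS`` is not applied on this
      path.
    * **Manual invocation** — any other event. ``lib.main.main`` is run once
      with ``LAMBDA_OPTIONS + ACTIONS + CUSTOM_OPTIONS``.

    Args:
        event: The Lambda event payload. A JSON-object payload arrives as a
            dict; any other value is treated as an empty event.
        context: The Lambda context object (not used).

    Returns:
        Whatever ``lib.main.main`` returns. On the custom-action path with
        exactly one usable finding this is that run's result (the original
        return shape); with several findings it is a list of per-finding
        results in event order; with none it is an empty list — a custom-action
        event carrying no findings no longer triggers an unfiltered run.

    Raises:
        ValueError: if a custom-action event has no ``detail`` object or no
            ``findings`` list.
    """
    logger = get_logger("INFO")

    # Add your custom options here (e.g. Only Critical: ["--sh-filters", "SeverityLabel=CRITICAL"]).
    # Only used if triggering the Lambda manually, not from Security Hub Custom Actions.
    CUSTOM_OPTIONS = []

    # Actions the Lambda will execute; if you don't need actions, keep this list empty.
    # Example, for enriching findings:
    # ACTIONS = [
    #     "--enrich-findings",
    #     "--no-actions-confirmation",
    # ]
    ACTIONS = []

    # These are the minimum options required to run the Lambda, don't change this.
    LAMBDA_OPTIONS = [
        "--output-modes",
        "lambda",
        "--no-banners",
    ]

    # A manual invocation may send any JSON value (or None); only a dict can be
    # inspected, so anything else is treated as an empty manual-invocation event.
    event = event if isinstance(event, dict) else {}
    event_source = event.get("source")
    event_detail_type = event.get("detail-type")
    logger.info("Event Source: %s (%s)", event_source, event_detail_type)

    is_custom_action = (
        event_source == "aws.securityhub"
        and event_detail_type == "Security Hub Findings - Custom Action"
    )
    if not is_custom_action:
        # Manual invocation: a single run with the operator's CUSTOM_OPTIONS appended.
        options = LAMBDA_OPTIONS + ACTIONS + CUSTOM_OPTIONS
        logger.info("Executing with options: %s", options)
        return lib.main.main(options)

    # Security Hub Custom Action: execution by finding. Fail loudly on a
    # malformed event rather than falling through to an unfiltered run.
    event_detail = event.get("detail")
    if not isinstance(event_detail, dict):
        raise ValueError("Security Hub custom action event has no 'detail' object")
    findings = event_detail.get("findings")
    if not isinstance(findings, list):
        raise ValueError("Security Hub custom action event has no 'findings' list")

    # NOTE(review): actionName is only logged — every custom action routed to
    # this function runs the same ACTIONS. Keep the Lambda's invoke permission
    # limited to the intended EventBridge rule(s) so only those actions reach it.
    logger.info("Security Hub Custom Action: %s", event_detail.get("actionName"))

    results = []
    for finding in findings:
        finding_id = finding.get("Id") if isinstance(finding, dict) else None
        logger.info("Security Hub Finding: %s", finding_id)
        resource_id = _first_resource_id(finding)
        if resource_id is None:
            # No resource to scope the run to; skipping is safer than running
            # the configured ACTIONS against everything.
            logger.warning("Finding %s has no resource id, skipping", finding_id)
            continue
        # Build the filter list fresh for each finding. The previous version
        # extended the shared LAMBDA_OPTIONS list inside the loop, so every
        # finding after the first was run with the accumulated filters of all
        # earlier ones. resource_id is copied from the event into its own argv
        # element (no shell involved), so the trust boundary is who may invoke
        # this function, not the string itself.
        # To search by finding id instead: ["--sh-filters", f"Id={finding_id}"]
        sh_filters = ["--sh-filters", f"ResourceId={resource_id}", "RecordState=ACTIVE"]
        options = LAMBDA_OPTIONS + sh_filters + ACTIONS
        logger.info("Executing with options: %s", options)
        results.append(lib.main.main(options))

    # One finding keeps the original single-result return shape; several
    # findings return one result per finding.
    return results[0] if len(results) == 1 else results


def _first_resource_id(finding):
    """Return the ``Id`` of the first entry in ``finding["Resources"]``, or None.

    Tolerates a non-dict finding, a missing or empty ``Resources`` list and a
    non-dict first resource, so one malformed finding cannot abort the batch.
    """
    if not isinstance(finding, dict):
        return None
    resources = finding.get("Resources") or []
    if not resources or not isinstance(resources[0], dict):
        return None
    return resources[0].get("Id")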