Use Security Hub’s new Finding History feature to learn more about security finding changes.
<p>In today’s changing security threat landscape, security teams need tools to find and track security findings in order to safeguard the assets of their organizations. Finding and addressing security findings quickly and effectively is one goal of cloud security posture management. AWS Security Hub gathers, organizes, and prioritizes security alerts, or findings, from several AWS services and supported security solutions.</p>
<p>As the volume of findings increases, tracking the changes and actions that have been taken on each finding becomes more difficult, as well as more important to perform timely and effective investigations. In this post, we will show you how to use the new Finding History feature in Security Hub to track and understand the history of a security finding.</p> <p>Updates to findings occur when finding providers update certain fields, such as resource details, by using the <span>BatchImportFindings</span> API. You, as a user, can update certain fields, such as workflow status, in the <a href="https://aws.amazon.com/console/" target="_blank" rel="noopener">AWS Management Console</a> or through the <span>BatchUpdateFindings</span> API. Ticketing, incident management, security information and event management (SIEM), and automatic remediation solutions can also use the <span>BatchUpdateFindings</span> API to update findings. This new capability highlights these various changes and when they occurred so that you don’t need to investigate this yourself.</p> <h2>Finding History</h2> <p>The new Finding History feature in Security Hub helps you understand the state of a finding by providing an immutable history of changes within the finding details. By using this feature, you can track the history of each finding, including the before and after values of the fields that were changed, who or what made the changes, and when the changes were made. This simplifies how you operate on a finding by giving you visibility into the changes made to a finding over time, alongside the rest of the finding details, which removes the need for separate tooling or additional processes. This feature is available at no additional cost in AWS Regions where Security Hub is available, and appears by default for new or updated findings. 
Finding History is also available through the Security Hub APIs.</p> <p>To try out this new feature, open the <a href="https://console.aws.amazon.com/securityhub" target="_blank" rel="noopener">Security Hub console</a>, select a finding, and choose the <strong>History </strong>tab. There you will see a chronological list of changes that have been made to the finding. The transparency of the finding history helps you quickly assess the status of the finding, understand actions already taken, and take the necessary actions to mitigate risk. For example, upon resolving a finding, you can add a note to the finding to indicate why you resolved it. Both the resolved status and note will appear in the history.</p> <p>In the following example, the finding was updated and then resolved with an explanatory note left by the person that reviewed the finding. With Finding History, you can see the previous updates and events in the finding’s <strong>History</strong> tab. </p> <div id="attachment_29372" class="wp-caption left"> <img aria-describedby="caption-attachment-29372" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img1-1.png" alt="Figure 1: Finding History shows recent updates to the finding" width="570" class="size-full wp-image-29372"> <p id="caption-attachment-29372" class="wp-caption-text">Figure 1: Finding History shows recent updates to the finding</p> </div> <p>In addition, you can still view the current state of the finding in its <strong>Details</strong> tab.</p> <div id="attachment_29381" class="wp-caption left"> <img aria-describedby="caption-attachment-29381" src="https://www.infracom.com.sg/wp-content/uploads/2023/05/img2_v2.png" alt="Figure 2: Finding Details shows the record of a security check or security-related detection" width="720" class="size-full wp-image-29381"> <p id="caption-attachment-29381" class="wp-caption-text">Figure 2: Finding Details shows the record of a security check or security-related detection</p> </div> 
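<p>The same history can be read programmatically through the Security Hub <span>GetFindingHistory</span> API. The following Python sketch is an added example, not code from the original post: it pages through the history of one finding with boto3, flattens it into a timeline, and lists updates that resolved the finding without leaving a note. The sample records, identities, and the field names <span>Workflow.Status</span>, <span>Note.Text</span>, and <span>Severity.Label</span> are constructed assumptions; check them against the records returned in your account.</p>

```python
# Added example. Sample data is constructed; UpdatedField names are assumptions.
def _rec(time, source, who, *updates):  # build one constructed history record
    return {"UpdateTime": time, "UpdateSource": {"Type": source, "Identity": who},
            "Updates": [{"UpdatedField": f, "OldValue": o, "NewValue": n} for f, o, n in updates]}

SAMPLE_RECORDS = [  # shaped like the "Records" list of GetFindingHistory, newest first
    _rec("2023-05-04T08:00:00Z", "BATCH_UPDATE_FINDINGS", "constructed-analyst-a",
         ("Workflow.Status", "NEW", "RESOLVED"), ("Note.Text", "", "Bucket policy fixed")),
    _rec("2023-05-03T10:30:00Z", "BATCH_UPDATE_FINDINGS", "constructed-analyst-a",
         ("Workflow.Status", "RESOLVED", "NEW"), ("Note.Text", "", "Reopened, fix not verified")),
    _rec("2023-05-02T14:05:00Z", "BATCH_UPDATE_FINDINGS", "constructed-automation",
         ("Workflow.Status", "NEW", "RESOLVED")),
    _rec("2023-05-01T09:00:00Z", "BATCH_IMPORT_FINDINGS", "constructed-provider",
         ("Severity.Label", "LOW", "HIGH")),
]

def fetch_history(finding_id, product_arn, client=None):
    """Page through GetFindingHistory for one finding (needs boto3 and AWS credentials)."""
    if client is None:
        import boto3
        client = boto3.client("securityhub")
    kwargs = {"FindingIdentifier": {"Id": finding_id, "ProductArn": product_arn}}
    records = []
    while True:
        page = client.get_finding_history(**kwargs)
        records.extend(page.get("Records", []))
        if not page.get("NextToken"):
            return records
        kwargs["NextToken"] = page["NextToken"]

def timeline(records):
    """Flatten records into (time, source, identity, field, old, new) rows, oldest first."""
    rows = []
    for rec in sorted(records, key=lambda r: str(r["UpdateTime"])):
        src = rec.get("UpdateSource", {})
        for upd in rec.get("Updates", []):
            rows.append((str(rec["UpdateTime"]), src.get("Type"), src.get("Identity"),
                         upd["UpdatedField"], upd.get("OldValue"), upd.get("NewValue")))
    return rows

def resolved_without_note(records, status_field="Workflow.Status", note_field="Note.Text"):
    """Return (time, identity) for updates that set RESOLVED with no note in the same update."""
    hits = []
    for rec in records:
        fields = {u["UpdatedField"]: u.get("NewValue") for u in rec.get("Updates", [])}
        if fields.get(status_field) == "RESOLVED" and not fields.get(note_field):
            hits.append((str(rec["UpdateTime"]), rec.get("UpdateSource", {}).get("Identity")))
    return hits
```

<p>Run <span>timeline(SAMPLE_RECORDS)</span> offline to see the output shape, or pass the result of <span>fetch_history</span> for a real finding ID and product ARN.</p>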
<h2>Conclusion</h2> <p>With the new Finding History feature in Security Hub, you have greater visibility into the activity and updates on each finding, allowing for more efficient investigation and response to potential security risks. Next time that you start work to investigate and respond to a security finding in Security Hub, begin by checking the finding history.</p>