AWS SecurityHub: AwsSecurityFindingFilters

Hey All,

I’ve hit a wall trying to use the AWS SecurityHub cmdlet Get-SHUBFinding. I’m trying to apply the filter option (AWSSecurityFindingsFilter) but cannot figure out how to form it. For example, if I wanted to filter the SeverityLabel value(s) to Critical and High…how?

eg - Get-SHUBFinding -Filter <What-Does-This-Look-Like>

By default, the query returns everything, which is currently over 100k records and is heavier than I need to sift through. I’ve reviewed the documentation and scoured the web, but cannot find a single practical example of how to use this. I’ve even resorted to the Contact Owners link in the PowerShell Gallery but received no response.

Can anyone provide a practical example on how to use the Filter option?

Thank you in advance,

Rick

Wow it’s ridiculous I cannot find one example so far. So much documentation talking about the filters, but not an example? Give this a try.

Get-SHUBFinding -Filter "SeverityLabel -eq 'Critical'"

If that works, then maybe this will too

Get-SHUBFinding -filter "SeverityLabel -eq 'Critical' -and SeverityLabel -eq 'High'"

My next attempt would be a filter hashtable

Get-SHUBFinding -Filter @{Severity='Critical'}

But I’m just making uneducated guesses. Unfortunately I don’t have an environment like this to test in.

Also check out these argument completers, maybe they can help.
https://www.powershellgallery.com/packages/AWS.Tools.SecurityHub/4.0.0.0/Content/AWS.Tools.SecurityHub.Completers.psm1
https://www.powershellgallery.com/packages/AWSPowerShell.NetCore/3.3.563.1/Content/AWSPowerShellCompleters.psm1

Thanks for the response!

I tried the string-based approach when I first started playing with this and it simply errors out with type conversion errors. (eg - cannot convert value of type “System.String” to type “Amazon.SecurityHub.Model.AwsSecurityFindingFilters”). I’ve seen those completer pages in my journey but, likely due to my lower level of PowerShell experience, still wasn’t able to determine what it wants.

I have been able to init an object of the “correct” type that executes without error, but haven’t been able to figure out what it wants in the object.

$x = New-Object Amazon.SecurityHub.Model.AwsSecurityFindingFilters
$findings = Get-SHUBFinding -Filter $x
The var $x does have auto-complete attributes (VSCode), but nothing I try to assign to it compiles.
Ugh.

Update - I made enough progress to at least get me over the hump. I’m sure there is a more streamlined way to do this, but this is close enough to allow me to move forward. Hopefully posting this will save someone else some time and maybe someone can show me an even more streamlined way to do this (eg - single pass / multiple values in the filter over having to query twice, but it’s not a deal breaker at this point).

$filter = New-Object Amazon.SecurityHub.Model.AwsSecurityFindingFilters
$filterHigh = New-Object Amazon.SecurityHub.Model.StringFilter -Property @{Comparison = "EQUALS"; Value = "HIGH"}
$filterCritical = New-Object Amazon.SecurityHub.Model.StringFilter -Property @{Comparison = "EQUALS"; Value = "CRITICAL"}
$filter.SeverityLabel = $filterHigh
$findingsHigh = Get-SHUBFinding -Filter $filter
$filter.SeverityLabel = $filterCritical
$findingsCritical = Get-SHUBFinding -Filter $filter
Write-Host "High Findings Count: $($findingsHigh.Count)"
Write-Host "Critical Findings Count: $($findingsCritical.Count)"
Thanks!
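The single-pass version the update asks for, as an added example (not code from the thread): each filter property on AwsSecurityFindingFilters is a list of StringFilter objects, and Security Hub ORs multiple entries on the same property while ANDing different properties, so two SeverityLabel entries return HIGH and CRITICAL in one call. The RecordState and WorkflowStatus filters added here are assumptions about what a triage query would want; drop them if you need archived or suppressed findings too.

```powershell
# Builds one StringFilter per value so a property can match any of several values (OR).
# Comparison values accepted by the StringFilter type: EQUALS, NOT_EQUALS, PREFIX, PREFIX_NOT_EQUALS.
function New-SHUBStringFilter {
    param(
        [Parameter(Mandatory)] [string[]] $Value,
        [string] $Comparison = 'EQUALS'
    )
    foreach ($v in $Value) {
        New-Object Amazon.SecurityHub.Model.StringFilter -Property @{
            Comparison = $Comparison
            Value      = $v
        }
    }
}

$filter = New-Object Amazon.SecurityHub.Model.AwsSecurityFindingFilters

# SeverityLabel IN ('CRITICAL', 'HIGH'): two entries on the same property are ORed.
$filter.SeverityLabel = New-SHUBStringFilter -Value 'CRITICAL', 'HIGH'

# Assumed triage scoping (ANDed with the severity filter): only current, non-suppressed findings.
$filter.RecordState    = New-SHUBStringFilter -Value 'ACTIVE'
$filter.WorkflowStatus = New-SHUBStringFilter -Value 'SUPPRESSED' -Comparison 'NOT_EQUALS'

# One call returns both severities instead of querying once per label.
$findings = Get-SHUBFinding -Filter $filter

# Break the result down by severity so the counts match the two-query version from the update.
$findings |
    Group-Object -Property { $_.Severity.Label } |
    Select-Object Name, Count |
    Format-Table -AutoSize
```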