Setting the workflow status of findings in Security Hub CSPM
Workflow status tracks the progress of your investigation into a finding. Workflow status is specific to an individual finding and doesn't affect generation of new findings. For example, if you change the workflow status of a finding to SUPPRESSED or RESOLVED, your change doesn't prevent Security Hub CSPM from generating a new finding for the same issue.
The workflow status of a finding can be one of the following values.
- NEW
  The initial state of a finding before you review it.
  Findings that are ingested from integrated AWS services, such as AWS Config, have NEW as their initial status.
  Security Hub CSPM also resets the workflow status from either NOTIFIED or RESOLVED to NEW in the following cases:
  - RecordState changes from ARCHIVED to ACTIVE.
  - Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.
  These changes imply that additional investigation is required.
- NOTIFIED
  Indicates that you notified the resource owner about the security issue. You can use this status when you are not the resource owner, and you need intervention from the resource owner in order to resolve a security issue.
  If one of the following occurs, the workflow status is changed automatically from NOTIFIED to NEW:
  - RecordState changes from ARCHIVED to ACTIVE.
  - Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.
- SUPPRESSED
  Indicates that you reviewed the finding and do not believe that any action is needed.
  The workflow status of a SUPPRESSED finding does not change if RecordState changes from ARCHIVED to ACTIVE.
- RESOLVED
  The finding was reviewed and remediated and is now considered resolved.
  The finding remains RESOLVED unless one of the following occurs:
  - RecordState changes from ARCHIVED to ACTIVE.
  - Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.
  In those cases, the workflow status is automatically reset to NEW.
  For findings from controls, if Compliance.Status is PASSED, Security Hub CSPM automatically sets the workflow status to RESOLVED.
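The following Python sketch is an added example, not AWS code. It models the automatic status changes listed above so that you can predict whether an update reopens a finding, and it flags SUPPRESSED findings that returned to ACTIVE without reopening. The flat dictionary keys, the from_control flag, the rule ordering, and the sample updates are assumptions made for the illustration.

```python
# Added example: a model of the automatic workflow-status rules listed above.
# Flat keys mirror the finding fields named on the page; "Workflow.Status" and
# the from_control flag are assumptions of this sketch.

NON_PASSING = {"FAILED", "WARNING", "NOT_AVAILABLE"}


def reactivated(before, after):
    return before["RecordState"] == "ARCHIVED" and after["RecordState"] == "ACTIVE"


def regressed(before, after):
    return (before.get("Compliance.Status") == "PASSED"
            and after.get("Compliance.Status") in NON_PASSING)


def next_workflow_status(before, after, from_control=False):
    """Predict Workflow.Status after an update turns `before` into `after`."""
    current = before["Workflow.Status"]
    # NOTIFIED and RESOLVED are the only statuses the page lists as reset.
    if current in {"NOTIFIED", "RESOLVED"} and (
            reactivated(before, after) or regressed(before, after)):
        return "NEW"
    # Control findings that pass are resolved automatically. Checking this
    # after the reset rule is an ordering assumption.
    if from_control and after.get("Compliance.Status") == "PASSED":
        return "RESOLVED"
    return current  # SUPPRESSED survives ARCHIVED -> ACTIVE unchanged


def suppressed_but_active_again(updates):
    """Ids of SUPPRESSED findings that came back to ACTIVE without reopening."""
    return [u["Id"] for u in updates
            if u["before"]["Workflow.Status"] == "SUPPRESSED"
            and reactivated(u["before"], u["after"])]


# Constructed sample updates (ids are placeholders, not real findings).
SAMPLE_UPDATES = [
    {"Id": "finding-a",
     "before": {"Workflow.Status": "RESOLVED", "RecordState": "ACTIVE", "Compliance.Status": "PASSED"},
     "after": {"RecordState": "ACTIVE", "Compliance.Status": "FAILED"}},
    {"Id": "finding-b",
     "before": {"Workflow.Status": "SUPPRESSED", "RecordState": "ARCHIVED", "Compliance.Status": None},
     "after": {"RecordState": "ACTIVE", "Compliance.Status": None}},
    {"Id": "finding-c",
     "before": {"Workflow.Status": "NEW", "RecordState": "ACTIVE", "Compliance.Status": "FAILED"},
     "after": {"RecordState": "ACTIVE", "Compliance.Status": "PASSED"}},
]
```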
Setting the workflow status of findings
To change the workflow status of one or more findings, you can use the Security Hub CSPM console or the Security Hub CSPM API. If you change the workflow status of a finding, note that it can take several minutes for Security Hub CSPM to process your request and update the finding.
Tip
You can also change the workflow status of findings automatically by using automation rules. With automation rules, you configure Security Hub CSPM to automatically update the workflow status of findings based on criteria that you specify. For more information, see Understanding automation rules in Security Hub CSPM.
To change the workflow status of one or more findings, choose your preferred method and follow the steps.