Exporting Warden CSPM Findings into AWS Security Hub

NOTE: This API is for beta purposes only. Kindly email cs@horangi.com for access

Warden’s CSPM Checks API can also output CSPM Checks into the AWS Security Finding Format (ASFF) for supported resource types. The ASFF format is used in AWS Security Hub so you can immediately import Warden AWS findings and aggregate them with the rest of your Security Hub findings.

Request Format

To get an API response in ASFF format, put the following case-sensitive header in your request.

check-format: asff

For the ASFF format, you also need to include the AWS account ID (e.g. 123456789012) in which Security Hub is enabled, plus the region (e.g. us-east-1) in which Security Hub is enabled. The API requires these two parameters so that Warden knows which Security Hub setup will receive the data and Security Hub can successfully import the exported findings.

Use this URL format when you want to request an ASFF response.

IMPORTANT: To export only findings (FAILED checks) for import into Security Hub, you will need to add the `results=fail` filter to the URL.

https://api.horangi.com/v1/cspm/checks?results=fail&account_id=<AWS Account ID of Security Hub integration>&region=<region of Security Hub integration>

To extract the API response into a file that you can then import into Security Hub, pipe the response through jq and keep only the `data` array:

curl --request GET \
  --url '<YOUR REQUEST URL>' \
  --header 'check-format: asff' \
  --header 'x-api-key: YOUR API KEY' | jq '.data' > report.asff

To generate your own Warden API key, go to Managing API Keys

Example full query using cURL:

curl --request GET \
  --url 'https://api.horangi.com/v1/cspm/checks?results=fail&account_id=123456789012&region=us-east-1' \
  --header 'check-format: asff' \
  --header 'x-api-key: 5kx1os69VWWulg9m8W%dRyp@bxvAX%%wOudG4u1Gp4x8YQVb7m' | jq '.data' > report.asff

Are you seeing fewer results than you expected? Note that:

  • Only AWS resources are included in the response
  • Only supported resource types are included in the response (see Supported Resource Types below)
  • By default, we only return 500 results per query. Refer to Pagination here for more details

You can also add in the same filters as the rest of the Checks API to further refine your results.

Query Response

| Response Field | Type | Description |
|---|---|---|
| data[x].AwsAccountId | String | The AWS Account ID of the Security Hub instance |
| data[x].CreatedAt | String | The time this check was created. |
| data[x].Description | String | A short description of the check. Note: Because Security Hub only supports up to 1024 characters, longer descriptions are truncated. |
| data[x].GeneratorId | String | A Warden-generated identifier used in Security Hub. Format: <Check UID>//<Rule ID>//<Resource ID> |
| data[x].Id | String | The unique signature for this check. |
| data[x].ProductName | String | Name of the product. Value: Warden (hardcoded) |
| data[x].CompanyName | String | Name of the company. Value: Horangi (hardcoded) |
| data[x].ProductArn | String | The Amazon Resource Name (ARN) generated by Security Hub that uniquely identifies Warden after the product is registered with Security Hub. |
| data[x].Compliance.Status | String | Whether the resource passed or failed the compliance checks. Values: PASSED or FAILED |
| data[x].Resources[] | Array | The resource(s) associated with the check |
| data[x].Resources[y].Id | String | The cloud-native resource identifier of the check. |
| data[x].Resources[y].Type | String | The resource type in ASFF format |
| data[x].Resources[y].Region | String | The region the resource is located in |
| data[x].SchemaVersion | String | The schema version that a finding is formatted for. The value of this field must be one of the officially published versions identified by AWS. The current release's AWS Security Finding Format schema version is 2018-10-08. |
| data[x].Severity | Object | Defines the importance of a check. |
| data[x].Severity.Label | String | The final severity of this check. Values: INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL |
| data[x].Title | String | The rule title of this check. |
| data[x].Types[] | Array[String] | The different compliance standards this check applies to. Note that not all the standards that Warden supports are supported by Security Hub. Supported values: CIS AWS Foundations Benchmark, PCI-DSS, ISO 27001 Controls, SOC 2, NIST 800-53 Controls (USA), NIST CSF Controls (USA), K-ISMS Controls (Korea), GDPR Controls (Europe) |
| data[x].UpdatedAt | String | The last time a check was updated |
| links.self | URL | The URL that generates this response |
| links.next | URL | If not null, the URL to be used to request the next page of items. |

Importing Findings to Security Hub

To import the findings to Security Hub, assuming that the AWS CLI is already set up on your machine and you saved the results to a file, run this command:

aws securityhub batch-import-findings --findings file://<your findings file> --region <Region where Security Hub is located>

If the command ran successfully, you should see a response like the following, with the number of findings that were imported into Security Hub successfully and unsuccessfully:

{
   "FailedCount": number,
   "FailedFindings": [
      {
         "ErrorCode": "string",
         "ErrorMessage": "string",
         "Id": "string"
      }
   ],
   "SuccessCount": number
}

You can then find the new Warden findings in Security Hub.
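The export and import steps above, as an added Python example (not Warden's or AWS's own code): it follows `links.next` to collect every page instead of stopping at the default 500, checks each finding against the account, region and FAILED status the page says Security Hub expects, and splits the import into batches of 100, since the Security Hub BatchImportFindings API rejects larger calls. The `fetch` callable, the sample pages, the 12-digit account IDs and the `product/example/placeholder` ARN are all constructed assumptions.

```python
ASFF_SCHEMA = "2018-10-08"  # schema version the page documents
BATCH_LIMIT = 100           # Security Hub BatchImportFindings accepts at most 100 findings per call

def collect_findings(first_url, fetch):
    """Follow links.next until it is null, concatenating every page's data[];
    fetch(url) returns the parsed JSON body (send the check-format/x-api-key headers)."""
    findings, url = [], first_url
    while url:
        page = fetch(url)
        findings.extend(page.get("data", []))
        url = (page.get("links") or {}).get("next")
    return findings

def finding_problems(finding, account_id, region):
    """Reasons Security Hub would reject, or quietly misfile, this finding."""
    problems = []
    if finding.get("AwsAccountId") != account_id:
        problems.append("AwsAccountId is not the Security Hub account")
    if f":{region}:" not in finding.get("ProductArn", ""):
        problems.append("ProductArn is not for the Security Hub region")
    if finding.get("SchemaVersion") != ASFF_SCHEMA:
        problems.append("unexpected SchemaVersion")
    if (finding.get("Compliance") or {}).get("Status") != "FAILED":
        problems.append("not a FAILED check; query with results=fail")
    return problems

def batches(findings, size=BATCH_LIMIT):
    """Split a (possibly 500-item) export into lists Security Hub will accept."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]

def import_findings(findings, region):
    """Upload each batch with boto3; returns (SuccessCount, FailedCount) totals."""
    import boto3  # only needed for a live import
    hub = boto3.client("securityhub", region_name=region)
    ok = failed = 0
    for batch in batches(findings):
        resp = hub.batch_import_findings(Findings=batch)
        ok, failed = ok + resp["SuccessCount"], failed + resp["FailedCount"]
    return ok, failed

def make_finding(i, account="123456789012", region="us-east-1", status="FAILED"):
    """Constructed ASFF finding (not real Warden output); ProductArn is a placeholder."""
    return {"SchemaVersion": ASFF_SCHEMA, "Id": f"check-{i}", "AwsAccountId": account,
            "ProductArn": f"arn:aws:securityhub:{region}::product/example/placeholder",
            "Compliance": {"Status": status}, "Resources": [{"Id": f"res-{i}", "Region": region}]}

SAMPLE_PAGES = {  # constructed two-page export standing in for the live API
    "page1": {"data": [make_finding(i) for i in range(150)], "links": {"next": "page2"}},
    "page2": {"data": [make_finding(150, status="PASSED")], "links": {"next": None}}}
```

Run `collect_findings("page1", SAMPLE_PAGES.__getitem__)` to see the pager in action offline; for a live run, pass a `fetch` built on urllib with the two headers and then call `import_findings` with the Security Hub region.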

Supported Resource Types

The following resource types are included in the ASFF-formatted finding response. These are the resources that both Warden and Security Hub support out of the box.

  • ACM Certificate
  • Auto Scaling Group
  • Auto Scaling Launch Configuration
  • CloudFormation Stack
  • CloudFront Distribution
  • CloudTrail Trail
  • CloudWatch Alarm
  • DynamoDB Table
  • ECR Repository
  • ECS Cluster
  • ECS Container Instance
  • ECS Service
  • ECS Task Definition (Active)
  • EC2 AMI
  • EC2 Elastic IP Address
  • EC2 Instance
  • EC2 Network ACL
  • EC2 Security Group
  • EC2 Subnet
  • EKS Cluster
  • Elastic Beanstalk Environment
  • ElasticSearch Domain
  • Elastic Load Balancer v2
  • Classic Load Balancer
  • GuardDuty Detector
  • IAM Group
  • IAM Policy
  • IAM Role
  • IAM User
  • Kinesis Data Stream
  • KMS Key
  • Lambda Function
  • RDS DB Cluster
  • RDS DB Instance
  • RDS DB Snapshot
  • Redshift Cluster
  • S3 Bucket
  • SageMaker Notebook Instance
  • SecretsManager Secret
  • SNS Topic
  • SQS Queue
  • VPC
  • WAFv2 Access Control List