
SEMPER Filter Policy Documentation

SEMPER aggregates all security events from the provisioned SEMPER AWS Config Rules, the AWS EventBridge rules (API calls recorded by CloudTrail), and the AWS Security Hub and Amazon GuardDuty findings. SEMPER forwards all of those security findings to a SEMPER Processing Lambda in your Core Security account.

This SEMPER Processing Lambda determines the account context (OU ID, AWS account tags) of the originating account based on its account ID.

Depending on the source (AWS event, AWS Security Hub or Amazon GuardDuty), SEMPER iterates through all filter policies stored in the corresponding folder of the policy repository (see below). Based on the filter policies defined in that folder, the processing Lambda filters the security findings.

Required SEMPER version: >=1.18.0

Filter Section in the Policy Repository

The SEMPER Filter Policies are stored in the "20_filtering" folder of the Policy-Repository:

SEMPER Filter Policies in the Repository
├───20_filtering/
│   ├───cloudtrail_api_calls/
│   │   │   api_call_filter_policy1.json
│   │   │   api_call_filter_policy2.json
│   │   │   ...
│   │
│   ├───guardduty_findings/
│   │   │   gd_filter_policy1.json
│   │   │   ...
│   │
│   ├───securityhub_findings/
│   │   │   sh_filter_policy1.json
│   │   │   sh_filter_policy2.json
│   │   │   ...

Sample policies:

Folder: /20_filtering/cloudtrail_api_calls
Folder: /20_filtering/guardduty_findings
Folder: /20_filtering/securityhub_findings

SEMPER Filter Policy Elements

The SEMPER Filter Policies always have the following sections:

{
  ...
  "filtering" : {
    "policyScope": <policyScopePattern>,
    "findingPattern": <findingPattern>
  },
  ...
}
Key              Value-Type   Comment
filtering        object       Determines the SEMPER Filter Policy.
.policyScope     object       (optional) Described in the following chapter, Section policyScope.
.findingPattern  object       Pattern according to the ACAI JSON-Pattern Engine.

Samples of Filter Policies

{
  "metaData": {
    "domain": "filter",
    "type": "eventbridge_rule",
    "title": "Ignore KMS events for all environments except 'Production'",
    ...
  },
  "filtering": {
    "policyScope": {
      "accountScope": {
        "exclude": "*",
        "forceInclude": {
          "accountTags": {
            "Environment" : [
              {
                "anything-but": "Production"
              }
            ]
          }
        }
      }
    },
    "findingPattern": {
      "detail": {
        "eventSource": [
          "kms.amazonaws.com"
        ],
        "eventName": [
          "DisableKey",
          "ScheduleKeyDeletion"
        ]
      }
    }
  },
  ...
}
{
  "metaData": {
    "domain": "filter",
    "type": "eventbridge_rule",
    "title": "Drop CIS_AWS_1.4 findings for IAM User foundation_checkpoint_reader",
    ...
  },
  "filtering": {
    "findingPattern": {
      "ProductFields": {
        "StandardsGuideArn": [
          {
            "prefix": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark"
          }
        ],
        "RuleId": [
          "1.4"
        ]
      },
      "Resources": {
        "Id": [
          {
            "suffix": ":user/checkpoint_api"
          }
        ]
      }
    }
  },
  ...
}
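To show how the two sample policies above behave once the processing Lambda applies them, here is an added, self-contained Python example. It is not SEMPER's own code and not the ACAI JSON-Pattern Engine: it re-implements only the matcher features the samples use (exact value lists, "prefix", "suffix", "anything-but") with assumed EventBridge-style semantics, plus an assumed reading of accountScope (exclude removes accounts from the policy, forceInclude puts them back, a policy without policyScope applies everywhere). The account contexts and findings are constructed for the example, and a policy whose findingPattern matches is taken to drop the finding, as the sample titles ("Ignore", "Drop") suggest.

```python
"""Added example: minimal evaluator for SEMPER-style filter policies.

Not SEMPER's code and not the ACAI JSON-Pattern Engine; the matcher and
accountScope semantics below are assumptions made for this example.
"""
from typing import Any, Optional


def _value_matches(matcher: Any, value: Any) -> bool:
    """One matcher from a pattern list against one scalar finding value."""
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "suffix" in matcher:
            return isinstance(value, str) and value.endswith(matcher["suffix"])
        if "anything-but" in matcher:
            forbidden = matcher["anything-but"]
            forbidden = forbidden if isinstance(forbidden, list) else [forbidden]
            return value not in forbidden
        raise ValueError(f"unsupported matcher: {matcher}")
    return matcher == value  # plain string/number: exact match


def matches(pattern: dict, data: Any) -> bool:
    """Assumed EventBridge-style matching: every pattern key must match, a list
    of matchers matches if any entry matches, and an array in the data (e.g.
    the ASFF Resources list) matches if any element matches."""
    if isinstance(data, list):
        return any(matches(pattern, element) for element in data)
    if not isinstance(data, dict):
        return False
    for key, sub_pattern in pattern.items():
        if key not in data:
            return False
        value = data[key]
        if isinstance(sub_pattern, dict):
            if not matches(sub_pattern, value):
                return False
        else:  # list of matchers
            values = value if isinstance(value, list) else [value]
            if not any(_value_matches(m, v) for m in sub_pattern for v in values):
                return False
    return True


def scope_applies(policy_scope: Optional[dict], account_context: dict) -> bool:
    """Assumed accountScope semantics: "exclude" ("*" or a context pattern)
    removes accounts from the policy, "forceInclude" adds matching accounts
    back. A policy without policyScope applies to every account."""
    if not policy_scope:
        return True
    account_scope = policy_scope.get("accountScope", {})
    exclude = account_scope.get("exclude")
    excluded = exclude == "*" or (isinstance(exclude, dict) and matches(exclude, account_context))
    force_include = account_scope.get("forceInclude")
    if excluded and isinstance(force_include, dict) and matches(force_include, account_context):
        excluded = False
    return not excluded


# The two sample policies from this page, keyed by their policy folder.
FILTER_POLICIES = {
    "cloudtrail_api_calls": [{
        "metaData": {"domain": "filter", "type": "eventbridge_rule",
                     "title": "Ignore KMS events for all environments except 'Production'"},
        "filtering": {
            "policyScope": {"accountScope": {"exclude": "*", "forceInclude": {
                "accountTags": {"Environment": [{"anything-but": "Production"}]}}}},
            "findingPattern": {"detail": {"eventSource": ["kms.amazonaws.com"],
                                          "eventName": ["DisableKey", "ScheduleKeyDeletion"]}},
        },
    }],
    "securityhub_findings": [{
        "metaData": {"domain": "filter", "type": "eventbridge_rule",
                     "title": "Drop CIS_AWS_1.4 findings for IAM User foundation_checkpoint_reader"},
        "filtering": {"findingPattern": {
            "ProductFields": {
                "StandardsGuideArn": [{"prefix": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark"}],
                "RuleId": ["1.4"]},
            "Resources": {"Id": [{"suffix": ":user/checkpoint_api"}]},
        }},
    }],
}


def dropping_policy(source: str, finding: dict, account_context: dict) -> Optional[str]:
    """Mirror the processing Lambda: walk the policies of the source folder and
    return the title of the first policy that filters the finding, or None."""
    for policy in FILTER_POLICIES[source]:
        filtering = policy["filtering"]
        if not scope_applies(filtering.get("policyScope"), account_context):
            continue
        if matches(filtering["findingPattern"], finding):
            return policy["metaData"]["title"]
    return None


# Constructed account contexts and findings (placeholder IDs, not real accounts).
DEV_ACCOUNT = {"accountId": "111111111111", "ouId": "ou-example-dev", "accountTags": {"Environment": "Development"}}
PROD_ACCOUNT = {"accountId": "222222222222", "ouId": "ou-example-prod", "accountTags": {"Environment": "Production"}}
KMS_DISABLE_KEY = {"detail": {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey"}}
KMS_CREATE_KEY = {"detail": {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey"}}
CIS_1_4_CHECKPOINT = {
    "ProductFields": {"StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                      "RuleId": "1.4"},
    "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111111111111:user/checkpoint_api"}],
}

if __name__ == "__main__":
    print(dropping_policy("cloudtrail_api_calls", KMS_DISABLE_KEY, DEV_ACCOUNT))   # dropped in Development
    print(dropping_policy("cloudtrail_api_calls", KMS_DISABLE_KEY, PROD_ACCOUNT))  # None: Production stays
    print(dropping_policy("securityhub_findings", CIS_1_4_CHECKPOINT, DEV_ACCOUNT))
```

The Production case is the one worth checking when writing an exclude/forceInclude scope: because the whole scope starts excluded ("*"), a mistyped tag value in forceInclude silently turns the policy into a no-op rather than into a filter that drops too much, which is the safer failure direction for a finding filter.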