Support for formatting security-hub Custom Action (manually triggered) type findings/events/alerts #269
Description
Is your request related to a new offering from AWS?
No. It seems the Security Hub events with detail-type="Security Hub Findings - Custom Action" have already been supported for a long time, alongside the Imported one.
More details about this ability can be found in aws docs:
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-send.html
Is your request related to a problem? Please describe.
This is actually not a big problem, but similar to the Security Hub detail-type="Security Hub Findings - Imported" event formatting handling (which the module supports now), it would be good to also implement/add handling of the "Security Hub Findings - Custom Action" ones. The "Imported" Security Hub events get triggered by Security Hub automatically, but Security Hub also supports "Custom Action" type events, which are triggered manually from the Security Hub CSPM findings listing page when we select some findings and pick a pre-created action. Right now for Custom Action ones we get only the default formatted JSON content of the event detail field, which is not as convenient as the formatted one that Imported Security Hub events/findings have. We may need to send/trigger events manually when we want to, for example, test or start some automated flow on Security Hub findings manually.
Describe the solution you'd like.
It seems both "Security Hub Findings - Imported" and "Security Hub Findings - Custom Action" detail-type events have almost identical event detail objects, so the same handler as for the Imported one may be used. I did a quick test by directly changing the lambda code line where we have the check for "Imported" Security Hub findings, and all worked OK with "Custom Action" type ones also. Here https://github.com/terraform-aws-modules/terraform-aws-notify-slack/blob/v7.2.0/functions/notify_slack.py#L592 is the line I changed to:

    if isinstance(message, Dict) and (message.get("detail-type") == "Security Hub Findings - Imported" or message.get("detail-type") == "Security Hub Findings - Custom Action"):

Describe alternatives you've considered.
No alternative for now with the module's current version; right now we just get the default formatted message in Slack with the full JSON-like big content in the detail field, and that is just not easily readable. As an alternative, another custom module/lambda function could be used, but the change seems minimal and does the trick.
Additional context
No
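As an added example (not code from the issue author or from the terraform-aws-notify-slack module), the detail-type check above can be turned into a single formatter that accepts both Security Hub event kinds and returns a compact summary for Slack, falling back to None for anything else. Finding fields follow ASFF (Severity.Label, Resources, Workflow.Status); the Custom Action keys actionName/actionDescription are assumed from the AWS docs linked in the issue, and the sample events are constructed.

```python
# Added example, not code from the issue or from terraform-aws-notify-slack.
# One formatter for both Security Hub EventBridge detail-types ("Imported",
# emitted automatically, and "Custom Action", emitted when a user picks an
# action on selected findings). Finding keys follow ASFF; the Custom Action
# keys actionName/actionDescription are assumed from the AWS documentation.
from typing import Any, Dict, Optional

SECURITY_HUB_DETAIL_TYPES = {
    "Security Hub Findings - Imported",       # triggered by Security Hub itself
    "Security Hub Findings - Custom Action",  # triggered manually from the console
}


def is_security_hub_event(message: Any) -> bool:
    """Single membership check replacing the hard-coded 'Imported' comparison."""
    return isinstance(message, dict) and message.get("detail-type") in SECURITY_HUB_DETAIL_TYPES


def format_security_hub(message: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a summary dict for either detail-type, or None for other events
    (the caller then falls back to the default JSON message)."""
    if not is_security_hub_event(message):
        return None
    detail = message.get("detail", {})
    manual = message["detail-type"].endswith("Custom Action")
    summary: Dict[str, Any] = {
        "trigger": "manual" if manual else "automatic",
        "action": detail.get("actionName") if manual else None,  # assumed key
        "findings": [],
    }
    for f in detail.get("findings", []):
        summary["findings"].append({
            "title": f.get("Title", "(no title)"),
            "severity": f.get("Severity", {}).get("Label", "INFORMATIONAL"),
            "status": f.get("Workflow", {}).get("Status", "NEW"),
            "resources": [r.get("Id", "?") for r in f.get("Resources", [])],
        })
    return summary


# Constructed sample events (not real findings); only the fields used above.
_FINDING = {"Title": "S3 bucket allows public read", "Severity": {"Label": "HIGH"},
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]}
IMPORTED_EVENT = {"detail-type": "Security Hub Findings - Imported",
                  "detail": {"findings": [_FINDING]}}
CUSTOM_ACTION_EVENT = {"detail-type": "Security Hub Findings - Custom Action",
                       "detail": {"actionName": "SendToSlack",
                                  "actionDescription": "Post selected findings to Slack",
                                  "findings": [_FINDING]}}
```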