Option for "__Prowler:Foobar__" generated tags to capture context that is currently missing from findings pushed to security hub.

[mlmerchant]

I noticed that when prowler generates it's inventory of AWS resources, it seem to only keep tags and discards the rest of the available context. It would be nice, at that step, to optionally capture those extra details into prowler generated "pseudo tags". I assume this could be done without major changes to the rest of the application. One example might be, looking at a report, I want to know the VPC of a resource, but prowler discarded that information. So I'd need to do additional calls post reporting to derive that.

If you look at security hub derived findings, those details exist within the ndjson formtted results. Prowler, on the other hand, provides very minimal if any context.

[mlmerchant]

prowler/prowler/providers/aws/services/vpc/vpc_service.py

Line 358 in 35c8ea5

# Add it to to list of vpc_subnets and to the VPC object

For the purpose of missing the VpcId, I was able to accomplish what I needed by adding logic to the above module just before the object was built for a specific subnet. I created a "VpcId" tag with the value subnet["SubnetId"] and this data followed through to the finding that was generated and pushed to security hub.

So I can solve my own problem by making those adjustments manually for now.

[jfagoagas]

Hi @mlmerchant currently we are working to include context in each Prowler finding. As you pointed out right now we only collect tags but no the relationship between resources, but that's just the plan to be able to link resources in between and have findings with more than one resource associated. Would that fix it?