How to Create Insight Filter Policy in StackGuardian via API

[refeed]

What are Policies?

Policy is a construct in the StackGuardian Platform. Its job is to contain a policy definition that will be applied to another construct like Workflow or Insights findings.

As of now, there are two types of Policy:

• GENERAL: the original Policy type. Policies that have this type will be able to be applied to construct like Workflow.
• FILTER.INSIGHT: Policies that control what findings will be excluded from Insight report.

How to create a Insight Filter Policy?

Insight Filter is a Policy type that contains a filter definition that will be applied to the Insight view finding reports. With Insight Filter, we can exclude findings that matches the filters defined so that they won't appear in the main Insight dashboard.

For this, we'll use the Create Policy API

To create an insight filter policy, we first need to define our filter. A filter is a key value pairs with the key having the filter name, and the value is the filter value. It also has an extra key called ignoreUntil, which is a timestamp, when the value is null, the filter will be effective forever. Please see the example below.

{
	"CSP": ["AWS"],
	"benchmark": ["gdpr"],
	"ignoreUntil": 1735715376000  // This is timestamp in millisecond
}

The filter above will match all of the findings that of CSP AWS, having the benchmark of gdpr, and it will be effective until January 1st 2025. After the filter is made, we can finally wrap it inside exclude_rules list. Please see the example below.

This payload will create an Insight Filter that will exclude findings that have controlId of aws_thrifty.control.lambda_function_with_graviton and the filter will ignore the matching findings forever.

{
    "ResourceName": "ignore_thrifty_graviton",
    "Description": "We always use x86 lambda",
    "Tags": [],
    "PolicyType": "FILTER.INSIGHT",
    "PoliciesConfig": [
        {
            "name": "Rule-1",
            "policyInputData": {
                "data": {
                    "exclusion_rules": [
                        {
                            "controlId": ["aws_thrifty.control.lambda_function_with_graviton"],
                            "ignoreUntil": null
                        }
                    ]
                },
                "schemaType": "FILTER_INSIGHT_JSON",
                "schemaVersion": "V1"
            }
        }
    ]
}

Please note that, every policy of type FILTER.INSIGHT can only contain one filter rule as of now.

Here are the available filters that can be put inside the exclusion_rules key:

• CSP
  • The Cloud Provider (e.g. AWS, AZURE, or GCP)
• severity
  • Severity of the findings (e.g. Critical, High, Medium, Low)
• benchmark
  • Benchmark ID (e.g. thrifty, gdpr)
• integrations
  • Connector ID (e.g aws-prod)
• resource
  • Resource ID, in AWS it's the ARN of the resource
• region
  • Region, e.g. eu-central-1, `global
• controlTitle
  • Control title of the check
• controlId
  • Control ID of the check
• accountId
  • Account ID of the connector