Findings getting Archived in Security Hub

[RishiTandonAthena]

I am facing an issue where findings from Prowler are sent to Security Hub and after a random amount of time (ranging from seconds to hours) are getting archived via Security Hub API. For imported findings in Security Hub, the field "RecordState" is updated by the findings provider (Prowler in this scenario) and it can be only done via the API "BatchImportFindings".
The Prowler scans are giving output like below:

Executing 9 checks, please wait...
-> Scan completed! |▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉| 9/9 [100%] in 1:32.7
Sending findings to AWS Security Hub, please wait...
123 findings sent to AWS Security Hub!
Archiving previous findings in AWS Security Hub, please wait...
49 findings archived in AWS Security Hub!

But when I go to Security Hub, I can see some of the findings are Archived automatically (irrespective of the resource types) with below History logs:

19:58:55 (UTC+00:00)
by
account
via Security Hub API
FirstObservedAt changed from '2025-06-08T19:58:35Z' to '2025-06-15T19:58:47Z'
FindingProviderFields Severity Normalized added '40'
RecordState changed from 'ARCHIVED' to 'ACTIVE'

and then get Archived like below:

20:03:54 (UTC+00:00)
by
account
via Security Hub API
FindingProviderFields Severity Normalized changed from '40' to ''
RecordState changed from 'ACTIVE' to 'ARCHIVED'

Prowler should be archiving the old ones as I've not disabled that in the config but seems like the new findings are getting archived as well even if the resources are available and the finding is relevant. Can someone help or suggest here ?

[puchy22]

Hi @RishiTandonAthena,

Thanks for the detailed explanation and logs—they're really helpful.

We've looked into the issue on our end but unfortunately, we haven't been able to replicate the behavior you're experiencing. Based on what you've described, the only explanation I can think of is that something other than Prowler might be interacting with the same findings and calling the BatchImportFindings API, which—as you noted—is the only way to update the RecordState for imported findings.

Since Prowler itself only archives findings explicitly during its run (as reflected in your output: “49 findings archived in AWS Security Hub!”), it’s unlikely that it would later change RecordState unless triggered again. It's possible that:

• Another system or tool is re-importing or modifying those findings.
• Someone else in the account/team is running another process that interacts with Security Hub.

To better understand what's happening, it would be helpful if you could share:

• Whether any other tools or scripts might be interacting with Security Hub in that account.
• If there’s any automation or scheduled workflows running that use the BatchImportFindings API.
• Whether the finding IDs that are being re-archived match those that Prowler previously sent or if they are new ones.

Happy to investigate further with more details—let me know what you find!

[RishiTandonAthena]

Hi @puchy22 , thank you for your response. Please find requested information below:

1. Whether any other tools or scripts might be interacting with Security Hub in that account.
   The only other integration that we have with Security Hub is Snyk which is working fine and we don't see similar behaviour with Snyk's findings.

2. If there’s any automation or scheduled workflows running that use the BatchImportFindings API.
   There's no automation running in SH. We do have a custom action for sending findings to our SIEM solution via Amazon EventBridge.

3. Whether the finding IDs that are being re-archived match those that Prowler previously sent or if they are new ones.
   I believe so. I can see in the SH finding history that the same finding id is being updated from ARCHIVED -> ACTIVE -> ARCHIVED.

We do have AWS Config enabled but am not sure if that would be the cause of this issue.

I had opened a case with AWS as well and they pointed out that none of their services are archiving these findings and it's only been done through BatchImportFindings API used by Prowler.

Please let me know if any further information is required. Thank you for the help here.

[puchy22]

Hi @RishiTandonAthena,

Thanks a lot for the detailed follow-up—it’s really helpful to narrow things down.

We’re still not able to reproduce the issue on our end, and from what you’ve shared, it doesn’t seem like there are any obvious conflicting automations or third-party tools involved.

Given that the RecordState is being updated through the BatchImportFindings API (as confirmed by AWS Support) and appears to be triggered again for the same finding IDs, it seems something is re-invoking that endpoint using Prowler’s signature. But without being able to reproduce it, it’s hard to pinpoint exactly what’s causing it.

To dig deeper, we’d be happy to continue investigating this with you. If you’d like, you’re very welcome to join our Slack community to discuss this more interactively—some of the team and community members may have also encountered similar behavior.

Alternatively, we can also set up a quick call to go through your setup together and try to spot what might be triggering the re-archival.

Let me know what works best for you, and we’ll take it from there.

[RishiTandonAthena]

Hi @puchy22 , I've joined the Slack community. How can we move this forward ? Should I post in the channel there again ?
Thanks for all the help !

[puchy22]

Hi again @RishiTandonAthena.

Yes, what I’d suggest is posting this again in the #04-bug-reports channel, this time including the context from this discussion.

Either I or someone from the team will get back to you there. And if we’re still unable to find a solution, we can schedule a quick Slack call to troubleshoot it together.

Thanks so much—and sorry for the delay!