Integrating with AWS Security Hub
AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you to check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you to analyze your security trends and identify the highest priority security issues.
The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.
Contents
How Amazon GuardDuty sends findings to AWS Security Hub
In AWS Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub also has a set of rules that it uses to detect security issues and generate findings.
Security Hub provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. For more information, see Viewing findings in the AWS Security Hub User Guide. You can also track the status of an investigation into a finding. For more information, see Taking action on findings in the AWS Security Hub User Guide.
All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. See AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.
Amazon GuardDuty is one of the AWS services that sends findings to Security Hub.
Types of findings that GuardDuty sends to Security Hub
Once you enable GuardDuty and Security Hub in the same account within the same AWS Region,
GuardDuty starts sending all the generated findings to Security Hub. These findings are sent to
Security Hub using the AWS
Security Finding Format (ASFF). In ASFF, the Types
field
provides the finding type.
Latency for sending new findings
When GuardDuty creates a new finding, it is usually sent to Security Hub within five minutes.
Retrying when Security Hub is not available
If Security Hub is not available, GuardDuty retries sending the findings until they are received.
Updating existing findings in Security Hub
After it sends a finding to Security Hub, GuardDuty sends updates to reflect additional observations of the finding activity to Security Hub. The new observations of these findings are sent to Security Hub based on the Step 5 – Frequency for exporting findings settings in your AWS account.
When you archive or unarchive a finding, GuardDuty doesn't send that finding to Security Hub. Any manually unarchived finding that later become active in GuardDuty is not sent to Security Hub.
Viewing GuardDuty findings in AWS Security Hub
Sign in to the AWS Management Console and open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/
You can now use either of the following ways to view the GuardDuty findings in the Security Hub console:
- Option 1: Using Integrations in Security Hub
-
In the left navigation pane, choose Integrations.
-
On the Integrations page, check the Status for Amazon: GuardDuty.
-
If the Status is Accepting findings, then choose See findings next to Accepting findings.
-
If not, then for more information about how Integrations work, see Security Hub integrations in AWS Security Hub User Guide.
-
- Option 2: Using Findings in Security Hub
-
In the left navigation pane, choose Findings.
-
On the Findings page, add the filter Product name and enter
GuardDuty
to view only GuardDuty findings.
Interpreting GuardDuty finding names in AWS Security Hub
GuardDuty sends the findings to Security Hub using the AWS
Security Finding Format (ASFF). In ASFF, the Types
field
provides the finding type. ASFF types use a different naming scheme than GuardDuty
types. The table below details all the GuardDuty finding types with their ASFF
counterpart as they appear in Security Hub.
Note
For some GuardDuty finding types Security Hub assigns different ASFF finding names depending on whether the finding detail's Resource Role was ACTOR or TARGET. For more information see Finding details.
GuardDuty finding type |
ASFF finding type |
---|---|
TTPs/AttackSequence:IAM/CompromisedCredentials |
|
TTPs/AttackSequence:S3/CompromisedData |
|
TTPs/Command and Control/Backdoor:EC2-C&CActivity.B |
|
TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol |
|
TTPs/Command and Control/Backdoor:EC2-Spambot |
|
Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual |
|
Unusual Behaviors/VM/Behavior:EC2-TrafficVolumeUnusual |
|
TTPs/Command and Control/Backdoor:Lambda-C&CActivity.B |
|
TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B |
|
TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B!DNS |
|
TTPs/Credential Access/IAMUser-AnomalousBehavior |
|
CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed |
TTPs/AnomalousBehavior/CredentialAccess:Kubernetes-SecretsAccessed |
CredentialAccess:Kubernetes/MaliciousIPCaller |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller |
CredentialAccess:Kubernetes/MaliciousIPCaller.Custom |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller.Custom |
CredentialAccess:Kubernetes/SuccessfulAnonymousAccess |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-SuccessfulAnonymousAccess |
CredentialAccess:Kubernetes/TorIPCaller |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-TorIPCaller |
TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.FailedLogin |
|
TTPs/Credential Access/RDS-AnomalousBehavior.SuccessfulBruteForce |
|
TTPs/Credential Access/RDS-AnomalousBehavior.SuccessfulLogin |
|
TTPs/Credential Access/RDS-MaliciousIPCaller.FailedLogin |
|
TTPs/Credential Access/RDS-MaliciousIPCaller.SuccessfulLogin |
|
TTPs/Credential Access/RDS-TorIPCaller.FailedLogin |
|
TTPs/Credential Access/RDS-TorIPCaller.SuccessfulLogin |
|
TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B |
|
TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS |
|
TTPs/Command and Control/CryptoCurrency:Lambda-BitcoinTool.B Effects/Resource Consumption/CryptoCurrency:Lambda-BitcoinTool.B |
|
TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B |
|
TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B!DNS |
|
TTPs/DefenseEvasion/EC2:Unusual-DNS-Resolver |
|
TTPs/DefenseEvasion/EC2:Unusual-DoH-Activity |
|
TTPs/DefenseEvasion/EC2:Unusual-DoT-Activity |
|
TTPs/Defense Evasion/IAMUser-AnomalousBehavior |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-TorIPCaller |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-FilelessExecution |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Proc |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Ptrace |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.VirtualMemoryWrite |
|
TTPs/DefenseEvasion/DefenseEvasion:Runtime-PtraceAntiDebugging |
|
TTPs/DefenseEvasion/DefenseEvasion:Runtime-SuspiciousCommand |
|
TTPs/Discovery/IAMUser-AnomalousBehavior |
|
TTPs/AnomalousBehavior/Discovery:Kubernetes-PermissionChecked |
|
TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller |
|
TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/Discovery/Discovery:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/Discovery/Discovery:Kubernetes-TorIPCaller |
|
TTPs/Discovery/RDS-MaliciousIPCaller |
|
TTPs/Discovery/RDS-TorIPCaller |
|
TTPs/Discovery/Discovery:Runtime-SuspiciousCommand |
|
TTPs/Discovery:S3-AnomalousBehavior |
|
TTPs/Discovery:S3-BucketEnumeration.Unusual |
|
TTPs/Discovery:S3-MaliciousIPCaller.Custom |
|
TTPs/Discovery:S3-TorIPCaller |
|
TTPs/Discovery:S3-MaliciousIPCaller |
|
Exfiltration:IAMUser/AnomalousBehavior |
TTPs/Exfiltration/IAMUser-AnomalousBehavior |
Execution:Kubernetes/ExecInKubeSystemPod |
TTPs/Execution/Execution:Kubernetes-ExecInKubeSystemPod |
TTPs/AnomalousBehavior/Execution:Kubernetes-ExecInPod |
|
TTPs/AnomalousBehavior/Execution:Kubernetes-WorkloadDeployed |
|
TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller |
|
TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/Impact/Impact:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/Impact/Impact:Kubernetes-TorIPCaller |
|
TTPs/Persistence/Persistence:Kubernetes-ContainerWithSensitiveMount |
|
Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount |
TTPs/AnomalousBehavior/Persistence:Kubernetes-WorkloadDeployed!ContainerWithSensitiveMount |
PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-WorkloadDeployed!PrivilegedContainer |
TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller |
|
TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/Persistence/Persistence:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/Persistence/Persistence:Kubernetes-TorIPCaller |
|
TTPs/Execution/Execution:EC2-MaliciousFile |
|
TTPs/Execution/Execution:ECS-MaliciousFile |
|
TTPs/Execution/Execution:Kubernetes-MaliciousFile |
|
TTPs/Execution/Execution:Container-MaliciousFile |
|
TTPs/Execution/Execution:EC2-SuspiciousFile |
|
TTPs/Execution/Execution:ECS-SuspiciousFile |
|
TTPs/Execution/Execution:Kubernetes-SuspiciousFile |
|
TTPs/Execution/Execution:Container-SuspiciousFile |
|
TTPs/Execution/Execution:Runtime-MaliciousFileExecuted |
|
TTPs/Execution/Execution:Runtime-NewBinaryExecuted |
|
TTPs/Execution/Execution:Runtime-NewLibraryLoaded |
|
TTPs/Execution/Execution:Runtime-ReverseShell |
|
TTPs/Execution/Execution:Runtime-SuspiciousCommand |
|
TTPs/Execution/Execution:Runtime-SuspiciousShellCreated |
|
TTPs/Execution/Execution:Runtime-SuspiciousTool |
|
TTPs/Exfiltration:S3-AnomalousBehavior |
|
TTPs/Exfiltration:S3-ObjectRead.Unusual |
|
TTPs/Exfiltration:S3-MaliciousIPCaller |
|
TTPs/Impact:EC2-AbusedDomainRequest.Reputation |
|
TTPs/Impact:EC2-BitcoinDomainRequest.Reputation |
|
TTPs/Impact:EC2-MaliciousDomainRequest.Reputation |
|
TTPs/Impact/Impact:EC2-PortSweep |
|
TTPs/Impact:EC2-SuspiciousDomainRequest.Reputation |
|
TTPs/Impact/Impact:EC2-WinRMBruteForce |
|
TTPs/Impact/IAMUser-AnomalousBehavior |
|
TTPs/Impact/Impact:Runtime-AbusedDomainRequest.Reputation |
|
TTPs/Impact/Impact:Runtime-BitcoinDomainRequest.Reputation |
|
TTPs/Impact/Impact:Runtime-CryptoMinerExecuted |
|
TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation |
|
TTPs/Impact/Impact:Runtime-SuspiciousDomainRequest.Reputatio |
|
TTPs/Impact:S3-AnomalousBehavior.Delete |
|
TTPs/Impact:S3-AnomalousBehavior.Permission |
|
TTPs/Impact:S3-AnomalousBehavior.Write |
|
TTPs/Impact:S3-ObjectDelete.Unusual |
|
TTPs/Impact:S3-PermissionsModification.Unusual |
|
TTPs/Impact:S3-MaliciousIPCaller |
|
TTPs/Initial Access/IAMUser-AnomalousBehavior |
|
TTPs/Object/Object:S3-MaliciousFile |
|
TTPs/PenTest:IAMUser/KaliLinux |
|
TTPs/PenTest:IAMUser/ParrotLinux |
|
TTPs/PenTest:IAMUser/PentooLinux |
|
TTPs/PenTest:S3-KaliLinux |
|
TTPs/PenTest:S3-ParrotLinux |
|
TTPs/PenTest:S3-PentooLinux |
|
TTPs/Persistence/IAMUser-AnomalousBehavior | |
TTPs/Persistence/Persistence:IAMUser-NetworkPermissions |
|
TTPs/Persistence/Persistence:IAMUser-ResourcePermissions |
|
TTPs/Persistence/Persistence:IAMUser-UserPermissions |
|
TTPs/Persistence/Persistence:Runtime-SuspiciousCommand |
|
TTPs/Policy:IAMUser-RootCredentialUsage |
|
TTPs/Policy:IAMUser-ShortTermRootCredentialUsage |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AdminAccessToDefaultServiceAccount |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AnonymousAccessGranted |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-ExposedDashboard |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-KubeflowDashboardExposed |
|
TTPs/Policy:S3-AccountBlockPublicAccessDisabled |
|
TTPs/Policy:S3-BucketAnonymousAccessGranted |
|
Effects/Data Exposure/Policy:S3-BucketBlockPublicAccessDisabled |
|
TTPs/Policy:S3-BucketPublicAccessGranted |
|
TTPs/Privilege Escalation/IAMUser-AnomalousBehavior | |
TTPs/Privilege Escalation/PrivilegeEscalation:IAMUser-AdministrativePermissions |
|
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleBindingCreated |
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleCreated |
TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ContainerMountsHostDirectory |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-CGroupsReleaseAgentModified |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-DockerSocketAccessed |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ElevationToRoot |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-RuncContainerEscape |
|
Software and Configuration Checks/PrivilegeEscalation:Runtime-SuspiciousCommand |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-UserfaultfdUsage |
|
TTPs/Discovery/Recon:EC2-PortProbeEMRUnprotectedPort |
|
TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort |
|
TTPs/Discovery/Recon:EC2-Portscan |
|
TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller |
|
TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller.Custom |
|
TTPs/Discovery/Recon:IAMUser-NetworkPermissions |
|
TTPs/Discovery/Recon:IAMUser-ResourcePermissions |
|
TTPs/Discovery/Recon:IAMUser-TorIPCaller |
|
TTPs/Discovery/Recon:IAMUser-UserPermissions |
|
Unusual Behaviors/User/ResourceConsumption:IAMUser-ComputeResources |
|
TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled |
|
TTPs/Defense Evasion/Stealth:IAMUser-LoggingConfigurationModified |
|
TTPs/Defense Evasion/Stealth:IAMUser-PasswordPolicyChange |
|
TTPs/Defense Evasion/Stealth:S3-ServerAccessLoggingDisabled |
|
TTPs/Command and Control/Trojan:EC2-BlackholeTraffic |
|
TTPs/Command and Control/Trojan:EC2-BlackholeTraffic!DNS |
|
TTPs/Command and Control/Trojan:EC2-DGADomainRequest.B |
|
TTPs/Command and Control/Trojan:EC2-DGADomainRequest.C!DNS |
|
TTPs/Command and Control/Trojan:EC2-DNSDataExfiltration |
|
TTPs/Initial Access/Trojan:EC2-DriveBySourceTraffic!DNS |
|
Effects/Data Exfiltration/Trojan:EC2-DropPoint |
|
Effects/Data Exfiltration/Trojan:EC2-DropPoint!DNS |
|
TTPs/Command and Control/Trojan:EC2-PhishingDomainRequest!DNS |
|
TTPs/Command and Control/Trojan:Lambda-BlackholeTraffic |
|
Effects/Data Exfiltration/Trojan:Lambda-DropPoint |
|
TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic |
|
TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic!DNS |
|
TTPs/Command and Control/Trojan:Runtime-DGADomainRequest.C!DNS |
|
TTPs/Initial Access/Trojan:Runtime-DriveBySourceTraffic!DNS |
|
Effects/Data Exfiltration/Trojan:Runtime-DropPoint |
|
Effects/Data Exfiltration/Trojan:Runtime-DropPoint!DNS |
|
TTPs/Command and Control/Trojan:Runtime-PhishingDomainRequest!DNS |
|
TTPs/Command and Control/UnauthorizedAccess:EC2-MaliciousIPCaller.Custom |
|
TTPs/UnauthorizedAccess:EC2-MetadataDNSRebind |
|
TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce |
|
TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce |
|
Effects/Resource Consumption/UnauthorizedAccess:EC2-TorClient |
|
Effects/Resource Consumption/UnauthorizedAccess:EC2-TorRelay |
|
Unusual Behaviors/User/UnauthorizedAccess:IAMUser-ConsoleLogin |
|
TTPs/UnauthorizedAccess:IAMUser-ConsoleLoginSuccess.B |
|
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.InsideAWS |
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.OutsideAWS |
TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller |
|
TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom |
|
TTPs/Command and Control/UnauthorizedAccess:IAMUser-TorIPCaller |
|
TTPs/Command and Control/UnauthorizedAccess:Lambda-MaliciousIPCaller.Custom |
|
Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorClient |
|
Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorRelay |
|
TTPs/UnauthorizedAccess:Runtime-MetadataDNSRebind |
|
Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorRelay |
|
Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorClient |
|
TTPs/UnauthorizedAccess:S3-MaliciousIPCaller.Custom |
|
TTPs/UnauthorizedAccess:S3-TorIPCaller |
Typical finding from GuardDuty
GuardDuty sends findings to Security Hub using the AWS Security Finding Format (ASFF).
Here is an example of a typical finding from GuardDuty.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea", "ProductArn": "arn:aws:securityhub:us-east-1:product/aws/guardduty", "GeneratorId": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64", "AwsAccountId": "193043430472", "Types": [ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce" ], "FirstObservedAt": "2020-08-22T09:15:57Z", "LastObservedAt": "2020-09-30T11:56:49Z", "CreatedAt": "2020-08-22T09:34:34.146Z", "UpdatedAt": "2020-09-30T12:14:00.206Z", "Severity": { "Product": 2, "Label": "MEDIUM", "Normalized": 40 }, "Title": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356.", "Description": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=46ba0ac2845071e23ccdeb2ae03bfdea", "ProductFields": { "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown", "aws/guardduty/service/archived": "false", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "CENTURYLINK-US-LEGACY-QWEST", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.5122", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "-90.7384", "aws/guardduty/service/action/networkConnectionAction/blocked": "false", "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "46717", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "United States", "aws/guardduty/service/serviceName": "guardduty", "aws/guardduty/service/evidence": "", "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "172.31.43.6", "aws/guardduty/service/detectorId": "d4b040365221be2b54a6264dc9a4bc64", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "CenturyLink", "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND", "aws/guardduty/service/eventFirstSeen": "2020-08-22T09:15:57Z", "aws/guardduty/service/eventLastSeen": "2020-09-30T11:56:49Z", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH", "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Dubuque", "aws/guardduty/service/additionalInfo": "", "aws/guardduty/service/resourceRole": "TARGET", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22", "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP", "aws/guardduty/service/count": "74", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "209", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "CenturyLink", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/CompanyName": "Amazon" }, "Resources": [ { "Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356", "Partition": "aws", "Region": "us-east-1", "Tags": { "Name": "kubectl" }, "Details": { "AwsEc2Instance": { "Type": "t2.micro", "ImageId": "ami-02354e95b39ca8dec", "IpV4Addresses": [ "18.234.130.16", "172.31.43.6" ], "VpcId": "vpc-a0c2d7c7", "SubnetId": "subnet-4975b475", "LaunchedAt": "2020-08-03T23:21:57Z" } } } ], "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE" }
Enabling and configuring the integration
To use the integration with AWS Security Hub, you must enable Security Hub. For information on how to enable Security Hub, see Setting up Security Hub in the AWS Security Hub User Guide.
When you enable both GuardDuty and Security Hub, the integration is enabled automatically. GuardDuty immediately begins to send findings to Security Hub.
Using GuardDuty controls in Security Hub
AWS Security Hub uses security controls to evaluate your AWS resources, and check your compliance against security industry standards and best practices. You can use the controls related to GuardDuty resources and selected protection plans. For more information, see Amazon GuardDuty controls in the AWS Security Hub User Guide.
For a list of all the controls across AWS services and resources, see Security Hub controls reference in the AWS Security Hub User Guide.
Stopping the publication of findings to Security Hub
To stop sending findings to Security Hub, you can use either the Security Hub console or the API.
See Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.