Security team example: Creating a Security Hub automation rule - AWS Prescriptive Guidance

Security team example: Creating a Security Hub automation rule

The security team receives findings related to threat detection, including Amazon GuardDuty findings. For a complete list of GuardDuty finding types that are categorized by AWS resource type, see Finding types in the GuardDuty documentation. Security teams must be familiar with all of these finding types.

For this example, the security team has accepted the risk associated with security findings in an AWS account that is used strictly for learning purposes and holds no important or sensitive data. The name of this account is sandbox, and the account ID is 123456789012. The security team can create an AWS Security Hub automation rule that suppresses all GuardDuty findings from this account. They can either create a rule from a template, which covers many common use cases, or they can create a custom rule. Before saving the rule in the Security Hub console, we recommend previewing the findings that match the criteria to confirm that the rule captures only the intended findings and not, for example, findings from other accounts or from other products.

Note

This example highlights the functionality of automation rules. We don't recommend suppressing all GuardDuty findings for an account. Context matters, and each organization must choose which findings to suppress based on data type, classification, and mitigation controls.

The following are the parameters used to create this automation rule. A finding must match every criterion for the automated action to be applied:

  • Rule:

    • Rule name is Suppress findings from Sandbox account

    • Rule description is Date: 06/25/23 Authored by: John Doe Reason: Suppress GuardDuty findings from the sandbox account

  • Criteria:

    • AwsAccountId = 123456789012

    • ProductName = GuardDuty

    • WorkflowStatus = NEW

    • RecordState = ACTIVE

  • Automated action:

    • Workflow.status is SUPPRESSED
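The rule above expressed as an API request, together with an offline dry run of its criteria against sample findings. This is an added example and not code from AWS Prescriptive Guidance: the request body follows the shape boto3's securityhub.create_automation_rule accepts, the RuleOrder and RuleStatus values are assumptions because the page does not state them, and the sample findings are constructed for the walkthrough. The preview() function is a local stand-in for the console's preview step: it applies the same all-fields-must-match logic Security Hub uses (EQUALS and PREFIX only, which is all this rule needs) so you can see which findings would be suppressed before the rule exists.

```python
"""Build the 'Suppress findings from Sandbox account' automation rule and
dry-run its criteria against constructed ASFF findings before creating it."""
import json

SANDBOX_ACCOUNT_ID = "123456789012"

# Request body for securityhub.create_automation_rule(**RULE).
# RuleOrder and RuleStatus are required by the API; the values are assumptions.
RULE = {
    "RuleName": "Suppress findings from Sandbox account",
    "Description": ("Date: 06/25/23 Authored by: John Doe "
                    "Reason: Suppress GuardDuty findings from the sandbox account"),
    "RuleOrder": 1,           # assumption: evaluated before other rules
    "RuleStatus": "ENABLED",  # assumption
    "IsTerminal": False,      # let later rules still see these findings
    "Criteria": {
        "AwsAccountId": [{"Value": SANDBOX_ACCOUNT_ID, "Comparison": "EQUALS"}],
        "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}},
    }],
}

# Where each criteria field lives in an ASFF finding document.
_FIELD_PATHS = {
    "AwsAccountId": ("AwsAccountId",),
    "ProductName": ("ProductName",),
    "WorkflowStatus": ("Workflow", "Status"),
    "RecordState": ("RecordState",),
}


def _get(finding, path):
    """Walk a nested key path; None when any key is missing."""
    cur = finding
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _field_matches(actual, filters):
    """Filters within one field are ORed; only EQUALS/PREFIX are modelled here."""
    for f in filters:
        if f["Comparison"] == "EQUALS" and actual == f["Value"]:
            return True
        if f["Comparison"] == "PREFIX" and isinstance(actual, str) \
                and actual.startswith(f["Value"]):
            return True
    return False


def matches(finding, criteria=RULE["Criteria"]):
    """True only when every criteria field matches (fields are ANDed)."""
    return all(_field_matches(_get(finding, _FIELD_PATHS[field]), filters)
               for field, filters in criteria.items())


def preview(findings, criteria=RULE["Criteria"]):
    """IDs of the findings the rule would act on: the local 'preview' step."""
    return [f["Id"] for f in findings if matches(f, criteria)]


def create_rule(client):
    """Create the rule with a boto3 securityhub client; returns the rule ARN."""
    return client.create_automation_rule(**RULE)["RuleArn"]


# Constructed sample findings (minimal ASFF subset), not real data.
SAMPLE_FINDINGS = [
    {"Id": "gd-sandbox-new", "AwsAccountId": SANDBOX_ACCOUNT_ID,
     "ProductName": "GuardDuty", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}},
    {"Id": "gd-prod-new", "AwsAccountId": "111111111111",        # other account
     "ProductName": "GuardDuty", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}},
    {"Id": "gd-sandbox-notified", "AwsAccountId": SANDBOX_ACCOUNT_ID,
     "ProductName": "GuardDuty", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NOTIFIED"}},                         # already triaged
    {"Id": "sh-sandbox-new", "AwsAccountId": SANDBOX_ACCOUNT_ID,
     "ProductName": "Security Hub", "RecordState": "ACTIVE",     # other product
     "Workflow": {"Status": "NEW"}},
    {"Id": "gd-sandbox-archived", "AwsAccountId": SANDBOX_ACCOUNT_ID,
     "ProductName": "GuardDuty", "RecordState": "ARCHIVED",      # no longer active
     "Workflow": {"Status": "NEW"}},
]

if __name__ == "__main__":
    print(json.dumps(RULE, indent=2))
    print("Would suppress:", preview(SAMPLE_FINDINGS))
    # To create it for real: create_rule(boto3.client("securityhub"))
```

Only the first sample finding is suppressed; the others are excluded by a single non-matching field each, which is the property the preview step is meant to confirm. Keeping WorkflowStatus = NEW in the criteria also means findings an analyst has already moved to NOTIFIED are left alone.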

For more information, see Automation rules in the Security Hub documentation. Security teams have many options for investigating and remediating findings for detected threats. For extensive guidance, see the AWS Security Incident Response Guide. We recommend reviewing this guide to confirm that you have established strong incident response processes.