As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
Integrando com AWS Security Hub
O AWS Security Hub fornece uma visão abrangente do estado de segurança na AWS e ajuda a verificar o ambiente em relação aos padrões e às práticas recomendadas do setor de segurança. O Security Hub coleta dados de segurança de várias AWS contas, serviços e produtos de parceiros terceirizados compatíveis e ajuda você a analisar suas tendências de segurança e identificar os problemas de segurança de maior prioridade.
A GuardDuty integração da Amazon com o Security Hub permite que você envie descobertas GuardDuty para o Security Hub. O Security Hub pode então incluir tais descobertas na análise feita sobre a seu procedimento de segurança.
Sumário
Como a Amazon GuardDuty envia descobertas para AWS Security Hub
Em AWS Security Hub, os problemas de segurança são rastreados como descobertas. Algumas descobertas vêm de problemas detectados por outros AWS serviços ou por parceiros terceirizados. O Security Hub também tem um conjunto de regras que ele usa para detectar problemas de segurança e gerar descobertas.
O Security Hub fornece ferramentas para gerenciar descobertas em todas essas fontes. Você pode exibir e filtrar listas de descobertas e exibir detalhes de uma descoberta. Para obter mais informações, consulte Visualizar descobertas no Guia do usuário do AWS Security Hub . Você também pode rastrear o status de uma investigação em uma descoberta. Para obter mais informações, consulte Tomar medidas sobre descobertas no Manual do usuário do AWS Security Hub .
Todas as descobertas no Security Hub usam um JSON formato padrão chamado AWS Security Finding Format (ASFF). ASFFIsso inclui detalhes sobre a origem do problema, os recursos afetados e o status atual da descoberta. Consulte Formato AWS de descoberta de segurança (ASFF) no Guia AWS Security Hub do usuário.
A Amazon GuardDuty é um dos AWS serviços que envia descobertas para o Security Hub.
Tipos de descobertas que são GuardDuty enviadas ao Security Hub
Depois de ativar o GuardDuty Security Hub na mesma conta dentro da mesma Região da AWS, GuardDuty começa a enviar todas as descobertas geradas para o Security Hub. Essas descobertas são enviadas ao Security Hub usando o AWS
Security Finding Format (ASFF). EmASFF, o Types
campo fornece o tipo de descoberta.
Latência para envio de novas descobertas
Quando GuardDuty cria uma nova descoberta, ela geralmente é enviada ao Security Hub em cinco minutos.
Tentar novamente quando o Security Hub não estiver disponível
Se o Security Hub não estiver disponível, GuardDuty tente enviar novamente as descobertas até que elas sejam recebidas.
Atualizar as descobertas do existentes no Security Hub
Depois de enviar uma descoberta para o Security Hub, GuardDuty envia atualizações para refletir observações adicionais da atividade de descoberta para o Security Hub. As novas observações dessas descobertas são enviadas ao Security Hub com base nas Etapa 5 — Frequência de exportação dos resultados configurações do seu Conta da AWS.
Quando você arquiva ou desarquiva uma descoberta, GuardDuty não a envia para o Security Hub. Qualquer descoberta desarquivada manualmente que posteriormente se torne ativa não GuardDuty é enviada para o Security Hub.
Visualizando GuardDuty descobertas em AWS Security Hub
Para ver suas GuardDuty descobertas no Security Hub, selecione Ver descobertas na Amazon na página GuardDuty de resumo. Como alternativa, você pode selecionar Descobertas no painel de navegação e filtrar as descobertas para exibir somente GuardDuty as descobertas selecionando o campo Nome do produto: com um valor deGuardDuty
.
Interpretando GuardDuty encontrar nomes em AWS Security Hub
GuardDuty envia as descobertas para o Security Hub usando o AWS
Security Finding Format (ASFF). EmASFF, o Types
campo fornece o tipo de descoberta. ASFFos tipos usam um esquema de nomenclatura diferente dos GuardDuty tipos. A tabela abaixo detalha todos os tipos de GuardDuty descobertas com seus ASFF equivalentes conforme aparecem no Security Hub.
nota
Para alguns tipos de GuardDuty descoberta, o Security Hub atribui nomes de ASFF descoberta diferentes, dependendo se a função de recurso do detalhe da descoberta era ACTORou TARGET. Para ter mais informações, consulte Detalhes da descoberta.
GuardDuty tipo de descoberta |
ASFFtipo de descoberta |
---|---|
TTPs/Command and Control/Backdoor:EC2-C&CActivity.B |
|
TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts |
|
TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol |
|
TTPs/Command and Control/Backdoor:EC2-Spambot |
|
Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual |
|
Unusual Behaviors/VM/Behavior:EC2-TrafficVolumeUnusual |
|
TTPs/Command and Control/Backdoor:Lambda-C&CActivity.B |
|
TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B |
|
TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B!DNS |
|
TTPs/Credential Access/IAMUser-AnomalousBehavior |
|
CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed |
TTPs/AnomalousBehavior/CredentialAccess:Kubernetes-SecretsAccessed |
CredentialAccess:Kubernetes/MaliciousIPCaller |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller |
CredentialAccess:Kubernetes/MaliciousIPCaller.Custom |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller.Custom |
CredentialAccess:Kubernetes/SuccessfulAnonymousAccess |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-SuccessfulAnonymousAccess |
CredentialAccess:Kubernetes/TorIPCaller |
TTPs/CredentialAccess/CredentialAccess:Kubernetes-TorIPCaller |
TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.FailedLogin |
|
TTPs/Credential Access/RDS-AnomalousBehavior.SuccessfulBruteForce |
|
TTPs/Credential Access/RDS-AnomalousBehavior.SuccessfulLogin |
|
TTPs/Credential Access/RDS-MaliciousIPCaller.FailedLogin |
|
TTPs/Credential Access/RDS-MaliciousIPCaller.SuccessfulLogin |
|
TTPs/Credential Access/RDS-TorIPCaller.FailedLogin |
|
TTPs/Credential Access/RDS-TorIPCaller.SuccessfulLogin |
|
TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B |
|
TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS |
|
TTPs/Command and Control/CryptoCurrency:Lambda-BitcoinTool.B Effects/Resource Consumption/CryptoCurrency:Lambda-BitcoinTool.B |
|
TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B |
|
TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B!DNS |
|
TTPs/DefenseEvasion/EC2:Unusual-DNS-Resolver |
|
TTPs/DefenseEvasion/EC2:Unusual-DoH-Activity |
|
TTPs/DefenseEvasion/EC2:Unusual-DoT-Activity |
|
TTPs/Defense Evasion/IAMUser-AnomalousBehavior |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-TorIPCaller |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-FilelessExecution |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Proc |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Ptrace |
|
TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.VirtualMemoryWrite |
|
TTPs/DefenseEvasion/DefenseEvasion:Runtime-PtraceAntiDebugging |
|
TTPs/DefenseEvasion/DefenseEvasion:Runtime-SuspiciousCommand |
|
TTPs/Discovery/IAMUser-AnomalousBehavior |
|
TTPs/AnomalousBehavior/Discovery:Kubernetes-PermissionChecked |
|
TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller |
|
TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/Discovery/Discovery:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/Discovery/Discovery:Kubernetes-TorIPCaller |
|
TTPs/Discovery/RDS-MaliciousIPCaller |
|
TTPs/Discovery/RDS-TorIPCaller |
|
TTPs/Discovery:S3-AnomalousBehavior |
|
TTPs/Discovery:S3-BucketEnumeration.Unusual |
|
TTPs/Discovery:S3-MaliciousIPCaller.Custom |
|
TTPs/Discovery:S3-TorIPCaller |
|
TTPs/Discovery:S3-MaliciousIPCaller |
|
Exfiltration:IAMUser/AnomalousBehavior |
TTPs/Exfiltration/IAMUser-AnomalousBehavior |
Execution:Kubernetes/ExecInKubeSystemPod |
TTPs/Execution/Execution:Kubernetes-ExecInKubeSystemPod |
TTPs/AnomalousBehavior/Execution:Kubernetes-ExecInPod |
|
TTPs/AnomalousBehavior/Execution:Kubernetes-WorkloadDeployed |
|
TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller |
|
TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/Impact/Impact:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/Impact/Impact:Kubernetes-TorIPCaller |
|
TTPs/Persistence/Persistence:Kubernetes-ContainerWithSensitiveMount |
|
Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount |
TTPs/AnomalousBehavior/Persistence:Kubernetes-WorkloadDeployed!ContainerWithSensitiveMount |
PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-WorkloadDeployed!PrivilegedContainer |
TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller |
|
TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller.Custom |
|
TTPs/Persistence/Persistence:Kubernetes-SuccessfulAnonymousAccess |
|
TTPs/Persistence/Persistence:Kubernetes-TorIPCaller |
|
TTPs/Execution/Execution:EC2-MaliciousFile |
|
TTPs/Execution/Execution:ECS-MaliciousFile |
|
TTPs/Execution/Execution:Kubernetes-MaliciousFile |
|
TTPs/Execution/Execution:Container-MaliciousFile |
|
TTPs/Execution/Execution:EC2-SuspiciousFile |
|
TTPs/Execution/Execution:ECS-SuspiciousFile |
|
TTPs/Execution/Execution:Kubernetes-SuspiciousFile |
|
TTPs/Execution/Execution:Container-SuspiciousFile |
|
TTPs/Execution/Execution:Runtime-MaliciousFileExecuted |
|
TTPs/Execution/Execution:Runtime-NewBinaryExecuted |
|
TTPs/Execution/Execution:Runtime-NewLibraryLoaded |
|
TTPs/Execution/Execution:Runtime-ReverseShell |
|
TTPs/Execution/Execution:Runtime-SuspiciousCommand |
|
TTPs/Execution/Execution:Runtime-SuspiciousShellCreated |
|
TTPs/Execution/Execution:Runtime-SuspiciousTool |
|
TTPs/Exfiltration:S3-AnomalousBehavior |
|
TTPs/Exfiltration:S3-ObjectRead.Unusual |
|
TTPs/Exfiltration:S3-MaliciousIPCaller |
|
TTPs/Impact:EC2-AbusedDomainRequest.Reputation |
|
TTPs/Impact:EC2-BitcoinDomainRequest.Reputation |
|
TTPs/Impact:EC2-MaliciousDomainRequest.Reputation |
|
TTPs/Impact/Impact:EC2-PortSweep |
|
TTPs/Impact:EC2-SuspiciousDomainRequest.Reputation |
|
TTPs/Impact/Impact:EC2-WinRMBruteForce |
|
TTPs/Impact/IAMUser-AnomalousBehavior |
|
TTPs/Impact/Impact:Runtime-AbusedDomainRequest.Reputation |
|
TTPs/Impact/Impact:Runtime-BitcoinDomainRequest.Reputation |
|
TTPs/Impact/Impact:Runtime-CryptoMinerExecuted |
|
TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation |
|
TTPs/Impact/Impact:Runtime-SuspiciousDomainRequest.Reputatio |
|
TTPs/Impact:S3-AnomalousBehavior.Delete |
|
TTPs/Impact:S3-AnomalousBehavior.Permission |
|
TTPs/Impact:S3-AnomalousBehavior.Write |
|
TTPs/Impact:S3-ObjectDelete.Unusual |
|
TTPs/Impact:S3-PermissionsModification.Unusual |
|
TTPs/Impact:S3-MaliciousIPCaller |
|
TTPs/Initial Access/IAMUser-AnomalousBehavior |
|
TTPs/Object/Object:S3-MaliciousFile |
|
TTPs/PenTest:IAMUser/KaliLinux |
|
TTPs/PenTest:IAMUser/ParrotLinux |
|
TTPs/PenTest:IAMUser/PentooLinux |
|
TTPs/PenTest:S3-KaliLinux |
|
TTPs/PenTest:S3-ParrotLinux |
|
TTPs/PenTest:S3-PentooLinux |
|
TTPs/Persistence/IAMUser-AnomalousBehavior | |
TTPs/Persistence/Persistence:IAMUser-NetworkPermissions |
|
TTPs/Persistence/Persistence:IAMUser-ResourcePermissions |
|
TTPs/Persistence/Persistence:IAMUser-UserPermissions |
|
TTPs/Policy:IAMUser-RootCredentialUsage |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AdminAccessToDefaultServiceAccount |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AnonymousAccessGranted |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-ExposedDashboard |
|
Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-KubeflowDashboardExposed |
|
TTPs/Policy:S3-AccountBlockPublicAccessDisabled |
|
TTPs/Policy:S3-BucketAnonymousAccessGranted |
|
Effects/Data Exposure/Policy:S3-BucketBlockPublicAccessDisabled |
|
TTPs/Policy:S3-BucketPublicAccessGranted |
|
TTPs/Privilege Escalation/IAMUser-AnomalousBehavior | |
TTPs/Privilege Escalation/PrivilegeEscalation:IAMUser-AdministrativePermissions |
|
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleBindingCreated |
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated |
TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleCreated |
TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ContainerMountsHostDirectory |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-CGroupsReleaseAgentModified |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-DockerSocketAccessed |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ElevationToRoot |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-RuncContainerEscape |
|
TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-UserfaultfdUsage |
|
TTPs/Discovery/Recon:EC2-PortProbeEMRUnprotectedPort |
|
TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort |
|
TTPs/Discovery/Recon:EC2-Portscan |
|
TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller |
|
TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller.Custom |
|
TTPs/Discovery/Recon:IAMUser-NetworkPermissions |
|
TTPs/Discovery/Recon:IAMUser-ResourcePermissions |
|
TTPs/Discovery/Recon:IAMUser-TorIPCaller |
|
TTPs/Discovery/Recon:IAMUser-UserPermissions |
|
Unusual Behaviors/User/ResourceConsumption:IAMUser-ComputeResources |
|
TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled |
|
TTPs/Defense Evasion/Stealth:IAMUser-LoggingConfigurationModified |
|
TTPs/Defense Evasion/Stealth:IAMUser-PasswordPolicyChange |
|
TTPs/Defense Evasion/Stealth:S3-ServerAccessLoggingDisabled |
|
TTPs/Command and Control/Trojan:EC2-BlackholeTraffic |
|
TTPs/Command and Control/Trojan:EC2-BlackholeTraffic!DNS |
|
TTPs/Command and Control/Trojan:EC2-DGADomainRequest.B |
|
TTPs/Command and Control/Trojan:EC2-DGADomainRequest.C!DNS |
|
TTPs/Command and Control/Trojan:EC2-DNSDataExfiltration |
|
TTPs/Initial Access/Trojan:EC2-DriveBySourceTraffic!DNS |
|
Effects/Data Exfiltration/Trojan:EC2-DropPoint |
|
Effects/Data Exfiltration/Trojan:EC2-DropPoint!DNS |
|
TTPs/Command and Control/Trojan:EC2-PhishingDomainRequest!DNS |
|
TTPs/Command and Control/Trojan:Lambda-BlackholeTraffic |
|
Effects/Data Exfiltration/Trojan:Lambda-DropPoint |
|
TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic |
|
TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic!DNS |
|
TTPs/Command and Control/Trojan:Runtime-DGADomainRequest.C!DNS |
|
TTPs/Initial Access/Trojan:Runtime-DriveBySourceTraffic!DNS |
|
Effects/Data Exfiltration/Trojan:Runtime-DropPoint |
|
Effects/Data Exfiltration/Trojan:Runtime-DropPoint!DNS |
|
TTPs/Command and Control/Trojan:Runtime-PhishingDomainRequest!DNS |
|
TTPs/Command and Control/UnauthorizedAccess:EC2-MaliciousIPCaller.Custom |
|
TTPs/UnauthorizedAccess:EC2-MetadataDNSRebind |
|
TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce |
|
TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce |
|
Effects/Resource Consumption/UnauthorizedAccess:EC2-TorClient |
|
Effects/Resource Consumption/UnauthorizedAccess:EC2-TorRelay |
|
Unusual Behaviors/User/UnauthorizedAccess:IAMUser-ConsoleLogin |
|
TTPs/UnauthorizedAccess:IAMUser-ConsoleLoginSuccess.B |
|
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.InsideAWS |
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS |
Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.OutsideAWS |
TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller |
|
TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom |
|
TTPs/Command and Control/UnauthorizedAccess:IAMUser-TorIPCaller |
|
TTPs/Command and Control/UnauthorizedAccess:Lambda-MaliciousIPCaller.Custom |
|
Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorClient |
|
Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorRelay |
|
TTPs/UnauthorizedAccess:Runtime-MetadataDNSRebind |
|
Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorRelay |
|
Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorClient |
|
TTPs/UnauthorizedAccess:S3-MaliciousIPCaller.Custom |
|
TTPs/UnauthorizedAccess:S3-TorIPCaller |
Descoberta típica do GuardDuty
GuardDuty envia descobertas para o Security Hub usando o AWS Security Finding Format (ASFF).
Aqui está um exemplo de uma descoberta típica de GuardDuty.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws::guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea", "ProductArn": "arn:aws::securityhub:us-east-1:product/aws/guardduty", "GeneratorId": "arn:aws::guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64", "AwsAccountId": "193043430472", "Types": [ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce" ], "FirstObservedAt": "2020-08-22T09:15:57Z", "LastObservedAt": "2020-09-30T11:56:49Z", "CreatedAt": "2020-08-22T09:34:34.146Z", "UpdatedAt": "2020-09-30T12:14:00.206Z", "Severity": { "Product": 2, "Label": "MEDIUM", "Normalized": 40 }, "Title": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356.", "Description": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=46ba0ac2845071e23ccdeb2ae03bfdea", "ProductFields": { "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown", "aws/guardduty/service/archived": "false", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "CENTURYLINK-US-LEGACY-QWEST", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.5122", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "-90.7384", "aws/guardduty/service/action/networkConnectionAction/blocked": "false", "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "46717", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "United States", "aws/guardduty/service/serviceName": "guardduty", "aws/guardduty/service/evidence": "", "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "172.31.43.6", "aws/guardduty/service/detectorId": "d4b040365221be2b54a6264dc9a4bc64", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "CenturyLink", "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND", "aws/guardduty/service/eventFirstSeen": "2020-08-22T09:15:57Z", "aws/guardduty/service/eventLastSeen": "2020-09-30T11:56:49Z", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH", "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Dubuque", "aws/guardduty/service/additionalInfo": "", "aws/guardduty/service/resourceRole": "TARGET", "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22", "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP", "aws/guardduty/service/count": "74", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "209", "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "CenturyLink", "aws/securityhub/FindingId": "arn:aws::securityhub:us-east-1::product/aws/guardduty/arn:aws::guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/CompanyName": "Amazon" }, "Resources": [ { "Type": "AwsEc2Instance", "Id": "arn:aws::ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356", "Partition": "aws", "Region": "us-east-1", "Tags": { "Name": "kubectl" }, "Details": { "AwsEc2Instance": { "Type": "t2.micro", "ImageId": "ami-02354e95b39ca8dec", "IpV4Addresses": [ "18.234.130.16", "172.31.43.6" ], "VpcId": "vpc-a0c2d7c7", "SubnetId": "subnet-4975b475", "LaunchedAt": "2020-08-03T23:21:57Z" } } } ], "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE" }
Habilitar e configurar a integração
Para usar a integração com AWS Security Hub, você deve habilitar o Security Hub. Para obter informações sobre como habilitar o Security Hub, consulte Configurar o Security Hub no Guia do usuário AWS Security Hub .
Quando você ativa o Security Hub GuardDuty e o Security Hub, a integração é ativada automaticamente. GuardDutyimediatamente começa a enviar as descobertas para o Security Hub.
Usando GuardDuty controles no Security Hub
AWS Security Hub usa controles de segurança para avaliar seus AWS recursos e verificar sua conformidade com os padrões e as melhores práticas do setor de segurança. Você pode usar os controles relacionados aos GuardDuty recursos e aos planos de proteção selecionados. Para obter mais informações, consulte GuardDuty os controles da Amazon no Guia AWS Security Hub do usuário.
Para obter uma lista de todos os controles entre AWS serviços e recursos, consulte a referência de controles do Security Hub no Guia AWS Security Hub do Usuário.
Interromper a publicação de descobertas no Security Hub da
Para parar de enviar descobertas para o Security Hub, você pode usar o console do Security Hub ou API o.
Consulte Desabilitar e habilitar o fluxo de descobertas de uma integração (console) ou Desabilitar o fluxo de descobertas de uma integração (Security HubAPI, AWS CLI) no Guia do AWS Security Hub Usuário.