Security Hub event types in EventBridge
Security Hub uses the following Amazon EventBridge event types to integrate with EventBridge.
On the EventBridge dashboard for Security Hub, All Events includes all of these event types.
All findings (Security Hub Findings - Imported)
Security Hub automatically sends all new findings and all updates to existing findings to EventBridge as Security Hub Findings - Imported events. Each Security Hub Findings - Imported event contains a single finding.
Every BatchImportFindings and BatchUpdateFindings request triggers Security Hub Findings - Imported events, one event per finding that the request creates or updates.
For administrator accounts, the event feed in EventBridge includes events for findings from both their account and from their member accounts.
In an aggregation Region, the event feed includes events for findings from the aggregation Region and the linked Regions. Cross-Region findings are included in the event feed in near real time. For information on how to configure finding aggregation, see Understanding cross-Region aggregation in Security Hub.
You can define rules in EventBridge that automatically route findings to a remediation workflow, third-party tool, or other supported EventBridge target. A rule's event pattern can filter on finding attributes (for example, the severity label, workflow status, or record state) so that the rule matches only findings that have specific values.
Use this method to automatically send all findings, or all findings that have specific characteristics, to a response or remediation workflow.
See Configuring an EventBridge rule for Security Hub findings.
Findings for custom actions (Security Hub Findings - Custom Action)
Security Hub also sends findings that are associated with custom actions to EventBridge as Security Hub Findings - Custom Action events.
This is useful for analysts working with the Security Hub console who want to send a specific finding, or a small set of findings, to a response or remediation workflow. You can select a custom action for up to 20 findings at a time. Each finding is sent to EventBridge as a separate EventBridge event.
When you create a custom action, you assign it a custom action ID. Security Hub derives the custom action ARN from that ID, and the ARN appears in the resources field of each Security Hub Findings - Custom Action event. You can use that ARN in an EventBridge rule's event pattern so the rule takes a specified action after receiving a finding that is associated with that custom action.
See Using custom actions to send findings and insight results to EventBridge.
For example, you can create a custom action in Security Hub called send_to_ticketing. Then in EventBridge, you create a rule that is triggered when EventBridge receives a finding that includes the send_to_ticketing custom action ID. The rule includes logic to send the finding to your ticketing system. You can then select findings within Security Hub and use the custom action in Security Hub to manually send findings to your ticketing system.
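The following is an added example, not code from this page or from AWS: a small Python model of how EventBridge evaluates the two rule types described above (a filtered rule over Security Hub Findings - Imported events, and a rule keyed on the send_to_ticketing custom action ARN). It implements only the subset of EventBridge matching semantics those rules rely on: exact string alternatives, nested objects, arrays that match when any element matches, and the "prefix" content filter. The account ID, Region, finding IDs and target names are placeholders, and the sample events are constructed to mirror the documented event shape (detail.findings carrying a single ASFF finding, the custom action ARN in resources) with most ASFF fields omitted.

```python
"""Model of EventBridge event-pattern matching for Security Hub events.

Added example (hypothetical, not AWS code). Implements the subset of
EventBridge pattern semantics used by rules on Security Hub findings.
"""
from __future__ import annotations

from typing import Any

SAMPLE_ACCOUNT = "111122223333"  # constructed placeholder account
SAMPLE_REGION = "us-east-1"      # constructed placeholder Region


def _match_value(pattern: Any, value: Any) -> bool:
    """True if `value` satisfies `pattern` under EventBridge matching rules."""
    if isinstance(value, list) and not isinstance(pattern, list):
        # Event field is an array (detail.findings, resources): the pattern
        # matches if any element of the array matches it.
        return any(_match_value(pattern, v) for v in value)
    if isinstance(pattern, dict):
        if len(pattern) == 1 and "prefix" in pattern:
            # Content filter {"prefix": "..."} against a string value.
            return isinstance(value, str) and value.startswith(pattern["prefix"])
        # Nested object: every key in the pattern must exist and match.
        return isinstance(value, dict) and all(
            k in value and _match_value(p, value[k]) for k, p in pattern.items()
        )
    if isinstance(pattern, list):
        # A list of alternatives; an array value matches if any element does.
        if isinstance(value, list):
            return any(_match_value(pattern, v) for v in value)
        return any(
            _match_value(alt, value) if isinstance(alt, dict) else alt == value
            for alt in pattern
        )
    return pattern == value


def matches(pattern: dict, event: dict) -> bool:
    """Evaluate an EventBridge event pattern against an event."""
    return _match_value(pattern, event)


def custom_action_arn(action_id: str) -> str:
    """ARN Security Hub places in `resources` for a custom action event."""
    return f"arn:aws:securityhub:{SAMPLE_REGION}:{SAMPLE_ACCOUNT}:action/custom/{action_id}"


# Rule 1: every new, active HIGH or CRITICAL finding from the Imported feed.
HIGH_SEVERITY_NEW = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
            "RecordState": ["ACTIVE"],
        }
    },
}

# Rule 2: findings an analyst sent via the send_to_ticketing custom action.
SEND_TO_TICKETING = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [custom_action_arn("send_to_ticketing")],
}

# Hypothetical target names for each rule.
RULES = [("page-oncall", HIGH_SEVERITY_NEW), ("ticketing", SEND_TO_TICKETING)]


def route(event: dict) -> list[str]:
    """Return the targets whose rule pattern matches the event."""
    return [target for target, pattern in RULES if matches(pattern, event)]


def make_finding(severity: str, status: str) -> dict:
    """Constructed, minimal ASFF-shaped finding (real findings carry many more fields)."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": "example-finding-0001",
        "ProductArn": f"arn:aws:securityhub:{SAMPLE_REGION}::product/aws/securityhub",
        "AwsAccountId": SAMPLE_ACCOUNT,
        "Severity": {"Label": severity},
        "Workflow": {"Status": status},
        "RecordState": "ACTIVE",
    }


def imported_event(finding: dict) -> dict:
    """Constructed Security Hub Findings - Imported event (one finding per event)."""
    return {
        "version": "0",
        "detail-type": "Security Hub Findings - Imported",
        "source": "aws.securityhub",
        "account": SAMPLE_ACCOUNT,
        "region": SAMPLE_REGION,
        "resources": [finding["ProductArn"]],
        "detail": {"findings": [finding]},
    }


def custom_action_event(action_id: str, finding: dict) -> dict:
    """Constructed Security Hub Findings - Custom Action event for one finding."""
    return {
        "version": "0",
        "detail-type": "Security Hub Findings - Custom Action",
        "source": "aws.securityhub",
        "account": SAMPLE_ACCOUNT,
        "region": SAMPLE_REGION,
        "resources": [custom_action_arn(action_id)],
        "detail": {"actionName": action_id, "findings": [finding]},
    }


if __name__ == "__main__":
    print(route(imported_event(make_finding("CRITICAL", "NEW"))))      # ['page-oncall']
    print(route(custom_action_event("send_to_ticketing", make_finding("LOW", "NEW"))))  # ['ticketing']
```

The point of the two rules is the difference in what they key on: the Imported rule filters on attributes inside detail.findings, so a finding that later moves out of Workflow.Status NEW (or drops to LOW severity) stops matching, while the custom action rule ignores the finding's content entirely and matches on the custom action ARN in resources, so anything an analyst sends through that action reaches the target regardless of severity.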
For examples of how to send Security Hub findings to EventBridge for further processing, see How to Integrate AWS Security Hub Custom Actions with PagerDuty.
Insight results for custom actions (Security Hub Insight Results)
You can also use custom actions to send sets of insight results to EventBridge as Security Hub Insight Results events. Insight results are the resources that match an insight. Note that when you send insight results to EventBridge, you are not sending the findings to EventBridge. You are only sending the resource identifiers that are associated with the insight results, so a target that needs finding details must look them up itself (for example, with GetFindings). You can send up to 100 resource identifiers at a time.
Similar to custom actions for findings, you first create the custom action in Security Hub, and then create a rule in EventBridge.
See Using custom actions to send findings and insight results to EventBridge.
For example, suppose you see a particular insight result of interest that you want to share with a colleague. In that case, you can use a custom action to send that insight result to the colleague through a chat or ticketing system.