Enabling and managing integrations in Security Hub - AWS Security Hub

Enabling and managing integrations in Security Hub

AWS Security Hub can ingest security findings from several AWS services and supported third-party AWS Partner Network security solutions. These integrations can help you get a comprehensive view of security and compliance across your AWS environment.

Important

From the supported AWS and third-party product integrations, Security Hub receives and consolidates only findings that are generated after you enable Security Hub in your AWS accounts.

The service doesn't retroactively receive and consolidate security findings that were generated before you enabled Security Hub.

The Integrations page of the Security Hub console provides access to available AWS and third-party product integrations. The Security Hub API also has operations for managing integrations.

Note

Integrations might not be available in all AWS Regions. If an integration isn't supported in the current Region, it doesn't appear on the Integrations page.

For a list of integrations that are available in the China Regions and AWS GovCloud (US), see Integrations that are supported in China (Beijing) and China (Ningxia) and Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West).

This section provides information about how to manage built-in AWS service and third-party integrations. You can also integrate custom security products with Security Hub. For information, see Integrating Security Hub with custom products.

Viewing integration options and details

Choose your preferred method, and follow the steps to view a list of integrations in Security Hub or details about a specific integration.

Security Hub console
To view integration options and details (console)
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Integrations.

On the Integrations page, the integrations with other AWS services are listed first, followed by the integrations with third-party products.

For each integration, the Integrations page provides the following information:

  • The name of the company

  • The name of the product

  • A description of the integration

  • The categories that the integration applies to

  • How to enable the integration

  • The current status of the integration

You can filter the list by entering text from the following fields:

  • Company name

  • Product name

  • Integration description

  • Categories

Security Hub API

To view integration options and details (API)

To get a list of integrations, use the DescribeProducts operation. If you're using the AWS CLI, run the describe-products command.

To retrieve details for a specific product integration, provide the integration's Amazon Resource Name (ARN) in the ProductArn field.

For example, the following AWS CLI command retrieves details about the Security Hub integration with 3CORESec. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub describe-products \
    --product-arn "arn:aws:securityhub:us-east-1::product/3coresec/3coresec"

Enabling the flow of findings from an integration

On the Integrations page of the Security Hub console, you can see the required steps to enable each integration.

For most of the integrations with other AWS services, the only required step to enable the integration is to enable the other service. The integration information includes a link to the other service's home page. When you enable the other service, a resource-level permission that allows Security Hub to receive findings from the service is then automatically created and applied.

For third-party product integrations, you may need to purchase the integration from the AWS Marketplace, and then configure the integration. The integration information provides links to complete these tasks.

If more than one version of a product is available in AWS Marketplace, select the version that you want to subscribe to, and then choose Continue to Subscribe. For example, some products offer a standard version and an AWS GovCloud (US) version.

When you enable a product integration, a resource policy is automatically attached to that product subscription. This resource policy defines the permissions that Security Hub needs to receive findings from that product.

After you complete any preliminary steps to enable an integration, you can then disable and re-enable the flow of findings from that integration. On the Integrations page, for integrations that send findings, the Status information indicates whether you are currently accepting findings.

Security Hub console
To enable the flow of findings from an integration (console)
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Integrations.

  3. For integrations that send findings, the Status information indicates whether Security Hub is currently accepting findings from that integration.

  4. Choose Accept findings.

Security Hub API

Use the EnableImportFindingsForProduct operation. If you're using the AWS CLI, run the enable-import-findings-for-product command. To enable Security Hub to receive findings from an integration, you need the product ARN. To obtain the ARNs for the available integrations, use the DescribeProducts operation. If you're using the AWS CLI, run the describe-products command.

For example, the following AWS CLI command enables Security Hub to receive findings from the CrowdStrike Falcon integration. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub enable-import-findings-for-product \
    --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"

Disabling the flow of findings from an integration

Choose your preferred method, and follow the steps to disable the flow of findings from an integration.

Security Hub console
To disable the flow of findings from an integration (console)
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Integrations.

  3. For integrations that send findings, the Status information indicates whether Security Hub is currently accepting findings from that integration.

  4. Choose Stop accepting findings.

Security Hub API

Use the DisableImportFindingsForProduct operation. If you're using the AWS CLI, run the disable-import-findings-for-product command. To disable the flow of findings from an integration, you need the subscription ARN for the enabled integration. To obtain the subscription ARN, use the ListEnabledProductsForImport operation. If you're using the AWS CLI, run the list-enabled-products-for-import command.

For example, the following AWS CLI command disables the flow of findings to Security Hub from the CrowdStrike Falcon integration. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub disable-import-findings-for-product \
    --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
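The three API procedures above (describe-products to list integrations, enable-import-findings-for-product with a product ARN, disable-import-findings-for-product with a subscription ARN) are usually run together when you want an account's integrations to match an approved list. The following script is an added example, not code from this page or from AWS. It works offline on the JSON that the AWS CLI prints for describe-products and list-enabled-products-for-import, reports the same Status the Integrations page shows, and prints the enable and disable commands needed to reach the desired state. The sample JSON is constructed: the 3CORESec and CrowdStrike ARNs are the ones shown on this page, the "example-corp" products and the account ID 123456789012 are hypothetical. Product ARNs and subscription ARNs are matched on their shared company/product tail, and the Region check covers the caveat above that an integration may not be available in the current Region.

```python
"""Reconcile Security Hub product integrations against a desired allow-list.

Works offline on the JSON the AWS CLI prints for
    aws securityhub describe-products --output json
    aws securityhub list-enabled-products-for-import --output json
and emits the enable/disable commands needed to reach the desired state.
"""
import json
import pathlib
import sys

SEND = "SEND_FINDINGS_TO_SECURITY_HUB"  # IntegrationTypes value for products that send findings

# Constructed sample output (not captured from a real account). The 3CORESec and
# CrowdStrike ARNs match the page; the example-corp products are hypothetical.
SAMPLE_PRODUCTS = json.dumps({"Products": [
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/3coresec/3coresec",
     "CompanyName": "3CORESec", "ProductName": "3CORESec", "IntegrationTypes": [SEND]},
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/crowdstrike/crowdstrike-falcon",
     "CompanyName": "CrowdStrike", "ProductName": "CrowdStrike Falcon", "IntegrationTypes": [SEND]},
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/example-corp/legacy-scanner",
     "CompanyName": "Example Corp", "ProductName": "Legacy Scanner", "IntegrationTypes": [SEND]},
    {"ProductArn": "arn:aws:securityhub:us-east-1::product/example-corp/ticketing",
     "CompanyName": "Example Corp", "ProductName": "Ticketing",
     "IntegrationTypes": ["RECEIVE_FINDINGS_FROM_SECURITY_HUB"]},  # consumes findings only
    {"ProductArn": "arn:aws:securityhub:us-west-2::product/3coresec/3coresec",
     "CompanyName": "3CORESec", "ProductName": "3CORESec", "IntegrationTypes": [SEND]},  # other Region
]})

SAMPLE_SUBSCRIPTIONS = json.dumps({"ProductSubscriptions": [
    "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon",
    "arn:aws:securityhub:us-east-1:123456789012:product-subscription/example-corp/legacy-scanner",
]})


def integration_key(arn):
    """'company/product' tail shared by a product ARN and its product-subscription ARN."""
    resource = arn.split(":", 5)[5]  # e.g. product-subscription/crowdstrike/crowdstrike-falcon
    return resource.split("/", 1)[1]


def arn_region(arn):
    return arn.split(":")[3]


def integration_status(products_json, subscriptions_json, region):
    """Map each integration available in `region` to the Status the console shows."""
    enabled = {integration_key(a) for a in json.loads(subscriptions_json)["ProductSubscriptions"]
               if arn_region(a) == region}
    status = {}
    for p in json.loads(products_json)["Products"]:
        if arn_region(p["ProductArn"]) != region:
            continue  # not offered in this Region; it would not appear on the Integrations page
        key = integration_key(p["ProductArn"])
        if SEND not in p.get("IntegrationTypes", []):
            status[key] = "Does not send findings"  # no Accept findings control for these
        elif key in enabled:
            status[key] = "Accepting findings"
        else:
            status[key] = "Not accepting findings"
    return status


def reconcile(products_json, subscriptions_json, desired, region):
    """Return (commands, problems) that move `region` to the desired set of keys.

    Every desired integration that sends findings is enabled; every enabled
    integration not in `desired` is disabled via its subscription ARN.
    """
    products = {integration_key(p["ProductArn"]): p
                for p in json.loads(products_json)["Products"]
                if arn_region(p["ProductArn"]) == region}
    subs = {integration_key(a): a
            for a in json.loads(subscriptions_json)["ProductSubscriptions"]
            if arn_region(a) == region}
    commands, problems = [], []
    for key in sorted(desired):
        p = products.get(key)
        if p is None:
            problems.append(f"{key}: not available in {region}")
        elif SEND not in p.get("IntegrationTypes", []):
            problems.append(f"{key}: does not send findings to Security Hub")
        elif key not in subs:
            commands.append("aws securityhub enable-import-findings-for-product "
                            f"--product-arn \"{p['ProductArn']}\"")
    for key, sub_arn in sorted(subs.items()):
        if key not in desired:
            commands.append("aws securityhub disable-import-findings-for-product "
                            f"--product-subscription-arn \"{sub_arn}\"")
    return commands, problems


def main(argv):
    if len(argv) == 3:  # python3 reconcile.py products.json subscriptions.json
        products = pathlib.Path(argv[1]).read_text()
        subscriptions = pathlib.Path(argv[2]).read_text()
    else:
        products, subscriptions = SAMPLE_PRODUCTS, SAMPLE_SUBSCRIPTIONS
    region = "us-east-1"
    desired = {"3coresec/3coresec", "crowdstrike/crowdstrike-falcon",
               "example-corp/ticketing", "example-corp/not-in-region"}
    for key, state in sorted(integration_status(products, subscriptions, region).items()):
        print(f"{state:24} {key}")
    commands, problems = reconcile(products, subscriptions, desired, region)
    print("\n".join(commands))
    for problem in problems:
        print("WARNING:", problem, file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the two JSON files captured from the CLI, or with no arguments to see the constructed sample: 3CORESec gets an enable command, the hypothetical legacy scanner gets a disable command, and the two desired entries that either do not exist in the Region or only receive findings are reported as warnings instead of being silently skipped. Review the printed commands before running them; the disable command drops the subscription, and findings the product emits while it is disabled are not delivered retroactively.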

Viewing the findings from an integration

When you start accepting findings from an integration, the Integrations page of the Security Hub console displays the Status of the integration as Accepting findings. To view a list of findings from the integration, choose See findings.

The findings list shows the active findings for the selected integration that have a workflow status of NEW or NOTIFIED.

If you enable cross-Region aggregation, then in the aggregation Region, the list includes findings from the aggregation Region and from linked Regions where the integration is enabled. Security Hub does not automatically enable integrations based on the cross-Region aggregation configuration.

In other Regions, the finding list for an integration only contains findings from the current Region.

For information on how to configure cross-Region aggregation, see Understanding cross-Region aggregation in Security Hub.

From the findings list, you can perform the following actions.