AWS Security Hub
User Guide

Findings Providers in AWS Security Hub

Important

Currently, AWS Security Hub is in Preview release.

This section lists the AWS, third-party partner, and other custom findings providers supported in Security Hub. This section also provides instructions for subscribing to partner findings providers in Security Hub and instructions for importing findings generated by your own custom security products into Security Hub.

Important

Security Hub detects and consolidates only those security findings from the supported AWS and partner products that are generated after Security Hub is enabled in your AWS accounts. It doesn't retroactively detect and consolidate security findings that were generated before Security Hub was enabled.

AWS Findings Providers

Security Hub aggregates security findings generated by the following AWS services:

Once you enable Security Hub in an account, it immediately starts aggregating security and resource data across your AWS environment in that account from the AWS services listed above. If a supported AWS findings provider is not itself enabled, Security Hub doesn't detect or aggregate its findings. You can verify the enabled status of the supported AWS findings providers in the Provider status section of the Summary page of the Security Hub console. Once you enable a supported AWS findings provider service (using its respective console or APIs), Security Hub immediately starts aggregating and processing the findings that the service generates; no additional Security Hub settings need to be configured.

With GuardDuty, Security Hub processes and aggregates GuardDuty findings of all of the supported finding types. For more information about GuardDuty findings, see Amazon GuardDuty Findings.

With Inspector, Security Hub processes and aggregates Inspector findings generated through assessment runs based on all supported rules packages. For more information about Inspector rules packages and rules, see Amazon Inspector Rules Packages and Rules.

In Macie, a finding (currently called an alert) belongs to one of three indexes: CloudTrail data, S3 bucket properties, and S3 objects. For more information, see Locating and Analyzing Macie Alerts. In this release, Security Hub consumes and processes only Macie findings from the S3 bucket properties and S3 objects indexes. It does NOT consume or process Macie findings from the CloudTrail data index.

Third-Party Partner Findings Providers

After you enable Security Hub, you can configure it to consume (via automatic or manual importing) and process findings from the integrated third-party providers (companies) and their findings-generating solutions (products).

In this release, you can configure Security Hub to consume and process findings from the following third-party partner products.

Company name | Product name | Product description
Alert Logic | SIEMless Threat Management | Get the right level of coverage: vulnerability and asset visibility, threat detection and incident management, WAF, and assigned SOC analyst options.
ARMOR | Armor Anywhere | Armor Anywhere delivers managed security and compliance for AWS.
Barracuda Networks | Cloud Security Guardian | Barracuda Cloud Security Sentry helps organizations stay secure while building applications in, and moving workloads to, the public cloud.
Check Point | CloudGuard IaaS | Check Point CloudGuard easily extends comprehensive threat prevention security to AWS while protecting assets in the cloud.
Check Point | Dome9 Arc | A SaaS platform that delivers verifiable cloud network security, advanced IAM protection, and comprehensive compliance and governance.
CrowdStrike | CrowdStrike Falcon | CrowdStrike Falcon's single lightweight sensor unifies next-generation antivirus, endpoint detection and response, and 24/7 managed hunting via the cloud.
CyberArk | Privileged Threat Analytics | Privileged Threat Analytics collects, detects, alerts, and responds to high-risk activity and behavior of privileged accounts to contain in-progress attacks.
F5 Networks | Advanced WAF | Advanced WAF provides malicious bot protection, L7 DoS mitigation, API inspection, behavior analytics, and more to defend against web app attacks.
Fortinet | FortiGate NGFW | NGFW delivers complete content and network protection by combining stateful inspection with a comprehensive suite of security features.
GuardiCore | Centra 4.0 | GuardiCore Centra provides flow visualization, micro-segmentation, and breach detection for workloads in modern data centers and clouds.
IBM | QRadar SIEM | IBM QRadar SIEM provides security teams with the ability to quickly and accurately detect, prioritize, investigate, and respond to threats.
Imperva | Attack Analytics | Imperva Attack Analytics correlates and distills thousands of security events into a few readable security incidents.
McAfee | MVISION Cloud for AWS | McAfee MVISION Cloud for Amazon Web Services is a comprehensive monitoring, auditing, and remediation solution for your AWS environment.
Palo Alto Networks | Redlock | Protects your AWS deployment with cloud security analytics, advanced threat detection, and compliance monitoring.
Palo Alto Networks | VM-Series | Protects your AWS deployment from threats and data loss by dynamically updating firewall policies based on Security Hub findings.
Qualys | Policy Compliance | Qualys Policy Compliance (PC) is a cloud service that performs automated security configuration assessments on your assets to reduce risk.
Qualys | Vulnerability Management | Qualys Vulnerability Management (VM) continuously scans and identifies vulnerabilities, protecting your assets.
Rapid7 | InsightVM | Rapid7 InsightVM provides vulnerability management for modern environments, allowing you to efficiently find, prioritize, and remediate vulnerabilities.
Sophos | Server Protection | Sophos Server Protection defends the critical applications and data at the core of your organization, using comprehensive defense-in-depth techniques.
Splunk | Splunk Enterprise | Splunk uses Amazon CloudWatch Events as a consumer of Security Hub findings. Send your data to Splunk for advanced security analytics and SIEM.
Splunk | Splunk Phantom | Splunk Phantom enhances Security Hub and Splunk findings with additional threat intelligence information to perform automated response actions.
Sumo Logic | Machine Data Analytics | Sumo Logic is a secure, machine data analytics platform that enables DevSecOps teams to build, run, and secure their AWS applications.
Symantec | Cloud Workload Protection | Cloud Workload Protection provides complete protection for your EC2 instances with anti-malware, intrusion prevention, and file integrity monitoring.
Trend Micro | Deep Security 11.2 | Security built to fit DevOps with robust APIs and automated protection. Defend against threats, malware, and vulnerabilities with a single product.
Turbot | Turbot | Turbot ensures that your cloud infrastructure is secure, compliant, scalable, and cost optimized.
Twistlock | Enterprise Edition | Twistlock is a cloud native cybersecurity platform that protects VMs, containers, and serverless platforms.

To configure Security Hub to consume and process findings from a third-party partner product

  1. Open the Security Hub console at https://console.aws.amazon.com/securityhub/, choose Settings, then choose Providers.

  2. Locate the company whose product's findings you want Security Hub to consume and process and then do the following:

    • If you don't already have it in your AWS environment, you must choose the Purchase link to navigate to AWS Marketplace and purchase this third-party partner product.

    • If you have not done so already, you must choose the Configure link to navigate to the step-by-step instructions that you must follow to install this third-party partner product and configure its integration with Security Hub.

  3. Choose Subscribe to create a product subscription in your account for the third-party partner product whose findings you want to import to Security Hub. After you subscribe to a product, a resource policy is automatically attached to that product subscription. This resource policy defines the permissions that Security Hub needs to consume and process that product's findings.

    Note

    You can also create a product subscription in your account for the third-party partner product by running the EnableImportFindingsForProduct API operation.

Once you complete the steps above, Security Hub is configured to automatically consume and process findings from the third-party partner product to which you subscribed.

Importing Findings from Custom Products into Security Hub

In addition to findings generated by the AWS and third-party partner providers, Security Hub can also consume findings generated by various custom security products that you are using. You can import these findings into Security Hub manually using the BatchImportFindings API operation.

Make sure you follow these instructions when invoking the BatchImportFindings API operation to import findings generated by custom security products:

  • You must present your findings' details using the AWS Security Finding format.

  • Security Hub must be enabled before you can successfully invoke the BatchImportFindings API operation.

  • When you enable Security Hub, a default product ARN for Security Hub is generated in your current AWS account. This product ARN has the following format: arn:aws:securityhub:<region>:<account-id>:product/<account-id>/default. For example, arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default.

    Use this product ARN as the value for the ProductArn attribute when invoking BatchImportFindings API operation.

  • We recommend using the ProductFields attribute to record the name and version of the product whose findings you're importing. For example, if you are integrating Cloud Custodian with Security Hub, you could use the following values:

    "ProductFields": { "ProviderName": "CloudCustodian", "ProviderVersion": "0.8.32.1" }

    Note

    Cloud Custodian is a flexible rules engine that is commonly used as a solution for automated security, compliance, and cost management in the cloud. For more information about integrating Cloud Custodian with Security Hub, see Announcing Cloud Custodian Integration with AWS Security Hub.

  • You must supply, manage, and increment your own finding IDs, using the Id attribute. Each new finding must have a unique finding ID.

  • You must specify your own AWS account ID, using the AwsAccountId attribute.

  • You must supply your own timestamps for the CreatedAt and UpdatedAt attributes.

  • In addition to importing new findings from custom products, you can also update existing findings from custom products using the BatchImportFindings API operation. To update existing findings, use the existing finding ID (via the Id attribute) while resending the full finding with the appropriate information updated in the request, including a modified UpdatedAt timestamp.
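The following script, an added example that is not part of the AWS documentation, builds a finding in the AWS Security Finding format with the fields listed above (the default product ARN, your own Id, AwsAccountId, CreatedAt and UpdatedAt, plus ProductFields) and sends it with BatchImportFindings. The account ID, region, check name, bucket ARN and provider name/version are constructed sample values; sending requires boto3 credentials and Security Hub enabled in the account.

```python
"""Build and import a custom-product finding into Security Hub (ASFF).
Added example, not from the AWS documentation. Account ID, region, bucket ARN and
provider name/version are constructed samples; sending needs boto3 credentials."""
import hashlib
from datetime import datetime, timezone

ACCOUNT_ID = "123456789012"            # constructed sample account ID
REGION = "us-west-2"
GENERATOR_ID = "custom-s3-public-acl"  # hypothetical check name for this example

def default_product_arn(region, account_id):
    """Default product ARN that Security Hub creates in the account when enabled."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"

def finding_id(generator_id, resource_id):
    """Deterministic ID per (check, resource): a re-run of the same check on the
    same resource reuses the ID, so the finding is updated instead of duplicated."""
    digest = hashlib.sha256(f"{generator_id}|{resource_id}".encode()).hexdigest()[:32]
    return f"{generator_id}/{digest}"

def utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_finding(resource_arn, title, description, normalized, created_at=None, updated_at=None):
    """Assemble an ASFF finding with the fields the guide says you must supply yourself."""
    created_at = created_at or utc_now()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id(GENERATOR_ID, resource_arn),
        "ProductArn": default_product_arn(REGION, ACCOUNT_ID),
        "GeneratorId": GENERATOR_ID,
        "AwsAccountId": ACCOUNT_ID,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": created_at,
        "UpdatedAt": updated_at or created_at,
        "Severity": {"Normalized": normalized, "Product": normalized / 10},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "AwsS3Bucket", "Id": resource_arn, "Region": REGION}],
        "ProductFields": {"ProviderName": "ExampleScanner", "ProviderVersion": "0.1.0"},
    }

def import_findings(findings, region=REGION):
    """Call BatchImportFindings; raise if Security Hub rejected any finding."""
    import boto3  # imported here so findings can be built (and tested) without boto3
    resp = boto3.client("securityhub", region_name=region).batch_import_findings(Findings=findings)
    if resp["FailedCount"]:
        raise RuntimeError(f"rejected {resp['FailedCount']}: {resp['FailedFindings']}")
    return resp["SuccessCount"]
```

To update a finding later, call build_finding again for the same resource (which yields the same Id), pass the original CreatedAt and a fresh UpdatedAt, and resend the full finding through import_findings.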