Processing and enriching AWS Security Hub findings in Tines
With AWS Security Hub, Amazon have provided a way for AWS customers to “quickly see their entire AWS security and compliance state in one place, and so help to identify specific accounts and resources that require attention.”
Security Hub went GA in July 2019 and, although there is debate around the material value the service will provide, specifically in terms of ROI (when it’s enabled, 30+ Config rules are created per account, which can quickly become expensive), the benefit for enterprise security teams of having a centralised portal for Inspector, GuardDuty and CIS benchmark findings is intriguing.
In this post we will explore how to send findings from Security Hub to Tines so they can be enriched, prioritised, deduplicated and ticketed.
How AWS Security Hub Works
When you enable Security Hub, it immediately begins consuming, aggregating, organizing, and prioritizing findings from AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and from AWS partner security products. Security Hub generates its own findings by running continuous, automated compliance checks based on AWS best practices and supported industry standards. It then correlates and consolidates findings across providers to help you to prioritize the most significant findings.
Tines AWS Security Hub Automation Story
Here you will find a Tines automation story which you should download and import into your Tines tenant. The story contains five agents, including a Webhook agent which we’ll use to receive events from Security Hub.
Take a note of the Webhook URL from the Summary tab in the Tines agent view; we’ll need to provide this to AWS. In the above example, the Webhook URL is:
Using the Tines AWS Security Hub CloudFormation Template
Next you will need to configure AWS Security Hub to send CloudWatch Events to Tines. Although you can do this manually, we also provide a CloudFormation template which does the hard work for you.
Download the template from here and upload it to CloudFormation.
Once you have uploaded the file, click Next and give the stack a name, then provide the following parameters:
TinesWebhookURL: The Webhook URL taken from the Receive AWS Security Hub Notification Webhook agent.
After selecting Create Stack, CloudFormation will begin creating the stack. When CloudFormation is finished creating the stack, it sends a new SNS Subscription Confirmation Event to Tines (sample below).
We’ve configured the Confirm subscription HTTP Request Agent to send a GET request to the SubscribeURL defined by SNS. This confirms the SNS subscription, so Security Hub will now send Findings to Tines.
Receiving AWS Notifications in Tines
You should now have everything needed to begin automating response to Security Hub Findings in Tines. When Security Hub triggers a Finding, it will send a notification event to the Tines Webhook agent. A sample event is shown below:
The important information describing the Security Hub finding is in an escaped JSON string, which makes further automation challenging. To parse this string into a “friendlier” format, we use the Liquid Filter json_parse in a message_only mode Event Transformation Agent.
Events emitted by this agent will contain the Finding’s details in a format we can easily use in Tines to further enrich, deduplicate, prioritise and even automatically remediate the Finding.
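As an added example (not part of the Tines story or its agents), the Python below stands in for the two steps above: it checks that a SubscribeURL really points at an HTTPS SNS endpoint before it would be confirmed, and it unpacks the escaped Message string of a Notification into the finding fields you would enrich and deduplicate on. The envelope and finding values are constructed samples, and the `.amazonaws.com` host check is an assumption about where SNS SubscribeURLs live (China-partition hosts would need adding).

```python
import json
from urllib.parse import urlparse

# Constructed sample of the SNS envelope delivered to the Tines Webhook agent.
# "Message" is the escaped JSON string that wraps the Security Hub finding.
SAMPLE_FINDING_NOTIFICATION = {
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:securityhub-to-tines",
    "Message": json.dumps({
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/CONSTRUCTED",
            "Title": "1.1 Avoid the use of the \"root\" account",
            "Severity": {"Label": "CRITICAL", "Normalized": 90},
            "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}],
            "Workflow": {"Status": "NEW"},
        }]},
    }),
}

# Constructed sample of the confirmation event CloudFormation triggers.
SAMPLE_CONFIRMATION = {
    "Type": "SubscriptionConfirmation",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=CONSTRUCTED",
}


def is_trusted_subscribe_url(url):
    """Only auto-GET a SubscribeURL that is HTTPS and hosted on amazonaws.com (assumed SNS hosts)."""
    p = urlparse(url)
    host = p.hostname or ""
    return p.scheme == "https" and (host == "amazonaws.com" or host.endswith(".amazonaws.com"))


def parse_security_hub_event(envelope):
    """Mirror the json_parse step: turn the escaped Message into flat finding records."""
    if envelope.get("Type") != "Notification":
        return []  # confirmations and other types carry no findings
    event = json.loads(envelope["Message"])  # escaped string -> dict
    records = []
    for f in event.get("detail", {}).get("findings", []):
        records.append({
            "id": f["Id"],  # stable across updates, so a natural deduplication key
            "title": f["Title"],
            "severity": f.get("Severity", {}).get("Label"),
            "resources": [r["Id"] for r in f.get("Resources", [])],
            "status": f.get("Workflow", {}).get("Status"),
        })
    return records
```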