AWS Security Hub Integration

AWS Security Hub is a centralized security service that provides a comprehensive view of security findings and alerts from various AWS services and third-party integrations. It enables organizations to quickly identify and address security issues, enhancing their security posture and compliance capabilities.

AWS Security Hub integration is a convenient functionality that allows you to effortlessly receive notifications based on specific triggers or events. These alerts can be customized based on risk scores, findings, and other parameters such as publicly exposed resources, sensitive data, or administrative privileges. This outbound integration can be easily configured within the Plerion Platform for seamless implementation.

Note: The SecurityHub outbound integration is one-way only, meaning that alerts created or updated in Plerion will be reflected in SecurityHub, but changes made directly to SecurityHub findings will not be synced back to Plerion.

Steps for adding AWS Security Hub Integration

  1. Go to the Add AWS Security Hub integration page.
  2. Give a name to your integration.
  3. Add the integration by clicking on the Add button.
  4. Go to the AWS Security Hub console and accept findings from Plerion.
  5. Add the integration as an action to any desired workflow.

Steps for removing AWS Security Hub Integration

  1. Go to the integration information page and click on the Delete Integration icon.
  2. Go to the AWS Security Hub console and stop accepting findings from Plerion.

Architecture

AWS Security Hub Architecture

The alerts generated by our platform are tailored to the user-configured workflow. These alerts are then directed to AWS Lambda via Amazon EventBridge and Amazon SQS. Within Lambda, a batch of alerts is processed and validated before being dispatched to AWS Security Hub as findings in the ASFF format. The delivery status and state of each alert are tracked and stored in a database, and the system checks the alert delivery status before dispatching any alert. Any alerts that fail processing are saved in a Dead-Letter Queue (DLQ), which is checked for formatting errors; once the issue is fixed, the alerts are resubmitted to the Lambda function for processing.

FAQ

  1. What is the duration between the creation of a finding in your product and its transmission to AWS Security Hub?

    Our platform takes around 2-3 minutes to deliver findings to AWS Security Hub.

  2. Which categories of findings are sent to AWS Security Hub?

    This depends on the workflow configured by the user. For example, if a user has configured a workflow to send findings when an asset is discovered to be publicly exposed, then only those findings will be sent to AWS Security Hub.

  3. How is the Plerion risk score mapped to the ASFF severity label?

    The Plerion risk score is mapped to the ASFF severity label as follows:

    Risk Score     ASFF Severity Label
    0.0            INFORMATIONAL
    0.1 - 3.999    LOW
    4.0 - 6.999    MEDIUM
    7.0 - 8.999    HIGH
    9.0 - 10.0     CRITICAL

  4. How is an alert mapped to the ASFF (AWS Security Finding Format) format?

    Alerts from Plerion are mapped to the ASFF (AWS Security Finding Format) format as follows:

    {
      "SchemaVersion": "2018-10-08",
      "Id": "<prn>/<workflowId>/<openedAtExecutionTimestamp>",
      "ProductName": "Plerion Workflow Engine",
      "CompanyName": "Plerion",
      "GeneratorId": "<integrationId>",
      "Types": [
        "Software and Configuration Checks"
      ],
      "FirstObservedAt": "<openedAtExecutionTimestamp>",
      "Title": "<alertTitle>",
      "Description": "<alertSummary>",
      "ProductFields": {
        "IntegrationId": "<integrationId>",
        "IntegrationName": "<integrationName>",
        "WorkflowId": "<workflowId>",
        "WorkflowName": "<workflowName>",
        "TenantId": "<tenantId>",
        "TenantName": "<tenantName>"
      },
      "Resources": [
        {
          "Type": "<resourceTypeMappedToASFF>",
          "Id": "<fullResourceName>"
        }
      ],
      "Workflow": {
        "Status": "NEW"
      },
      "FindingProviderFields": {
        "Severity": {
          "Label": "<riskScoreMappedToASFF>"
        }
      }
    }

  5. In which AWS regions is AWS Security Hub integration not supported?

    AWS Security Hub integration is not supported in the following AWS regions:

    • us-gov-east-1
    • us-gov-west-1
    • cn-north-1
    • cn-northwest-1
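The following is an added example, not Plerion's own code, that puts FAQ items 3, 4 and 5 together: it applies the documented risk-score bands, builds the ASFF document with the field layout shown above, and refuses the unsupported regions. The input field names on the Plerion alert (`prn`, `riskScore`, `asffResourceType`, ...) are assumptions, and the sample alert is constructed.

```python
# Added example (not Plerion's own code): build the ASFF finding described
# above from a Plerion alert, using the documented risk-score bands.
# Inclusive upper bound of each band from the risk score table above.
SEVERITY_BANDS = [(0.0, "INFORMATIONAL"), (3.999, "LOW"), (6.999, "MEDIUM"),
                  (8.999, "HIGH"), (10.0, "CRITICAL")]
UNSUPPORTED_REGIONS = {"us-gov-east-1", "us-gov-west-1",
                       "cn-north-1", "cn-northwest-1"}


def severity_label(risk_score):
    """Map a Plerion risk score (0.0-10.0) to an ASFF severity label.
    Scores between two bands (e.g. 3.9995) fall into the higher band."""
    if not 0.0 <= risk_score <= 10.0:
        raise ValueError(f"risk score out of range: {risk_score}")
    for upper, label in SEVERITY_BANDS:
        if risk_score <= upper:
            return label


def to_asff(alert, integration, region):
    """Build the ASFF document (field layout from FAQ item 4)."""
    if region in UNSUPPORTED_REGIONS:
        raise ValueError(f"Security Hub integration unsupported in {region}")
    opened_at = alert["openedAtExecutionTimestamp"]
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{alert['prn']}/{alert['workflowId']}/{opened_at}",
        "ProductName": "Plerion Workflow Engine", "CompanyName": "Plerion",
        "GeneratorId": integration["integrationId"],
        "Types": ["Software and Configuration Checks"],
        "FirstObservedAt": opened_at,
        "Title": alert["title"], "Description": alert["summary"],
        "ProductFields": {
            "IntegrationId": integration["integrationId"],
            "IntegrationName": integration["integrationName"],
            "WorkflowId": alert["workflowId"], "WorkflowName": alert["workflowName"],
            "TenantId": integration["tenantId"], "TenantName": integration["tenantName"]},
        "Resources": [{"Type": alert["asffResourceType"], "Id": alert["resourceName"]}],
        "Workflow": {"Status": "NEW"},
        "FindingProviderFields": {"Severity": {"Label": severity_label(alert["riskScore"])}},
    }


# Constructed sample input (alert/integration field names are assumptions).
SAMPLE_ALERT = {"prn": "prn:example:s3/example-bucket", "workflowId": "wf-0001",
                "workflowName": "Publicly exposed assets", "riskScore": 8.2,
                "openedAtExecutionTimestamp": "2024-01-15T10:30:00Z",
                "title": "S3 bucket is publicly accessible",
                "summary": "Bucket policy grants s3:GetObject to everyone.",
                "asffResourceType": "AwsS3Bucket", "resourceName": "arn:aws:s3:::example-bucket"}
SAMPLE_INTEGRATION = {"integrationId": "int-0001", "integrationName": "sechub-prod",
                      "tenantId": "tenant-0001", "tenantName": "Example Corp"}
```

Calling `to_asff(SAMPLE_ALERT, SAMPLE_INTEGRATION, "us-east-1")` yields a finding with severity label HIGH and Id `prn:example:s3/example-bucket/wf-0001/2024-01-15T10:30:00Z`.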