[aws_securityhub] Initial release of AWS Security Hub #15932
…issions (#137866) Adding logs-aws_securityhub.finding-* data stream indices to the kibana_system privileges. This is required for the latest transform to work. Related: elastic/integrations#15932
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
```
#### Finding

{{/* {{event "finding"}} */}}
```
Is this omitted for size?
```
    }]
  },
  "MaxResults": state.batch_size,
  ?"NextToken": state.?next_token,
```
Does the API accept a null NextToken? What is the behaviour in that case?
```yaml
  type: string
  ignore_missing: true

# # populate ECS fields
```
Is this intentional?
```yaml
          - ISO8601
          - UNIX_MS
          - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
        on_failure:
```
Are these failures expected or exceptional? If they are exceptional, we should add a message to error.message on failure.
```yaml
        target_field: _ingest._value.created_time
        formats:
          - UNIX_MS
        on_failure:
```
Same here.
```yaml
          - ISO8601
          - UNIX_MS
          - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
        on_failure:
```
Expected or exceptional? (also below)
Do we want to provide the values here?
No, because they need to be in _source for the Findings page to work: #11608 (comment)
This is autogenerated from the OCSF schema, correct?
Autogenerated?
Autogenerated?
I think also that the document that forms the basis of the OCSF to ECS mapping should be made public and linked in the commit message.
```
### How it works

The **finding** data stream uses the `/findingsv2` endpoint to gather all findings starting from the configured initial interval. Subsequently, it fetches the recent findings available at each specified interval.
```

Suggested change:

```
The **finding** data stream uses the `/findingsv2` endpoint to gather all findings starting from the configured `Initial Interval`. Subsequently, it fetches the recent findings available at each specified `Interval`.
```
```
## What data does this integration collect?

The AWS Security Hub integration collects log messages of the following types:
```

Suggested change:

```
The AWS Security Hub integration collects logs of the following types:
```
or events
```
### Supported use cases
Integrating AWS Security Hub with Elastic SIEM provides a comprehensive view of the security state of your AWS resources. Leveraging AWS Security Hub integration helps you analyze security trends to identify and prioritize security issues across your AWS environment.
```

Suggested change:

```
### Supported use cases

Integrating AWS Security Hub with Elastic SIEM provides a comprehensive view of the security state of your AWS resources. Leveraging AWS Security Hub integration helps you analyze security trends to identify and prioritize security issues across your AWS environment.
```
Also adding CNVM use case would help
@kcreddy @brijesh-elastic Tested the env with data ingested. All good except missing

It looks like I missed it. I'll update this in the next commit, along with the cluster.

kcreddy left a comment
To be merged after #16195
```
#### Collecting data from AWS Security Hub API

Users can authenticate using permanent security credentials, as well as temporary security credentials. They can also select `shared_credential_file`, `credential_profile_name` to retrieve credentials. Additionally, they can use `role_arn` to specify which AWS IAM role to assume for generating temporary credentials. An `external_id` can also be provided when assuming a role in another account.
```
I think a link to documentation is important to understand what all these options mean, and where to configure them. Also use the user facing text (title instead of name).
```
1. In the top search bar in Kibana, search for **Integrations**.
2. In the search bar, type **AWS Security Hub**.
3. Select the **AWS Security Hub** integration from the search results.
4. Select **Add AWS Security Hubs** to add the integration.
```

Suggested change:

```
4. Select **Add AWS Security Hub** to add the integration.
```
```
### Validation

#### Transforms healthy
```
Could we also add dashboards?
```yaml
# This can be removed after ES 8.14 is the minimum version.
# Relates: https://github.com/elastic/elasticsearch/pull/105689
url.extension: '^.*$'
```
not required I guess?
```yaml
    request_headers:
      Content-Type:
        - "application/json"
    request_body: /^\{"Filters":\{"CompositeFilters":\[\{"DateFilters":\[\{"FieldName":"finding_info\.modified_time_dt","Filter":\{"End":.*,"Start":.*\}\}\]\}\]\},"MaxResults":2,"NextToken":"next_token_2","SortCriteria":\[\{"Field":"finding_info\.modified_time_dt","SortOrder":"asc"\}\]\}/
```
Can we also test empty results case? Do we get empty "Findings": [] array?
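As an added example (not code from this PR or from the integration), the pagination loop the two review questions above are about, written in Python against a constructed in-memory stand-in for the findings endpoint. It assumes only the request and response shape visible in the test above (`MaxResults`, `NextToken`, and a `Findings` array); the stand-in server, its token encoding and the sample findings are constructed here and are not the real AWS API. The client omits the `NextToken` key entirely when it holds no token, so its correctness does not depend on whether the API tolerates a null value, and it treats an empty `"Findings": []` page as a normal end of data rather than an error.

```python
"""Paginated findings collection with a safe NextToken handling pattern.

Added example, not the project's code. The endpoint is a constructed stand-in
that mirrors the MaxResults / NextToken / Findings shape from the PR's test.
"""
import json
from typing import Callable, Iterator, List, Optional

# Constructed sample data: five findings to be served in pages.
SAMPLE_FINDINGS: List[dict] = [
    {"finding_info": {"uid": f"finding-{i}", "modified_time_dt": f"2024-01-0{i}T00:00:00Z"}}
    for i in range(1, 6)
]


def make_fake_endpoint(findings: List[dict]) -> Callable[[str], str]:
    """Build a stand-in server (hypothetical, not AWS) that pages `findings` by
    MaxResults. NextToken is the offset of the next page encoded as a string and
    is omitted, never set to null, on the last page. A request carrying a null
    NextToken is rejected, which is the failure mode a client that always sends
    the key would hit if the real API behaved the same way."""

    def endpoint(request_body: str) -> str:
        req = json.loads(request_body)
        if "NextToken" in req and req["NextToken"] is None:
            raise ValueError("NextToken present but null")
        offset = int(req.get("NextToken", "0"))
        size = int(req["MaxResults"])
        resp = {"Findings": findings[offset:offset + size]}
        if offset + size < len(findings):
            resp["NextToken"] = str(offset + size)
        return json.dumps(resp)

    return endpoint


def build_request(batch_size: int, next_token: Optional[str]) -> dict:
    """Only include NextToken when a token is actually held."""
    body = {"MaxResults": batch_size}
    if next_token is not None:
        body["NextToken"] = next_token
    return body


def iter_findings(batch_size: int,
                  endpoint: Callable[[str], str],
                  max_pages: int = 1000) -> Iterator[dict]:
    """Walk pages until the response carries no NextToken.

    max_pages bounds the loop so an endpoint that keeps handing back the same
    token cannot spin the collector forever."""
    token: Optional[str] = None
    for _ in range(max_pages):
        resp = json.loads(endpoint(json.dumps(build_request(batch_size, token))))
        # An empty "Findings": [] page is valid data, not an error.
        for finding in resp.get("Findings", []):
            yield finding
        new_token = resp.get("NextToken")
        if not new_token or new_token == token:
            return
        token = new_token
    raise RuntimeError("pagination did not terminate within max_pages")


def collect_all(batch_size: int, findings: List[dict] = SAMPLE_FINDINGS) -> List[dict]:
    """Collect every finding from a stand-in endpoint serving `findings`."""
    return list(iter_findings(batch_size, make_fake_endpoint(findings)))


if __name__ == "__main__":
    for f in collect_all(2):
        print(f["finding_info"]["uid"])
    print("empty page yields", collect_all(2, []))
```

The `new_token == token` guard and the `max_pages` cap are the defensive parts worth keeping in any real collector: a backend that repeats a cursor, or a test fixture that always returns one, otherwise turns the input into an unbounded request loop.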
```yaml
  index:
    mapping:
      total_fields:
        limit: 2000
```
How many mapped fields do we have right now?
```yaml
    title: Interval
    description: Duration between requests to the AWS Security Hub API. Supported units for this parameter are h/m/s.
    default: 1h
    max_duration: 24h
```
What is the intention for having this max_duration on Interval?
```yaml
    multi: false
    required: true
    show_user: false
    default: 30s
```
Do you think we should increase the default based on our testing?
```yaml
      if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid)
      value: alert
```
I am not sure if we want to categorise vulnerability and misconfiguration as alert. CDR guide maps them as state.
```yaml
  - set:
      field: aws_securityhub.finding.transform_unique_id
      tag: set_transform_unique_id
      value: '{{event.id}}|{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}'
```
Can you use a condition so that it's populated only for vulnerabilities?