[aws_securityhub] Initial release of AWS Security Hub #15932

Merged
brijesh-elastic merged 12 commits into elastic:main from
brijesh-elastic:package-aws_securityhub
Dec 15, 2025
Conversation

@brijesh-elastic (Collaborator)

@brijesh-elastic brijesh-elastic commented Nov 11, 2025

Proposed commit message

aws_securityhub: Initial release of AWS Security Hub

The integration collects findings in OCSF format using the GetFindingsV2 API. It supports
OCSF v1.5 classes (2002, 2003, 2004, 2006).

ECS mapping and transforms have also been added to facilitate the
Cloud Native Vulnerability Management (CNVM)[1] workflow.

[1] https://www.elastic.co/guide/en/security/current/vuln-management-overview.html

Note

To Reviewers:

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/aws_securityhub directory.
  • Run the following command to run tests.

elastic-package test

Related issues

@brijesh-elastic brijesh-elastic self-assigned this Nov 11, 2025
@brijesh-elastic brijesh-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Category: CDR labels Nov 11, 2025
@andrewkroh andrewkroh added the New Integration Issue or pull request for creating a new integration package. label Nov 11, 2025
kcreddy added a commit to elastic/elasticsearch that referenced this pull request Nov 14, 2025
…issions (#137866)

Adding logs-aws_securityhub.finding-* data stream indices to the kibana_system privileges. This is required for the latest transform to work.

Related: elastic/integrations#15932
@brijesh-elastic brijesh-elastic marked this pull request as ready for review December 2, 2025 04:12
@brijesh-elastic brijesh-elastic requested a review from a team as a code owner December 2, 2025 04:12
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 (Contributor)

efd6 commented Dec 3, 2025

I think also that the document that forms the basis of the OCSF to ECS mapping should be made public and linked in the commit message.

@maxcold (Contributor)

maxcold commented Dec 3, 2025

@kcreddy @brijesh-elastic Tested the env with data ingested. All good except missing host.name. In the mapping sheet we discussed that we want to provide the instance id in the host.name. Did we miss this requirement or were there any technical challenges doing so?

@brijesh-elastic (Collaborator, Author)

> @kcreddy @brijesh-elastic Tested the env with data ingested. All good except missing host.name. In the mapping sheet we discussed that we want to provide the instance id in the host.name. Did we miss this requirement or were there any technical challenges doing so?

It looks like I missed it. I’ll update this in the next commit, along with the cluster.
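An added example, not code from this PR or the aws_securityhub package, showing the two things discussed above: the integration accepts only the OCSF v1.5 finding classes named in the commit message (2002, 2003, 2004, 2006) and rejects anything else, and host.name is populated from the EC2 instance id when an EC2 resource is present in the finding, as maxcold requested. The ECS field choices, the event.category values, the resource type strings and both sample findings are assumptions made for this illustration; the integration's real ingest pipeline and mapping sheet may differ.

```python
"""Illustrative OCSF -> ECS mapping for AWS Security Hub findings (example only)."""

# OCSF v1.5 finding classes the integration accepts (from the PR description).
OCSF_FINDING_CLASSES = {
    2002: "Vulnerability Finding",
    2003: "Compliance Finding",
    2004: "Detection Finding",
    2006: "Data Security Finding",
}

# Assumed ECS event.category per class; the real mapping sheet may differ.
ECS_CATEGORY = {
    2002: "vulnerability",
    2003: "configuration",
    2004: "intrusion_detection",
    2006: "file",
}

# Assumed resource type string for EC2 instances; the instance id becomes host.name.
HOST_RESOURCE_TYPES = {"AwsEc2Instance"}


class UnsupportedOcsfClass(ValueError):
    """Raised for class_uid values the integration does not handle."""


def _cve_ids(finding):
    """Collect vulnerabilities[].cve.uid, skipping entries that have no CVE id."""
    ids = []
    for vuln in finding.get("vulnerabilities") or []:
        cve_uid = (vuln.get("cve") or {}).get("uid")
        if cve_uid:
            ids.append(cve_uid)
    return ids


def ocsf_to_ecs(finding):
    """Map one OCSF finding (dict) to a flat dict keyed by ECS field name.

    Unsupported classes raise instead of producing a half-mapped document.
    Keys whose value would be None are dropped so the output has no empty fields.
    """
    class_uid = finding.get("class_uid")
    if class_uid not in OCSF_FINDING_CLASSES:
        raise UnsupportedOcsfClass(f"class_uid {class_uid!r} is not supported")

    cloud = finding.get("cloud") or {}
    info = finding.get("finding_info") or {}
    ecs = {
        "event.category": [ECS_CATEGORY[class_uid]],
        "event.severity": finding.get("severity_id"),
        "event.id": info.get("uid"),
        "message": info.get("title"),
        "cloud.provider": (cloud.get("provider") or "").lower() or None,
        "cloud.account.id": (cloud.get("account") or {}).get("uid"),
        "cloud.region": cloud.get("region"),
        "ocsf.class_uid": class_uid,
        "ocsf.class_name": OCSF_FINDING_CLASSES[class_uid],
    }

    # host.name <- EC2 instance id. A finding without an EC2 resource legitimately
    # has no host.name; leave the key out rather than writing an empty value.
    for res in finding.get("resources") or []:
        if res.get("type") in HOST_RESOURCE_TYPES and res.get("uid"):
            ecs["host.name"] = res["uid"]
            break

    cves = _cve_ids(finding)
    if cves:
        ecs["vulnerability.id"] = cves

    return {k: v for k, v in ecs.items() if v is not None}


# Constructed sample findings (made up for this example, not real Security Hub output).
SAMPLE_VULN = {
    "class_uid": 2002,
    "severity_id": 4,
    "finding_info": {"uid": "finding-0001", "title": "Sample CVE on EC2 instance"},
    "cloud": {"provider": "AWS", "account": {"uid": "123456789012"}, "region": "us-east-1"},
    "resources": [
        {"type": "AwsEc2Volume", "uid": "vol-0123456789abcdef0"},
        {"type": "AwsEc2Instance", "uid": "i-0123456789abcdef0"},
    ],
    "vulnerabilities": [{"cve": {"uid": "CVE-2024-0001"}}, {"cve": {}}],
}

SAMPLE_COMPLIANCE = {
    "class_uid": 2003,
    "severity_id": 2,
    "finding_info": {"uid": "finding-0002", "title": "Sample bucket control failed"},
    "cloud": {"provider": "AWS", "account": {"uid": "123456789012"}, "region": "eu-west-1"},
    "resources": [{"type": "AwsS3Bucket", "uid": "arn:aws:s3:::example-bucket"}],
}


if __name__ == "__main__":
    import json
    print(json.dumps(ocsf_to_ecs(SAMPLE_VULN), indent=2))
    print(json.dumps(ocsf_to_ecs(SAMPLE_COMPLIANCE), indent=2))
```

The useful check for reviewers is the second sample: a compliance finding on an S3 bucket produces no host.name at all, so a missing host.name is only a bug when the finding actually carries an EC2 instance resource.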

@kcreddy (Contributor) left a comment

To be merged after #16195

@brijesh-elastic (Collaborator, Author)

brijesh-elastic commented Dec 5, 2025

> I think also that the document that forms the basis of the OCSF to ECS mapping should be made public and linked in the commit message.

@kcreddy @ShourieG, should we make the CDR mapping sheet and RFC document for OCSF to ECS public?

@kcreddy (Contributor)

kcreddy commented Dec 5, 2025

> CDR mapping sheet

@brijesh-elastic, spreadsheet permissions already there. You can share the link with reviewers, but Dan's point is on OCSF to ECS.

@ShourieG (Contributor)

ShourieG commented Dec 8, 2025

> I think also that the document that forms the basis of the OCSF to ECS mapping should be made public and linked in the commit message.

> @kcreddy @ShourieG, should we make the CDR mapping sheet and RFC document for OCSF to ECS public?

Yes, I agree with making the OCSF to ECS mapping documents public, we can link it in the PR description

@maxcold maxcold self-requested a review December 8, 2025 15:32
@maxcold (Contributor) left a comment

tested on provided environment, everything working as expected from our flows perspective

@kcreddy (Contributor) left a comment

LGTM. Thanks @brijesh-elastic

@andrewkroh andrewkroh added the dashboard Relates to a Kibana dashboard bug, enhancement, or modification. label Dec 10, 2025
@elasticmachine

💚 Build Succeeded

History

cc @brijesh-elastic

@ShourieG (Contributor) left a comment

LGTM

@brijesh-elastic brijesh-elastic merged commit 4fe1f8c into elastic:main Dec 15, 2025
8 checks passed
@elastic-vault-github-plugin-prod

Package aws_securityhub - 0.1.0 containing this change is available at https://epr.elastic.co/package/aws_securityhub/0.1.0/

Labels

Category: CDR dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:aws_securityhub AWS Security Hub New Integration Issue or pull request for creating a new integration package. Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]

Projects

None yet

7 participants