AWS - Security Hub

Use the AWS Security Hub integration to manage your high-priority security alerts and compliance status across AWS accounts.

Configure AWS - Security Hub on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AWS - Security Hub.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • AWS Default Region
    • Role Arn
    • Fetch incidents
    • Incident type
    • Role Session Name
    • Role Session Duration
    • Security Hub Severity level (Low, Medium, High)
    • Additional Filters (see the Available Filters section below)
    • Archive Findings after fetch
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get a list of findings: aws-securityhub-get-findings
  2. Get information for the master account: aws-securityhub-get-master-account
  3. Get information for member accounts: aws-securityhub-list-members
  4. Enable AWS Security Hub: aws-securityhub-enable-security-hub
  5. Disable AWS Security Hub: aws-securityhub-disable-security-hub
  6. Update the findings record state: aws-securityhub-update-finding

1. Get a list of findings


Lists and describes Security Hub-aggregated findings that are specified by filter attributes.

Base Command

aws-securityhub-get-findings

Input
Argument Name Description Required
filters The filter to use. Usage: filters=name=<FilterName>,value=<value>,comparison=<EQUALS | CONTAINS | PREFIX> (see the Available Filters section). False
region The AWS Region, if not specified the default region will be used False
roleArn The Amazon Resource Name (ARN) of the role to assume. False
roleSessionName An identifier for the assumed role session. False
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. False

Context Output
Path Type Description
AWS.SecurityHub.Findings.SchemaVersion string The schema version for which a finding is formatted.
AWS.SecurityHub.Findings.Id string The security findings provider-specific identifier for a finding.
AWS.SecurityHub.Findings.ProductArn string The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
AWS.SecurityHub.Findings.GeneratorId string This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
AWS.SecurityHub.Findings.AwsAccountId string The AWS account ID in which a finding is generated.
AWS.SecurityHub.Findings.Types string One or more finding types in the format of 'namespace/category/classifier' that classify a finding.
AWS.SecurityHub.Findings.FirstObservedAt string An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
AWS.SecurityHub.Findings.LastObservedAt string An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
AWS.SecurityHub.Findings.CreatedAt string An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
AWS.SecurityHub.Findings.UpdatedAt string An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
AWS.SecurityHub.Findings.Severity.Product number The native severity as defined by the security findings provider's solution that generated the finding.
AWS.SecurityHub.Findings.Severity.Normalized number The normalized severity of a finding.
AWS.SecurityHub.Findings.Confidence number A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
AWS.SecurityHub.Findings.Criticality number The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
AWS.SecurityHub.Findings.Title string A finding's title.
AWS.SecurityHub.Findings.Description string A finding's description.
AWS.SecurityHub.Findings.Remediation.Recommendation.Text string The recommendation of what to do about the issue described in a finding.
AWS.SecurityHub.Findings.Remediation.Recommendation.Url string A URL to link to general remediation information for the finding type of a finding.
AWS.SecurityHub.Findings.SourceUrl string A URL that links to a page about the current finding in the security findings provider's solution.
AWS.SecurityHub.Findings.ProductFields string A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
AWS.SecurityHub.Findings.UserDefinedFields string A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
AWS.SecurityHub.Findings.Malware.Name string The name of the malware that was observed.
AWS.SecurityHub.Findings.Malware.Type string The type of the malware that was observed.
AWS.SecurityHub.Findings.Malware.Path string The filesystem path of the malware that was observed.
AWS.SecurityHub.Findings.Malware.State string The state of the malware that was observed.
AWS.SecurityHub.Findings.Network.Direction string Indicates the direction of network traffic associated with a finding.
AWS.SecurityHub.Findings.Network.Protocol string The protocol of network-related information about a finding.
AWS.SecurityHub.Findings.Network.SourceIpV4 string The source IPv4 address of network-related information about a finding.
AWS.SecurityHub.Findings.Network.SourceIpV6 string The source IPv6 address of network-related information about a finding.
AWS.SecurityHub.Findings.Network.SourcePort string The source port of network-related information about a finding.
AWS.SecurityHub.Findings.Network.SourceDomain string The source domain of network-related information about a finding.
AWS.SecurityHub.Findings.Network.SourceMac string The source media access control (MAC) address of network-related information about a finding.
AWS.SecurityHub.Findings.Network.DestinationIpV4 string The destination IPv4 address of network-related information about a finding.
AWS.SecurityHub.Findings.Network.DestinationIpV6 string The destination IPv6 address of network-related information about a finding.
AWS.SecurityHub.Findings.Network.DestinationPort string The destination port of network-related information about a finding.
AWS.SecurityHub.Findings.Network.DestinationDomain string The destination domain of network-related information about a finding.
AWS.SecurityHub.Findings.Process.Name string The name of the process.
AWS.SecurityHub.Findings.Process.Path string The path to the process executable.
AWS.SecurityHub.Findings.Process.Pid number The process ID.
AWS.SecurityHub.Findings.Process.ParentPid number The parent process ID.
AWS.SecurityHub.Findings.Process.LaunchedAt string The date/time that the process was launched.
AWS.SecurityHub.Findings.Process.TerminatedAt string The date/time that the process was terminated.
AWS.SecurityHub.Findings.ThreatIntelIndicators.Type string The type of a threat intel indicator.
AWS.SecurityHub.Findings.ThreatIntelIndicators.Value string The value of a threat intel indicator.
AWS.SecurityHub.Findings.ThreatIntelIndicators.Category string The category of a threat intel indicator.
AWS.SecurityHub.Findings.ThreatIntelIndicators.LastObservedAt string The date/time of the last observation of a threat intel indicator.
AWS.SecurityHub.Findings.ThreatIntelIndicators.Source string The source of the threat intel.
AWS.SecurityHub.Findings.ThreatIntelIndicators.SourceUrl string The URL for more details from the source of the threat intel.
AWS.SecurityHub.Findings.Resources.Type string Specifies the type of the resource for which details are provided.
AWS.SecurityHub.Findings.Resources.Id string The canonical identifier for the given resource type.
AWS.SecurityHub.Findings.Resources.Partition string The canonical AWS partition name to which the region is assigned.
AWS.SecurityHub.Findings.Resources.Region string The canonical AWS external region name where this resource is located.
AWS.SecurityHub.Findings.Resources.Tags string A list of AWS tags associated with a resource at the time the finding was processed.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.Type string The instance type of the instance.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.ImageId string The Amazon Machine Image (AMI) ID of the instance.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.IpV4Addresses string The IPv4 addresses associated with the instance.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.IpV6Addresses string The IPv6 addresses associated with the instance.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.KeyName string The key name associated with the instance.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.IamInstanceProfileArn string The IAM profile ARN of the instance.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.VpcId string The identifier of the VPC in which the instance was launched.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.SubnetId string The identifier of the subnet in which the instance was launched.
AWS.SecurityHub.Findings.Resources.Details.AwsEc2Instance.LaunchedAt string The date/time the instance was launched.
AWS.SecurityHub.Findings.Resources.Details.AwsS3Bucket.OwnerId string The canonical user ID of the owner of the S3 bucket.
AWS.SecurityHub.Findings.Resources.Details.AwsS3Bucket.OwnerName string The display name of the owner of the S3 bucket.
AWS.SecurityHub.Findings.Resources.Details.AwsIamAccessKey.UserName string The user associated with the IAM access key related to a finding.
AWS.SecurityHub.Findings.Resources.Details.AwsIamAccessKey.Status string The status of the IAM access key related to a finding.
AWS.SecurityHub.Findings.Resources.Details.AwsIamAccessKey.CreatedAt string The creation date/time of the IAM access key related to a finding.
AWS.SecurityHub.Findings.Resources.Details.Container.Name string The name of the container related to a finding.
AWS.SecurityHub.Findings.Resources.Details.Container.ImageId string The identifier of the image related to a finding.
AWS.SecurityHub.Findings.Resources.Details.Container.ImageName string The name of the image related to a finding.
AWS.SecurityHub.Findings.Resources.Details.Container.LaunchedAt string The date/time that the container was started.
AWS.SecurityHub.Findings.Resources.Details.Other string The details of a resource that does not have a specific sub-field for the resource type defined.
AWS.SecurityHub.Findings.Compliance.Status string Indicates the result of a compliance check.
AWS.SecurityHub.Findings.VerificationState string Indicates the veracity of a finding.
AWS.SecurityHub.Findings.WorkflowState string The workflow state of a finding.
AWS.SecurityHub.Findings.RecordState string The record state of a finding.
AWS.SecurityHub.Findings.RelatedFindings.ProductArn string The ARN of the solution that generated a related finding.
AWS.SecurityHub.Findings.RelatedFindings.Id string The solution-generated identifier for a related finding.
AWS.SecurityHub.Findings.Note.Text string The text of a note.
AWS.SecurityHub.Findings.Note.UpdatedBy string The principal that created a note.
AWS.SecurityHub.Findings.Note.UpdatedAt string The timestamp of when the note was updated.

Command Example

!aws-securityhub-get-findings
!aws-securityhub-get-findings filters="name=Id,value=arn:aws:guardduty:us-west-2:676921422616:detector/e8b3c9a6a818f7aa3219914360e9c6ab/finding/1ab3c9a70d2859d3891fef07d3af35a6,comparison=EQUALS"

2. Get information about the master account


Provides the details for the Security Hub master account to the current member account.

Base Command

aws-securityhub-get-master-account

Input
Argument Name Description Required
region The AWS Region, if not specified the default region will be used Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output
Path Type Description
AWS.SecurityHub.MasterAccount.AccountId string The account ID of the master Security Hub account who sent the invitation.
AWS.SecurityHub.MasterAccount.InvitationId string The ID of the invitation sent by the master Security Hub account.
AWS.SecurityHub.MasterAccount.InvitedAt date The timestamp of when the invitation was sent.
AWS.SecurityHub.MasterAccount.MemberStatus string The current relationship status between the inviter and invitee accounts.
AWS.SecurityHub.MasterAccount.Region string The AWS Region.

3. Get information about member accounts


Lists details about all member accounts for the current Security Hub master account.

Base Command

aws-securityhub-list-members

Input
Argument Name Description Required
onlyAssociated Specifies what member accounts the response includes based on their relationship status with the master account. The default value is TRUE. If onlyAssociated is set to TRUE, the response includes member accounts whose relationship status with the master is set to ENABLED or DISABLED. If onlyAssociated is set to FALSE, the response includes all existing member accounts. Required
region The AWS Region, if not specified the default region will be used Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output
Path Type Description
AWS.SecurityHub.MemberAccounts.AccountId string The AWS account ID of a Security Hub member account.
AWS.SecurityHub.MemberAccounts.Email string The email of a Security Hub member account.
AWS.SecurityHub.MemberAccounts.MasterId string The AWS account ID of the master Security Hub account to this member account.
AWS.SecurityHub.MemberAccounts.MemberStatus string The status of the relationship between the member account and its master account.
AWS.SecurityHub.MemberAccounts.InvitedAt date The timestamp at which the member account was invited to Security Hub.
AWS.SecurityHub.MemberAccounts.UpdatedAt date The timestamp at which this member account was last updated.
AWS.SecurityHub.MemberAccounts.Region string The AWS Region.

Command Example

!aws-securityhub-list-members onlyAssociated=True

4. Enable AWS Security Hub


Enables the AWS Security Hub service.

Base Command

aws-securityhub-enable-security-hub

Input
Argument Name Description Required
region The AWS Region, if not specified the default region will be used Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output

There is no context output for this command.

Command Example

!aws-securityhub-enable-security-hub

5. Disable AWS Security Hub


Disables the AWS Security Hub Service.

Base Command

aws-securityhub-disable-security-hub

Input
Argument Name Description Required
region The AWS Region, if not specified the default region will be used Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional

Context Output

There is no context output for this command.

Command Example

!aws-securityhub-disable-security-hub

6. Update the findings record state


Updates the record state of an AWS Security Hub-aggregated finding.

Base Command

aws-securityhub-update-finding

Input
Argument Name Description Required
findingId The Security Hub finding ID. Required
recordState The desired record state. Required
region The AWS Region, if not specified the default region will be used Optional
roleArn The Amazon Resource Name (ARN) of the role to assume. Optional
roleSessionName An identifier for the assumed role session. Optional
roleSessionDuration The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. Optional
note A note to add to the finding. Must be used together with the updatedBy argument. Optional
updatedBy The principal that updated the note. Optional

Context Output

There is no context output for this command.

Available Filters

Filter Name Description
ProductArn The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
AwsAccountId The AWS account ID in which a finding is generated.
Id The security findings provider-specific identifier for a finding.
GeneratorId This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
Type A finding type in the format of 'namespace/category/classifier' that classifies a finding.
SeverityLabel The label of a finding's severity.
Title A finding's title.
Description A finding's description.
RecommendationText The recommendation of what to do about the issue described in a finding.
SourceUrl A URL that links to a page about the current finding in the security findings provider's solution.
ProductName The name of the solution (product) that generates findings.
CompanyName The name of the findings provider (company) that owns the solution (product) that generates findings.
MalwareName The name of the malware that was observed.
MalwareType The type of the malware that was observed.
MalwarePath The filesystem path of the malware that was observed.
MalwareState The state of the malware that was observed.
NetworkDirection Indicates the direction of network traffic associated with a finding.
NetworkProtocol The protocol of network-related information about a finding.
NetworkSourceDomain The source domain of network-related information about a finding.
NetworkSourceMac The source media access control (MAC) address of network-related information about a finding.
NetworkDestinationDomain The destination domain of network-related information about a finding.
ProcessName The name of the process.
ProcessPath The path to the process executable.
ThreatIntelIndicatorType The type of a threat intel indicator.
ThreatIntelIndicatorValue The value of a threat intel indicator.
ThreatIntelIndicatorCategory The category of a threat intel indicator.
ThreatIntelIndicatorSource The source of the threat intel.
ThreatIntelIndicatorSourceUrl The URL for more details from the source of the threat intel.
ResourceType Specifies the type of the resource for which details are provided.
ResourceId The canonical identifier for the given resource type.
ResourcePartition The canonical AWS partition name to which the region is assigned.
ResourceRegion The canonical AWS external region name where this resource is located.
ResourceAwsEc2InstanceType The instance type of the instance.
ResourceAwsEc2InstanceImageId The Amazon Machine Image (AMI) ID of the instance.
ResourceAwsEc2InstanceKeyName The key name associated with the instance.
ResourceAwsEc2InstanceIamInstanceProfileArn The IAM profile ARN of the instance.
ResourceAwsEc2InstanceVpcId The identifier of the VPC in which the instance was launched.
ResourceAwsEc2InstanceSubnetId The identifier of the subnet in which the instance was launched.
ResourceAwsS3BucketOwnerId The canonical user ID of the owner of the S3 bucket.
ResourceAwsS3BucketOwnerName The display name of the owner of the S3 bucket.
ResourceAwsIamAccessKeyUserName The user associated with the IAM access key related to a finding.
ResourceAwsIamAccessKeyStatus The status of the IAM access key related to a finding.
ResourceContainerName The name of the container related to a finding.
ResourceContainerImageId The identifier of the image related to a finding.
ResourceContainerImageName The name of the image related to a finding.
ComplianceStatus Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
VerificationState Indicates the veracity of a finding.
WorkflowState The workflow state of a finding.
RecordState The updated record state for the finding.
RelatedFindingsProductArn The ARN of the solution that generated a related finding.
RelatedFindingsId The solution-generated identifier for a related finding.
NoteText The text of a note.
NoteUpdatedBy The principal that created a note.

Filter Usage

filters=name=<FilterName>,value=<value>,comparison=<EQUALS | CONTAINS | PREFIX>
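As an added example (not the integration's own code), the helper below turns the filters syntax documented above into the Filters structure that the Security Hub GetFindings API (boto3 securityhub get_findings) accepts, rejecting filter names outside the Available Filters table and comparisons other than EQUALS, CONTAINS and PREFIX. Using ';' to separate several filter expressions, and fetch_filters() as a way of combining the "Security Hub Severity level" and "Archive Findings after fetch" options, are this example's assumptions.

```python
import re
from typing import Dict, List

# Filter names from the Available Filters table above; all of them are Security Hub StringFilters.
AVAILABLE_FILTERS = frozenset({
    "ProductArn", "AwsAccountId", "Id", "GeneratorId", "Type", "SeverityLabel", "Title", "Description",
    "RecommendationText", "SourceUrl", "ProductName", "CompanyName", "MalwareName", "MalwareType",
    "MalwarePath", "MalwareState", "NetworkDirection", "NetworkProtocol", "NetworkSourceDomain",
    "NetworkSourceMac", "NetworkDestinationDomain", "ProcessName", "ProcessPath",
    "ThreatIntelIndicatorType", "ThreatIntelIndicatorValue", "ThreatIntelIndicatorCategory",
    "ThreatIntelIndicatorSource", "ThreatIntelIndicatorSourceUrl", "ResourceType", "ResourceId",
    "ResourcePartition", "ResourceRegion", "ResourceAwsEc2InstanceType", "ResourceAwsEc2InstanceImageId",
    "ResourceAwsEc2InstanceKeyName", "ResourceAwsEc2InstanceIamInstanceProfileArn",
    "ResourceAwsEc2InstanceVpcId", "ResourceAwsEc2InstanceSubnetId", "ResourceAwsS3BucketOwnerId",
    "ResourceAwsS3BucketOwnerName", "ResourceAwsIamAccessKeyUserName", "ResourceAwsIamAccessKeyStatus",
    "ResourceContainerName", "ResourceContainerImageId", "ResourceContainerImageName", "ComplianceStatus",
    "VerificationState", "WorkflowState", "RecordState", "RelatedFindingsProductArn", "RelatedFindingsId",
    "NoteText", "NoteUpdatedBy",
})
COMPARISONS = frozenset({"EQUALS", "CONTAINS", "PREFIX"})
SEVERITY_LABELS = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # lowest to highest

# value= may contain ':' '/' ',' and spaces (ARNs, titles), so comparison= is matched from the end.
_FILTER_RE = re.compile(r"^name=(?P<name>[^,]+),value=(?P<value>.+),comparison=(?P<cmp>[A-Za-z]+)$")

Filters = Dict[str, List[Dict[str, str]]]


def parse_filter(expr: str) -> Filters:
    """Parse one 'name=<FilterName>,value=<value>,comparison=<EQUALS|CONTAINS|PREFIX>' expression."""
    m = _FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"malformed filter {expr!r}; expected name=...,value=...,comparison=...")
    name, value, cmp = m["name"].strip(), m["value"].strip(), m["cmp"].upper()
    if name not in AVAILABLE_FILTERS:
        raise ValueError(f"unknown filter name {name!r}; see the Available Filters table")
    if cmp not in COMPARISONS:
        raise ValueError(f"comparison must be one of {sorted(COMPARISONS)}, got {cmp!r}")
    return {name: [{"Value": value, "Comparison": cmp}]}


def parse_filters(arg: str) -> Filters:
    """Parse one or more expressions (';' between them is this example's assumption) into the
    dict passed as Filters= to boto3's securityhub get_findings(); entries for the same filter
    name are collected under one key."""
    filters: Filters = {}
    for expr in arg.split(";"):
        if expr.strip():
            for name, entries in parse_filter(expr).items():
                filters.setdefault(name, []).extend(entries)
    return filters


def fetch_filters(min_level: str) -> Filters:
    """Example assumption of a fetch-incidents filter: every severity label at or above
    min_level, and ACTIVE records only, so findings archived after an earlier fetch
    (the Archive Findings after fetch option) are not pulled in again."""
    level = min_level.upper()
    if level not in SEVERITY_LABELS:
        raise ValueError(f"unknown severity level {min_level!r}")
    labels = SEVERITY_LABELS[SEVERITY_LABELS.index(level):]
    return {
        "SeverityLabel": [{"Value": lbl, "Comparison": "EQUALS"} for lbl in labels],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }
```

The result of parse_filters() is what the command example in section 1 sends to GetFindings after the Id filter string is parsed.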