Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using custom product integrations to send findings to Amazon Security Hub

In addition to findings generated by the integrated Amazon services and third-party products, Security Hub can consume findings that are generated by other custom security products.

You can send these findings to Security Hub manually by using the BatchImportFindings API operation.

When setting up the custom integration, use the guidelines and checklists provided in the Security Hub Partner Integration Guide.

Requirements and recommendations for sending findings from custom security products

Before you can successfully invoke the BatchImportFindings API operation, you must enable Security Hub.

You must provide the finding details using the Amazon Security Finding Format (ASFF). For the findings from your custom integration, use the following requirements and recommendations.

Setting the product ARN

When you enable Security Hub, a default product Amazon Resource Name (ARN) for Security Hub is generated in your current account.

This product ARN has the following format: arn:aws-cn:securityhub:<region>:<account-id>:product/<account-id>/default. For example, arn:aws-cn:securityhub:us-west-2:123456789012:product/123456789012/default.

Use this product ARN as the value for the ProductArn attribute when invoking the BatchImportFindings API operation.

Defining the company and product name

You can use BatchImportFindings to set a preferred company name and product name for the custom integration that is sending findings to Security Hub.

Your specified names replace the preconfigured company name (personal) and product name (default), and appear in the Security Hub console and in the JSON of each finding. See Using BatchImportFindings to create and update findings.

Setting the finding IDs

You must supply, manage, and increment your own finding IDs, using the Id attribute.

Each new finding should have a unique finding ID. If the custom product sends multiple findings with the same finding ID, Security Hub only processes the first finding.

Setting the account ID

You must specify your own account ID, using the AwsAccountId attribute.

Setting the created at and updated at dates

You must supply your own timestamps for the CreatedAt and UpdatedAt attributes.

Updating findings from custom products

In addition to sending new findings from custom products, you can also use the BatchImportFindings API operation to update existing findings from custom products.

To update existing findings, use the existing finding ID (via the Id attribute). Resend the full finding with the appropriate information updated in the request, including a modified UpdatedAt timestamp.
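The following is an added example, not code from this page or from the AWS SDK, that builds an ASFF finding meeting the requirements above, updates it by resending the full finding with the same Id and a newer UpdatedAt, and keeps only the first finding per Id before calling BatchImportFindings through boto3. The partition, region, account ID, resource and company/product names are assumed placeholders; the required-field list and the CompanyName/ProductName override are taken from the ASFF reference rather than from this page.

```python
from datetime import datetime, timezone
SCHEMA_VERSION = "2018-10-08"  # ASFF schema version accepted by BatchImportFindings

def default_product_arn(partition, region, account_id):
    """Default product ARN that Security Hub generates when you enable it (format from the page)."""
    return f"arn:{partition}:securityhub:{region}:{account_id}:product/{account_id}/default"

def iso_now():
    """ASFF timestamps are ISO 8601 UTC strings with millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_finding(product_arn, account_id, finding_id, title, description, severity,
                 resource_type, resource_id, company="ExampleCorp", product="ExampleScanner"):
    """Minimal ASFF finding carrying every field BatchImportFindings requires (placeholder names)."""
    now = iso_now()
    return {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": finding_id,            # you supply, manage and increment finding IDs
        "ProductArn": product_arn,   # the default product ARN for your account
        "GeneratorId": f"{product}/v1",
        "AwsAccountId": account_id,  # your own account ID
        "CompanyName": company,      # replaces the preconfigured "personal"
        "ProductName": product,      # replaces the preconfigured "default"
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": now, "UpdatedAt": now,
        "Severity": {"Label": severity},  # INFORMATIONAL, LOW, MEDIUM, HIGH or CRITICAL
        "Title": title, "Description": description,
        "Resources": [{"Type": resource_type, "Id": resource_id}],
    }

def update_finding(finding, **changes):
    """An update is the full finding resent with the same Id and a newer UpdatedAt."""
    updated = {**finding, **changes, "Id": finding["Id"], "CreatedAt": finding["CreatedAt"]}
    updated["UpdatedAt"] = iso_now()
    return updated

def dedupe_batch(findings):
    """Keep only the first finding per Id; Security Hub processes only the first duplicate."""
    first = {}
    for f in findings:
        first.setdefault(f["Id"], f)
    return list(first.values())

def send(findings, client=None):
    """Import findings with boto3 (assumed wiring); returns (SuccessCount, FailedCount)."""
    import boto3  # imported here so the builders above run without boto3 installed
    client = client or boto3.client("securityhub")
    resp = client.batch_import_findings(Findings=dedupe_batch(findings))
    return resp["SuccessCount"], resp["FailedCount"]
```

Check FailedCount and FailedFindings in the response: a rejected finding is usually one with a missing required field or a mismatched ProductArn.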

Example custom integrations

You can use the following example custom product integrations as a guide to create your own custom solution.

Sending findings from Chef InSpec scans to Security Hub

You can create an Amazon CloudFormation template that runs a Chef InSpec compliance scan and then sends findings to Security Hub.

For more details, see Continuous compliance monitoring with Chef InSpec and Amazon Security Hub.

Sending container vulnerabilities detected by Trivy to Security Hub

You can create an Amazon CloudFormation template that uses AquaSecurity Trivy to scan containers for vulnerabilities, and then sends those vulnerability findings to Security Hub.

For more details, see How to build a CI/CD pipeline for container vulnerability scanning with Trivy and Amazon Security Hub.