Using custom product integrations to send findings to Amazon Security Hub
In addition to findings generated by the integrated Amazon services and third-party products, Security Hub can consume findings that are generated by other custom security products.
You can send these findings to Security Hub manually by using the BatchImportFindings API operation.
When setting up the custom integration, use the guidelines and checklists provided in the Security Hub Partner Integration Guide.
Requirements and recommendations for sending findings from custom security products
Before you can successfully invoke the BatchImportFindings API operation, you must enable Security Hub.
You must provide the finding details using the Amazon Security Finding Format (ASFF). For the findings from your custom integration, use the following requirements and recommendations.
- Setting the product ARN
-
When you enable Security Hub, a default product Amazon Resource Name (ARN) for Security Hub is generated in your current account.
This product ARN has the following format:
arn:aws-cn:securityhub:<region>:<account-id>:product/<account-id>/default
For example, arn:aws-cn:securityhub:us-west-2:123456789012:product/123456789012/default.
Use this product ARN as the value for the ProductArn attribute when invoking the BatchImportFindings API operation.
- Defining the company and product name
-
You can use BatchImportFindings to set a preferred company name and product name for the custom integration that is sending findings to Security Hub. Your specified names replace the preconfigured company name and product name, called personal name and default name respectively, and appear in the Security Hub console and the JSON of each finding. See Using BatchImportFindings to create and update findings.
- Setting the finding IDs
-
You must supply, manage, and increment your own finding IDs, using the Id attribute. Each new finding should have a unique finding ID. If the custom product sends multiple findings with the same finding ID, Security Hub only processes the first finding.
- Setting the account ID
-
You must specify your own account ID, using the AwsAccountId attribute.
- Setting the created at and updated at dates
-
You must supply your own timestamps for the CreatedAt and UpdatedAt attributes.
Updating findings from custom products
In addition to sending new findings from custom products, you can also use the BatchImportFindings API operation to update existing findings from custom products.
To update existing findings, use the existing finding ID (via the Id attribute). Resend the full finding with the appropriate information updated in the request, including a modified UpdatedAt timestamp.
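The requirements above and the update procedure, as an added Python example that is not code from the Security Hub documentation: it assembles an ASFF finding carrying the caller-managed Id, AwsAccountId, ProductArn, CreatedAt and UpdatedAt, resends the same Id as an update with a fresh UpdatedAt, drops repeated Ids client-side (the service would silently keep only the first), and chunks the import into batches. The company and product names, the resource values, the 100-findings-per-call batch size and the RecordingClient stand-in for a boto3 securityhub client are assumptions made for the example.

```python
"""Build ASFF findings for a custom product and send/update them via BatchImportFindings."""
import re
from datetime import datetime, timezone

ASFF_SCHEMA_VERSION = "2018-10-08"
BATCH_LIMIT = 100  # assumed findings-per-call ceiling for BatchImportFindings
# Default product ARN shape from the page; the account ID must repeat in the resource part.
PRODUCT_ARN_RE = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:securityhub:[a-z0-9-]+:(\d{12}):product/\1/default$")

def default_product_arn(partition, region, account_id):
    """Default product ARN Security Hub generates for an account when it is enabled."""
    return f"arn:{partition}:securityhub:{region}:{account_id}:product/{account_id}/default"

def asff_timestamp(moment):
    """ISO 8601 UTC with millisecond precision and a Z suffix; moment must be tz-aware."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def build_finding(account_id, product_arn, finding_id, title, description,
                  resource_type, resource_id, severity_label, created_at,
                  company_name="ExampleCo", product_name="ExampleScanner"):
    """Minimal ASFF finding with the caller-managed Id, AwsAccountId, ProductArn,
    CreatedAt and UpdatedAt the page requires. Company/product names are assumptions."""
    if not (PRODUCT_ARN_RE.match(product_arn) and re.fullmatch(r"\d{12}", account_id)):
        raise ValueError("need a default Security Hub product ARN and a 12-digit AwsAccountId")
    stamp = asff_timestamp(created_at)
    return {
        "SchemaVersion": ASFF_SCHEMA_VERSION,
        "Id": finding_id,                 # unique per finding; repeats are ignored by the service
        "ProductArn": product_arn,
        "GeneratorId": product_name,
        "AwsAccountId": account_id,
        "CompanyName": company_name,      # replaces the preconfigured company name
        "ProductName": product_name,      # replaces the preconfigured product name
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": severity_label},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": resource_type, "Id": resource_id}],
    }

def update_finding(finding, updated_at, **changes):
    """Resend the full finding under the same Id with changed fields and a new UpdatedAt;
    CreatedAt is preserved so Security Hub treats this as an update, not a new finding."""
    updated = dict(finding)
    updated.update(changes)
    updated["UpdatedAt"] = asff_timestamp(updated_at)
    return updated

def dedupe_by_id(findings):
    """First occurrence per Id wins, matching the service; the rest are reported as dropped."""
    seen, kept, dropped = set(), [], []
    for finding in findings:
        (dropped if finding["Id"] in seen else kept).append(finding)
        seen.add(finding["Id"])
    return kept, dropped

def send_findings(client, findings):
    """Import findings in BATCH_LIMIT-sized calls; client is a boto3 securityhub client in
    practice, or any object exposing batch_import_findings(Findings=...)."""
    kept, dropped = dedupe_by_id(findings)
    totals = {"SuccessCount": 0, "FailedCount": 0, "FailedFindings": [], "Duplicates": len(dropped)}
    for start in range(0, len(kept), BATCH_LIMIT):
        resp = client.batch_import_findings(Findings=kept[start:start + BATCH_LIMIT])
        totals["SuccessCount"] += resp.get("SuccessCount", 0)
        totals["FailedCount"] += resp.get("FailedCount", 0)
        totals["FailedFindings"].extend(resp.get("FailedFindings", []))
    return totals

class RecordingClient:
    """Offline stand-in for boto3.client('securityhub'): records each batch size."""
    def __init__(self):
        self.batch_sizes = []

    def batch_import_findings(self, Findings):
        self.batch_sizes.append(len(Findings))
        return {"SuccessCount": len(Findings), "FailedCount": 0, "FailedFindings": []}

def demo(client):
    """Constructed walk-through: create one finding, update it, then send a batch of
    150 findings plus one deliberate duplicate Id. All values are made up."""
    account, arn = "123456789012", default_product_arn("aws-cn", "us-west-2", "123456789012")
    t0 = datetime(2024, 1, 2, 3, 4, 5, 678000, tzinfo=timezone.utc)
    original = build_finding(account, arn, "scan-0001/host-1/pkg-outdated", "Outdated package on host-1",
                             "Constructed sample finding", "Other", "host-1", "HIGH", t0)
    t1 = datetime(2024, 1, 3, 0, 0, 0, tzinfo=timezone.utc)
    updated = update_finding(original, t1, Severity={"Label": "LOW"})
    batch = [build_finding(account, arn, f"scan-0001/host-{i}/pkg-outdated", "Outdated package",
                           "Constructed sample finding", "Other", f"host-{i}", "LOW", t0) for i in range(150)]
    batch.append(batch[0])  # duplicate Id: the service would process only the first copy
    return {"arn": arn, "original": original, "updated": updated, "totals": send_findings(client, batch)}
```

Run `demo(RecordingClient())` to see the two batch calls (100 and 50 findings) and the single dropped duplicate; swapping in `boto3.client("securityhub")` performs the real import, since the call shape `batch_import_findings(Findings=[...])` is the same. The duplicate check matters because Security Hub gives no error for a repeated Id within a batch, it just keeps the first one.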
Example custom integrations
You can use the following example custom product integrations as a guide to create your own custom solution.
- Sending findings from Chef InSpec scans to Security Hub
-
You can create an Amazon CloudFormation template that runs a Chef InSpec compliance scan and then sends findings to Security Hub.
For more details, see Continuous compliance monitoring with Chef InSpec and Amazon Security Hub.
- Sending container vulnerabilities detected by Trivy to Security Hub
-
You can create an Amazon CloudFormation template that uses AquaSecurity Trivy to scan containers for vulnerabilities, and then sends those vulnerability findings to Security Hub.
For more details, see How to build a CI/CD pipeline for container vulnerability scanning with Trivy and Amazon Security Hub.