Fortinet black logo

External Systems Configuration Guide

AWS Security Hub

AWS Security Hub

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products. FortiSIEM want to get this data collected by Security Hub and analyze this data to identify the highest priority security issues.

What is Discovered and Monitored

Protocol Information collected Used for
AWS Security Hub SDK Security data Security and compliance

Event Types

In RESOURCES > Event Types, enter "AWS Sechub" in the Search column to see the event types associated with this device.

Rules

In RESOURCES > Rules, enter "AWS Sechub" in the Search column to see the rules associated with this device.

Reports

In RESOURCES > Reports, enter "AWS Security Hub" in the Search column to see the reports associated with this device.

Requirements

FortiSIEM uses PHP V3 SDK to integrate data from the security hub to perform comprehensive security analytics.

Configuring AWS Security Hub

Supported Regions in AWS

Security Hub only collects events from the region where you enabled Security Hub. If you don't enable the Security Hub for other regions, then you won't get events from those regions. FortiSIEM allows you to specify multiple regions when you create a new credential. In the regions you specify, the Security Hub will be enabled. These regions should use the following AWS region codes:

Region Name

Region Code

US East (Ohio)

us-east-2

US East (N. Virginia)

us-east-1

US West (N. California)

us-west-1

US West (Oregon)

us-west-2

Asia Pacific (Hong Kong)

ap-east-1

Asia Pacific (Mumbai)

ap-south-1

Asia Pacific (Seoul)

ap-northeast-2

Asia Pacific (Singapore)

ap-southeast-1

Asia Pacific (Sydney)

ap-southeast-2

Asia Pacific (Tokyo)

ap-northeast-1

Canada (Central)

ca-central-1

EU (Frankfurt)

eu-central-1

EU (Ireland)

eu-west-1

EU (London)

eu-west-2

EU (Paris)

eu-west-3

EU (Stockholm)

eu-north-1

South America (São Paulo)

sa-east-1

Step 1: Enable Security Hub

Permissions required to enable Security Hub

  1. The IAM identity (user, role, or group) that you use to enable Security Hub must have the required permissions. To grant the permissions required to enable Security Hub, attach the following policy to an IAM user, group, or role.

    {

    "Version": "2012-10-17",

    "Statement": [

    {

    "Effect": "Allow",

    "Action": "securityhub:*",

    "Resource": "*"

    },

    {

    "Effect": "Allow",

    "Action": "iam:CreateServiceLinkedRole",

    "Resource": "*",

    "Condition": {

    "StringLike": {

    "iam:AWSServiceName": "securityhub.amazonaws.com"

    }

    }

    }

    ]

    }

  2. Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the Security Hub console for the first time, choose Get Started and then choose Enable Security Hub.
Step 2: Get an Access Key

This feature supports long-term access keys. Access keys consist of two parts: an access key ID and a secret access key.

Permissions Required

To create access keys for your own IAM user, you must have the permissions from the following policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "CreateOwnAccessKeys",

"Effect": "Allow",

"Action": [

"iam:CreateAccessKey",

"iam:GetUser",

"iam:ListAccessKeys"

],

"Resource": "arn:aws:iam::*:user/${aws:username}"

}

]

}

To create, modify, or delete your own IAM user access keys (console):

  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
  2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
  3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following:
    • To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
    • To disable an active access key, choose Make inactive.
    • To reenable an inactive access key, choose Make active.
    • To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys.

Configuring FortiSIEM for AWS Security Hub Access

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Settings Description
      Name Enter a name for the credential
      Device Type Amazon AWS Security Hub
      Access Protocol AWS Security Hub SDK
      RegionYou can enter one or more regions separated by a space, for example, “us-east-1 us-west-2”. See Supported Regions in AWS for a list of valid regions.
      Password ConfigChoose Manual, CyberArk, or RAX_Janus from the drop down list. For CyberArk , see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration.
      Access KeyAccess key for your AWS Security Hub instance. See Step 2: Get an Access Key.
      Secret Key Secret key for your AWS Security Hub instance
      Session TokenThe session token is used by credentials from Rax Scan. If you obtained an access key as described in Step 2: Get an Access Key, then leave this field empty.
      Organization The organization the device belongs to.
      Description Description of the device.
  3. In Step 2, Enter IP Range to Credential Associations:
    1. Select the name of your AWS Security Hub credential from the Credentials drop-down list.
    2. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    3. Click Save.
  4. Click Test to test the connection to AWS Security Hub.
  5. To see the jobs associated with AWS Security Hub, select ADMIN > Pull Events.
  6. To see the received events select ANALYTICS, then enter AWS Security Hubin the search box.

Sample Events

[AWS_SECURITY_HUB_EVENT_DATA] ={
 "AwsAccountId": "111111111111", 
 "CreatedAt": "2019-08-06T04:56:44.894Z",
 "Description": "10.10.10.72 is performing SSH brute force attacks against i-0100ee1e110c011c1. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
 "FirstObservedAt": "2019-08-06T04:51:14Z",
 "GeneratorId": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa", 
 "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
 "LastObservedAt": "2019-08-06T05:22:54Z",
 "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
 "ProductFields": {
  "action/actionType": "NETWORK_CONNECTION",
  "action/networkConnectionAction/blocked": "false",
  "action/networkConnectionAction/connectionDirection": "INBOUND",
  "action/networkConnectionAction/localPortDetails/port": "22",
  "action/networkConnectionAction/localPortDetails/portName": "SSH",
  "action/networkConnectionAction/protocol": "TCP",
  "action/networkConnectionAction/remoteIpDetails/country/countryName": "China",
  "action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "34.7725",
  "action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "113.7266",
  "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72",  
  "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047",
  "action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "China Mobile communications corporation",
  "action/networkConnectionAction/remoteIpDetails/organization/isp": "China Mobile Guangdong",
  "action/networkConnectionAction/remoteIpDetails/organization/org": "China Mobile",
  "action/networkConnectionAction/remotePortDetails/port": "33242",
  "action/networkConnectionAction/remotePortDetails/portName": "Unknown",
  "archived": "false",
  "aws/securityhub/CompanyName": "Amazon",
  "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
  "aws/securityhub/ProductName": "GuardDuty",
  "aws/securityhub/SeverityLabel": "MEDIUM",
  "count": "7",
  "detectorId": "50b2ea07131dbe1530c23facb594b1fa",
  "resourceRole": "TARGET"
 },
 "RecordState": "ACTIVE",
 "Resources": [
  {
  "Details": {
   "AwsEc2Instance": {
    "ImageId": "ami-f2c2408a",
     "IpV4Addresses": [
       "10.10.10.20",
       "10.0.0.137"
   ],
   "LaunchedAt": "2019-08-05T17:10:47.000Z",
   "SubnetId": "subnet-931605f1",
   "Type": "m5.4xlarge",
   "VpcId": "vpc-c66576a4"
  }
  },
  "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5",
  "Partition": "aws",
  "Region": "us-west-2",
  "Tags": {
   "Name": "elasticsearch-node-coordinator"
  },
  "Type": "AwsEc2Instance"
  }
 ],
 "SchemaVersion": "2018-10-08",
 "Severity": {
 "Normalized": 40,
 "Product": 2
},
"Title": "310.10.10.72 is performing SSH brute force attacks against i-0799ee6e490c078c5. ",
"Types": [
 "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
],
 "UpdatedAt": "2019-08-06T05:28:24.425Z",
 "WorkflowState": "NEW",
 "phCustId": 1,
 "serverIp": "10.10.10.22",
 "serverName": "amzon.com"
}			

AWS Security Hub

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products. FortiSIEM want to get this data collected by Security Hub and analyze this data to identify the highest priority security issues.

What is Discovered and Monitored

Protocol Information collected Used for
AWS Security Hub SDK Security data Security and compliance

Event Types

In RESOURCES > Event Types, enter "AWS Sechub" in the Search column to see the event types associated with this device.

Rules

In RESOURCES > Rules, enter "AWS Sechub" in the Search column to see the rules associated with this device.

Reports

In RESOURCES > Reports, enter "AWS Security Hub" in the Search column to see the reports associated with this device.

Requirements

FortiSIEM uses PHP V3 SDK to integrate data from the security hub to perform comprehensive security analytics.

Configuring AWS Security Hub

Supported Regions in AWS

Security Hub only collects events from the region where you enabled Security Hub. If you don't enable the Security Hub for other regions, then you won't get events from those regions. FortiSIEM allows you to specify multiple regions when you create a new credential. In the regions you specify, the Security Hub will be enabled. These regions should use the following AWS region codes:

Region Name

Region Code

US East (Ohio)

us-east-2

US East (N. Virginia)

us-east-1

US West (N. California)

us-west-1

US West (Oregon)

us-west-2

Asia Pacific (Hong Kong)

ap-east-1

Asia Pacific (Mumbai)

ap-south-1

Asia Pacific (Seoul)

ap-northeast-2

Asia Pacific (Singapore)

ap-southeast-1

Asia Pacific (Sydney)

ap-southeast-2

Asia Pacific (Tokyo)

ap-northeast-1

Canada (Central)

ca-central-1

EU (Frankfurt)

eu-central-1

EU (Ireland)

eu-west-1

EU (London)

eu-west-2

EU (Paris)

eu-west-3

EU (Stockholm)

eu-north-1

South America (São Paulo)

sa-east-1

Step 1: Enable Security Hub

Permissions required to enable Security Hub

  1. The IAM identity (user, role, or group) that you use to enable Security Hub must have the required permissions. To grant the permissions required to enable Security Hub, attach the following policy to an IAM user, group, or role.

    {

    "Version": "2012-10-17",

    "Statement": [

    {

    "Effect": "Allow",

    "Action": "securityhub:*",

    "Resource": "*"

    },

    {

    "Effect": "Allow",

    "Action": "iam:CreateServiceLinkedRole",

    "Resource": "*",

    "Condition": {

    "StringLike": {

    "iam:AWSServiceName": "securityhub.amazonaws.com"

    }

    }

    }

    ]

    }

  2. Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the Security Hub console for the first time, choose Get Started and then choose Enable Security Hub.
Step 2: Get an Access Key

This feature supports long-term access keys. Access keys consist of two parts: an access key ID and a secret access key.

Permissions Required

To create access keys for your own IAM user, you must have the permissions from the following policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "CreateOwnAccessKeys",

"Effect": "Allow",

"Action": [

"iam:CreateAccessKey",

"iam:GetUser",

"iam:ListAccessKeys"

],

"Resource": "arn:aws:iam::*:user/${aws:username}"

}

]

}

To create, modify, or delete your own IAM user access keys (console):

  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
  2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
  3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following:
    • To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
    • To disable an active access key, choose Make inactive.
    • To reenable an inactive access key, choose Make active.
    • To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys.

Configuring FortiSIEM for AWS Security Hub Access

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Settings Description
      Name Enter a name for the credential
      Device Type Amazon AWS Security Hub
      Access Protocol AWS Security Hub SDK
      RegionYou can enter one or more regions separated by a space, for example, “us-east-1 us-west-2”. See Supported Regions in AWS for a list of valid regions.
      Password ConfigChoose Manual, CyberArk, or RAX_Janus from the drop down list. For CyberArk , see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration.
      Access KeyAccess key for your AWS Security Hub instance. See Step 2: Get an Access Key.
      Secret Key Secret key for your AWS Security Hub instance
      Session TokenThe session token is used by credentials from Rax Scan. If you obtained an access key as described in Step 2: Get an Access Key, then leave this field empty.
      Organization The organization the device belongs to.
      Description Description of the device.
  3. In Step 2, Enter IP Range to Credential Associations:
    1. Select the name of your AWS Security Hub credential from the Credentials drop-down list.
    2. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    3. Click Save.
  4. Click Test to test the connection to AWS Security Hub.
  5. To see the jobs associated with AWS Security Hub, select ADMIN > Pull Events.
  6. To see the received events select ANALYTICS, then enter AWS Security Hubin the search box.

Sample Events

[AWS_SECURITY_HUB_EVENT_DATA] ={
 "AwsAccountId": "111111111111", 
 "CreatedAt": "2019-08-06T04:56:44.894Z",
 "Description": "10.10.10.72 is performing SSH brute force attacks against i-0100ee1e110c011c1. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
 "FirstObservedAt": "2019-08-06T04:51:14Z",
 "GeneratorId": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa", 
 "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
 "LastObservedAt": "2019-08-06T05:22:54Z",
 "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
 "ProductFields": {
  "action/actionType": "NETWORK_CONNECTION",
  "action/networkConnectionAction/blocked": "false",
  "action/networkConnectionAction/connectionDirection": "INBOUND",
  "action/networkConnectionAction/localPortDetails/port": "22",
  "action/networkConnectionAction/localPortDetails/portName": "SSH",
  "action/networkConnectionAction/protocol": "TCP",
  "action/networkConnectionAction/remoteIpDetails/country/countryName": "China",
  "action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "34.7725",
  "action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "113.7266",
  "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72",  
  "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047",
  "action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "China Mobile communications corporation",
  "action/networkConnectionAction/remoteIpDetails/organization/isp": "China Mobile Guangdong",
  "action/networkConnectionAction/remoteIpDetails/organization/org": "China Mobile",
  "action/networkConnectionAction/remotePortDetails/port": "33242",
  "action/networkConnectionAction/remotePortDetails/portName": "Unknown",
  "archived": "false",
  "aws/securityhub/CompanyName": "Amazon",
  "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
  "aws/securityhub/ProductName": "GuardDuty",
  "aws/securityhub/SeverityLabel": "MEDIUM",
  "count": "7",
  "detectorId": "50b2ea07131dbe1530c23facb594b1fa",
  "resourceRole": "TARGET"
 },
 "RecordState": "ACTIVE",
 "Resources": [
  {
  "Details": {
   "AwsEc2Instance": {
    "ImageId": "ami-f2c2408a",
     "IpV4Addresses": [
       "10.10.10.20",
       "10.0.0.137"
   ],
   "LaunchedAt": "2019-08-05T17:10:47.000Z",
   "SubnetId": "subnet-931605f1",
   "Type": "m5.4xlarge",
   "VpcId": "vpc-c66576a4"
  }
  },
  "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5",
  "Partition": "aws",
  "Region": "us-west-2",
  "Tags": {
   "Name": "elasticsearch-node-coordinator"
  },
  "Type": "AwsEc2Instance"
  }
 ],
 "SchemaVersion": "2018-10-08",
 "Severity": {
 "Normalized": 40,
 "Product": 2
},
"Title": "310.10.10.72 is performing SSH brute force attacks against i-0799ee6e490c078c5. ",
"Types": [
 "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
],
 "UpdatedAt": "2019-08-06T05:28:24.425Z",
 "WorkflowState": "NEW",
 "phCustId": 1,
 "serverIp": "10.10.10.22",
 "serverName": "amzon.com"
}