AWS Security Hub
Security Hub collects security data from across AWS accounts, services, and supported third-party partner products. Configure FortiSIEM to gather this data collected by Security Hub, so FortiSIEM can analyze this data to identify the highest priority security issues.
What is Discovered and Monitored
Protocol | Information collected | Used for |
---|---|---|
AWS Security Hub SDK | Security data | Security and compliance |
Event Types
In RESOURCES > Event Types, enter "AWS Sechub" in the main content panel Search... field to see the event types associated with this device.
Rules
In RESOURCES > Rules, enter "AWS Sechub" in the main content panel Search... field to see the rules associated with this device.
Reports
In RESOURCES > Reports, enter "AWS Security Hub" in the main content panel Search... field to see the reports associated with this device.
Requirements
FortiSIEM uses PHP V3 SDK to integrate data from the security hub to perform comprehensive security analytics.
Configuring AWS Security Hub
Supported Regions in AWS
Security Hub only collects events from the region where you enabled Security Hub. If you don't enable the Security Hub for other regions, then you won't get events from those regions. FortiSIEM allows you to specify multiple regions when you create a new credential. In the regions you specify, the Security Hub will be enabled. These regions should use the following AWS region codes:
Region Name |
Region Code |
---|---|
US East (Ohio) |
us-east-2 |
US East (N. Virginia) |
us-east-1 |
US West (N. California) |
us-west-1 |
US West (Oregon) |
us-west-2 |
Asia Pacific (Hong Kong) |
ap-east-1 |
Asia Pacific (Mumbai) |
ap-south-1 |
Asia Pacific (Seoul) |
ap-northeast-2 |
Asia Pacific (Singapore) |
ap-southeast-1 |
Asia Pacific (Sydney) |
ap-southeast-2 |
Asia Pacific (Tokyo) |
ap-northeast-1 |
Canada (Central) |
ca-central-1 |
EU (Frankfurt) |
eu-central-1 |
EU (Ireland) |
eu-west-1 |
EU (London) |
eu-west-2 |
EU (Paris) |
eu-west-3 |
EU (Stockholm) |
eu-north-1 |
South America (São Paulo) |
sa-east-1 |
Step 1: Enable Security Hub
Permissions required to enable Security Hub
- The IAM identity (user, role, or group) that you use to enable Security Hub must have the required permissions. To grant the permissions required to enable Security Hub, attach the following policy to an IAM user, group, or role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "securityhub:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "securityhub.amazonaws.com"
}
}
}
]
}
- Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the Security Hub console for the first time, choose Get Started and then choose Enable Security Hub.
Step 2: Get an Access Key
This feature supports long-term access keys. Access keys consist of two parts: an access key ID and a secret access key.
Permissions Required
To create access keys for your own IAM user, you must have the permissions from the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:GetUser",
"iam:ListAccessKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
To Create, Modify, or Delete Your Own IAM User Access Keys (Console)
- Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
- In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
- On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following:
- To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
- To disable an active access key, choose Make inactive.
- To reenable an inactive access key, choose Make active.
- To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys.
Configuring FortiSIEM for AWS Security Hub Access
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings Description Name Enter a name for the credential Device Type Amazon AWS Security Hub Access Protocol AWS Security Hub SDK Region You can enter one or more regions separated by a space, for example, “us-east-1 us-west-2”. See Supported Regions in AWS for a list of valid regions. Password Config Choose Manual, CyberArk SDK, CyberArk REST API, or RAX_Janus from the drop down list. For CyberArk SDK, see CyberArk SDK Password Configuration. For CyberArk REST API, see CyberArk REST API Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration. Access Key Access key for your AWS Security Hub instance. See Step 2: Get an Access Key. Secret Key Secret key for your AWS Security Hub instance Session Token The session token is used by credentials from Rax Scan. If you obtained an access key as described in Step 2: Get an Access Key, then leave this field empty. Organization The organization the device belongs to. Description Description of the device.
- In Step 2: Enter IP Range to Credential Associations, click New.
- Select the name of your AWS Security Hub credential from the Credentials drop-down list. The IP/Host Name field/destination should auto populate to "amazon.com".
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to AWS Security Hub.
- To see the jobs associated with AWS Security Hub, select ADMIN > Setup > Pull Events.
- To see the received events select ANALYTICS, then enter "AWS Security Hub" in the search box.
Sample Events
[AWS_SECURITY_HUB_EVENT_DATA] ={ "AwsAccountId": "111111111111", "CreatedAt": "2019-08-06T04:56:44.894Z", "Description": "10.10.10.72 is performing SSH brute force attacks against i-0100ee1e110c011c1. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", "FirstObservedAt": "2019-08-06T04:51:14Z", "GeneratorId": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa", "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4", "LastObservedAt": "2019-08-06T05:22:54Z", "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "ProductFields": { "action/actionType": "NETWORK_CONNECTION", "action/networkConnectionAction/blocked": "false", "action/networkConnectionAction/connectionDirection": "INBOUND", "action/networkConnectionAction/localPortDetails/port": "22", "action/networkConnectionAction/localPortDetails/portName": "SSH", "action/networkConnectionAction/protocol": "TCP", "action/networkConnectionAction/remoteIpDetails/country/countryName": "Ruritania", "action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "12.7265", "action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "132.7756", "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72", "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047", "action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "Ruritania Mobile communications corporation", "action/networkConnectionAction/remoteIpDetails/organization/isp": "Ruritania Mobile Yourtown", "action/networkConnectionAction/remoteIpDetails/organization/org": "Ruritania Mobile", "action/networkConnectionAction/remotePortDetails/port": "33242", "action/networkConnectionAction/remotePortDetails/portName": "Unknown", "archived": "false", "aws/securityhub/CompanyName": "Amazon", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/SeverityLabel": "MEDIUM", "count": "7", "detectorId": "50b2ea07131dbe1530c23facb594b1fa", "resourceRole": "TARGET" }, "RecordState": "ACTIVE", "Resources": [ { "Details": { "AwsEc2Instance": { "ImageId": "ami-f2c2408a", "IpV4Addresses": [ "10.10.10.20", "10.0.0.137" ], "LaunchedAt": "2019-08-05T17:10:47.000Z", "SubnetId": "subnet-931605f1", "Type": "m5.4xlarge", "VpcId": "vpc-c66576a4" } }, "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5", "Partition": "aws", "Region": "us-west-2", "Tags": { "Name": "elasticsearch-node-coordinator" }, "Type": "AwsEc2Instance" } ], "SchemaVersion": "2018-10-08", "Severity": { "Normalized": 40, "Product": 2 }, "Title": "310.10.10.72 is performing SSH brute force attacks against i-0799ee6e490c078c5. ", "Types": [ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce" ], "UpdatedAt": "2019-08-06T05:28:24.425Z", "WorkflowState": "NEW", "phCustId": 1, "serverIp": "10.10.10.22", "serverName": "amzon.com" }