AWS Security Hub (Beta)

Connecting AWS Security Hub logs to your Panther Console

Overview

AWS Security Hub ingestion is in open beta starting with Panther version 1.86, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting AWS Security Hub findings. You will use Amazon EventBridge to forward findings to an SNS topic that feeds a Panther SQS log source, where you can reference them in detections and search. Security Hub sends a Security Hub Findings - Imported event for each new finding and for each update to an existing finding, so the same finding can reach Panther more than once; keep that in mind when writing detections on this log type.

How to onboard AWS Security Hub findings to Panther

Step 1: Create an AWS SNS topic

  • Follow Panther's instructions for creating an AWS SNS topic.

    • In the Name field, enter a name that is easy to identify, e.g. panther-aws-security-hub.

    • Copy the topic ARN value and store it in a secure location, as you will need it in the next steps.

      • Example ARN: arn:aws:sns:us-east-2:123456789012:panther-aws-security-hub

Step 2: Create an Amazon EventBridge rule

  1. Navigate to Amazon EventBridge > Buses > Rules.

  2. Click Create Rule.

  3. Enter the following values for the fields:

    • Name: panther-aws-security-hub

    • Event bus: default

    • Select Enable the rule on the selected event bus.

    • Rule type: Rule with an event pattern

  4. Click Next.

  5. Enter the following values for the fields:

    • Event source: AWS events or EventBridge partner events

    • Creation method: Use pattern form

    • Event pattern:

      • Event source: AWS services

      • AWS service: Security Hub

      • Event type: Security Hub Findings - Imported

  6. Click Next.

  7. Enter the following values for the fields:

    • Target types: AWS Service

    • Select a target: SNS Topic

    • Topic: Select the topic you created in Step 1, panther-aws-security-hub

  8. Click Skip to review and create.

  9. Click Create rule.

Stay logged in to the AWS console. You will navigate to the Panther Console for Step 3 and return to the AWS console for Step 4.

Step 3: Create an AWS Security Hub source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "AWS Security Hub," then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS SQS Queue option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an SQS Source.

    • In the Allowed Source ARNs field, enter the ARN of the SNS topic you created in Step 1.

  6. Click View Log Source.

  7. Click SQS Queue ARN to copy the ARN of the SQS queue. Save it in a secure location, as you will need it in the next step.

Step 4: Create an SNS topic subscription to SQS Queue

  • Back in the AWS console, follow Panther's instructions for creating an SNS topic subscription on the topic you created in Step 1.

    • In the Protocol dropdown, select Amazon SQS.

    • In the Endpoint field, enter the SQS Queue ARN you copied in Step 3.

  • Once the subscription is confirmed, findings delivered through the topic appear in Panther as AWS.SecurityFindingFormat events.
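
The four steps above as an added example, not Panther's or AWS's own code: the EventBridge pattern that the Step 2 form produces, a least-privilege SQS queue policy, the Step 4 subscription parameters, and the unwrapping of a message as it lands in the queue, checked locally against a constructed Security Hub event. The topic ARN, queue ARN, queue name and finding are constructed; the queue policy is an assumption about what the Allowed Source ARNs setting grants, not the document Panther itself generates.

```python
"""Added example, not Panther's or AWS's own code: Steps 1-4 expressed as the
JSON documents the AWS console builds (EventBridge pattern, SQS access policy,
SNS subscription), plus a local check that a Security Hub event matches the
pattern and that an SNS -> SQS delivery unwraps to ASFF findings.
Every ARN, the queue name and the finding are constructed. The queue policy
is an assumption about what Panther's "Allowed Source ARNs" setting grants,
not the document Panther itself generates.
"""
import json
from typing import Any

TOPIC_ARN = "arn:aws:sns:us-east-2:123456789012:panther-aws-security-hub"
# Constructed: Panther creates the real queue during Step 3.
QUEUE_ARN = "arn:aws:sqs:us-east-2:123456789012:panther-aws-security-hub"

# Step 2, pattern form: Event source "AWS services", service "Security Hub",
# event type "Security Hub Findings - Imported".
EVENT_PATTERN: dict[str, list[str]] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}


def event_matches(pattern: dict[str, list[str]], event: dict[str, Any]) -> bool:
    """EventBridge semantics for a flat pattern of string lists: every pattern
    key must be present in the event with one of the listed values.
    Nested and prefix/numeric matchers are not modelled."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def queue_access_policy(queue_arn: str, allowed_source_arns: list[str]) -> dict[str, Any]:
    """Least-privilege queue policy: only the SNS service, and only for messages
    originating from one of the listed topics, may send to the queue.
    Assumed shape of the policy behind the Step 3 "Allowed Source ARNs" field."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedSnsTopics",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": allowed_source_arns}},
        }],
    }


def sns_subscription(topic_arn: str, queue_arn: str) -> dict[str, str]:
    """Step 4 as API parameters (aws sns subscribe --topic-arn ... --protocol sqs
    --notification-endpoint ...)."""
    return {"TopicArn": topic_arn, "Protocol": "sqs", "Endpoint": queue_arn}


def unwrap_sns_delivery(sqs_body: str) -> list[dict[str, Any]]:
    """Without raw message delivery, SNS wraps the EventBridge event in a
    Notification envelope; the event carries the ASFF findings in
    detail.findings. Reject anything not from the expected topic or not
    matching the rule pattern."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification" or envelope.get("TopicArn") != TOPIC_ARN:
        raise ValueError("not a Notification from the expected topic")
    event = json.loads(envelope["Message"])
    if not event_matches(EVENT_PATTERN, event):
        raise ValueError(f"unexpected event {event.get('source')}/{event.get('detail-type')}")
    return list(event["detail"]["findings"])


# Constructed sample: one EventBridge event carrying one minimal ASFF finding.
SAMPLE_EVENT: dict[str, Any] = {
    "version": "0",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "region": "us-east-2",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.4/finding/constructed-0001",
        "AwsAccountId": "123456789012",
        "GeneratorId": "security-control/IAM.4",
        "CreatedAt": "2024-05-01T12:00:00.000Z",
        "Description": "Constructed sample finding",
        "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.4"},
    }]},
}
SAMPLE_SQS_BODY = json.dumps(
    {"Type": "Notification", "TopicArn": TOPIC_ARN, "Message": json.dumps(SAMPLE_EVENT)}
)

if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN))
    print(json.dumps(queue_access_policy(QUEUE_ARN, [TOPIC_ARN]), indent=2))
    print(sns_subscription(TOPIC_ARN, QUEUE_ARN))
    for finding in unwrap_sns_delivery(SAMPLE_SQS_BODY):
        print(finding["Id"], finding["Compliance"]["Status"])
```

Run the file directly to print the three documents and the unwrapped finding. Against a live account, aws events put-rule --event-pattern takes the same pattern, aws sns subscribe --protocol sqs --notification-endpoint with the queue ARN performs Step 4, and aws sqs get-queue-attributes --attribute-names Policy shows whether the queue policy restricts senders to the topic ARN from Step 1. If the pattern check fails on a message, the rule is forwarding something other than Security Hub Findings - Imported events.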

Supported AWS Security Hub logs

AWS.SecurityFindingFormat

Learn more about the structure of a finding on the AWS Security Finding Format (ASFF) page.
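
A detection over this log type, as an added example rather than a rule shipped by Panther: it fires on failed Security Hub controls rated HIGH or CRITICAL and on unblocked inbound network connections from external addresses, using the Compliance, Action.NetworkConnectionAction and FindingProviderFields.Severity fields from the schema below plus ASFF's top-level Severity.Label. Panther calls rule(), title(), severity() and dedup() with a PantherEvent; plain dicts stand in for it here so the file runs on its own, which assumes only the dict-style .get() that PantherEvent also provides. The sample findings are constructed.

```python
"""Added example, not a rule shipped by Panther: a Panther-style Python rule over an
AWS.SecurityFindingFormat event. It fires on failed controls rated HIGH or CRITICAL
and on unblocked inbound connections from external addresses. Panther calls rule(),
title(), severity() and dedup() with a PantherEvent; plain dicts stand in for it
here (assumption: only dict-style .get() is used, which PantherEvent also offers).
The sample findings at the bottom are constructed, not real."""
import ipaddress
from typing import Any

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Panther severities are INFO/LOW/MEDIUM/HIGH/CRITICAL; ASFF says INFORMATIONAL.
ASFF_TO_PANTHER = {"INFORMATIONAL": "INFO", "LOW": "LOW", "MEDIUM": "MEDIUM",
                   "HIGH": "HIGH", "CRITICAL": "CRITICAL"}

def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key is missing or None."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj

def finding_severity(event: dict) -> str:
    # Top-level Severity.Label is ASFF's normalized label (see the ASFF page);
    # FindingProviderFields.Severity.Label (in the schema) is the product's own.
    label = deep_get(event, "Severity", "Label") or deep_get(
        event, "FindingProviderFields", "Severity", "Label")
    return str(label or "INFORMATIONAL").upper()

def is_external(addr: str) -> bool:
    # Explicit ranges rather than ipaddress.is_global, which also treats
    # documentation ranges such as 203.0.113.0/24 as non-global.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def failed_control(event: dict) -> bool:
    return (deep_get(event, "Compliance", "Status") == "FAILED"
            and finding_severity(event) in {"HIGH", "CRITICAL"})

def unblocked_inbound(event: dict) -> bool:
    net = deep_get(event, "Action", "NetworkConnectionAction")
    if not isinstance(net, dict) or net.get("Blocked", False):
        return False
    remote = deep_get(net, "RemoteIpDetails", "IpAddressV4", default="")
    return net.get("ConnectionDirection") == "INBOUND" and is_external(remote)

def rule(event: dict) -> bool:
    return failed_control(event) or unblocked_inbound(event)

def severity(event: dict) -> str:
    return ASFF_TO_PANTHER.get(finding_severity(event), "DEFAULT")

def title(event: dict) -> str:
    account = event.get("AwsAccountId", "unknown")
    if failed_control(event):
        control = deep_get(event, "Compliance", "SecurityControlId", default="?")
        return f"Security Hub control {control} FAILED in account {account}"
    net = deep_get(event, "Action", "NetworkConnectionAction", default={})
    remote = deep_get(net, "RemoteIpDetails", "IpAddressV4")
    port = deep_get(net, "LocalPortDetails", "Port")
    return f"Unblocked inbound connection from {remote} to port {port} in account {account}"

def dedup(event: dict) -> str:
    # Security Hub re-emits a finding on every update, so key alerts on
    # account plus control (or generator), not on the individual event.
    key = deep_get(event, "Compliance", "SecurityControlId") or event.get("GeneratorId", "unknown")
    return f"{event.get('AwsAccountId')}:{key}"

# Constructed sample findings shaped like the schema on this page.
FAILED_CONTROL = {
    "Id": "arn:aws:securityhub:us-east-2:123456789012:security-control/S3.8/finding/constructed-0001",
    "AwsAccountId": "123456789012", "GeneratorId": "security-control/S3.8",
    "CreatedAt": "2024-05-01T12:00:00.000Z",
    "Description": "Constructed sample: bucket-level public access block disabled",
    "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
    "FindingProviderFields": {"Severity": {"Label": "HIGH"}},
}
INBOUND_CONNECTION = {
    "Id": "constructed-0002", "AwsAccountId": "123456789012",
    "GeneratorId": "constructed-network-detector", "CreatedAt": "2024-05-01T12:05:00.000Z",
    "Description": "Constructed sample: inbound connection accepted from an external host",
    "Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
        "Blocked": False, "ConnectionDirection": "INBOUND", "Protocol": "TCP",
        "LocalPortDetails": {"Port": 22, "PortName": "SSH"},
        "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"}}},
    "FindingProviderFields": {"Severity": {"Label": "MEDIUM"}},
}
PASSED_CONTROL = {**FAILED_CONTROL, "Id": "constructed-0003",
                  "Compliance": {"Status": "PASSED", "SecurityControlId": "S3.8"},
                  "FindingProviderFields": {"Severity": {"Label": "INFORMATIONAL"}}}
```

Calling rule() on each sample returns True for FAILED_CONTROL and INBOUND_CONNECTION and False for PASSED_CONTROL; severity() maps the ASFF label to Panther's scale, and dedup() collapses the repeated imports of one finding into a single alert per account and control.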

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: AWS.SecurityFindingFormat
description: AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from third-party product integrations. Security Hub processes these findings using a standard findings format called the AWS Security Finding Format (ASFF), which eliminates the need for time-consuming data conversion efforts. It then correlates ingested findings across products to prioritize the most important ones.
referenceURL: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
fields:
  - name: Action
    description: The Action object provides details about an action that affects or that was taken on a resource
    type: object
    fields:
      - name: ActionType
        description: ActionType field
        type: string
      - name: AwsApiCallAction
        description: AwsApiCallAction field
        type: object
        fields:
          - name: AffectedResources
            description: AffectedResources field
            type: json
          - name: Api
            description: API field
            type: string
          - name: CallerType
            description: CallerType field
            type: string
          - name: DomainDetails
            description: DomainDetails field
            type: object
            fields:
              - name: Domain
                description: Domain field
                type: string
          - name: FirstSeen
            description: FirstSeen field
            type: timestamp
            timeFormats:
              - rfc3339
          - name: LastSeen
            description: LastSeen field
            type: timestamp
            timeFormats:
              - rfc3339
          - name: RemoteIpDetails
            description: RemoteIpDetails field
            type: object
            fields:
              - name: City
                description: City field
                type: object
                fields:
                  - name: CityName
                    description: CityName field
                    type: string
              - name: Country
                description: Country field
                type: object
                fields:
                  - name: CountryCode
                    description: CountryCode field
                    type: string
                  - name: CountryName
                    description: CountryName field
                    type: string
              - name: GeoLocation
                description: GeoLocation field
                type: object
                fields:
                  - name: Lat
                    description: Lat field
                    type: float
                  - name: Lon
                    description: Lon field
                    type: float
              - name: IpAddressV4
                description: IpAddressV4 field
                type: string
                indicators:
                  - ip
              - name: Organization
                description: Organization field
                type: object
                fields:
                  - name: Asn
                    description: Asn field
                    type: string
                  - name: AsnOrg
                    description: AsnOrg field
                    type: string
                  - name: Isp
                    description: Isp field
                    type: string
                  - name: Org
                    description: Org field
                    type: string
          - name: ServiceName
            description: ServiceName field
            type: string
      - name: DnsRequestAction
        description: DnsRequestAction field
        type: object
        fields:
          - name: Blocked
            description: Blocked field
            type: boolean
          - name: Domain
            description: Domain field
            type: string
          - name: Protocol
            description: Protocol field
            type: string
      - name: NetworkConnectionAction
        description: NetworkConnectionAction field
        type: object
        fields:
          - name: Blocked
            description: Blocked field
            type: boolean
          - name: ConnectionDirection
            description: ConnectionDirection field
            type: string
          - name: LocalPortDetails
            description: LocalPortDetails field
            type: object
            fields:
              - name: Port
                description: Port field
                type: bigint
              - name: PortName
                description: PortName field
                type: string
          - name: Protocol
            description: Protocol field
            type: string
          - name: RemoteIpDetails
            description: RemoteIpDetails field
            type: object
            fields:
              - name: City
                description: City field
                type: object
                fields:
                  - name: CityName
                    description: CityName field
                    type: string
              - name: Country
                description: Country field
                type: object
                fields:
                  - name: CountryCode
                    description: CountryCode field
                    type: string
                  - name: CountryName
                    description: CountryName field
                    type: string
              - name: GeoLocation
                description: GeoLocation field
                type: object
                fields:
                  - name: Lat
                    description: Lat field
                    type: float
                  - name: Lon
                    description: Lon field
                    type: float
              - name: IpAddressV4
                description: IpAddressV4 field
                type: string
                indicators:
                  - ip
              - name: Organization
                description: Organization field
                type: object
                fields:
                  - name: Asn
                    description: Asn field
                    type: string
                  - name: AsnOrg
                    description: AsnOrg field
                    type: string
                  - name: Isp
                    description: Isp field
                    type: string
                  - name: Org
                    description: Org field
                    type: string
          - name: RemotePortDetails
            description: RemotePortDetails field
            type: object
            fields:
              - name: Port
                description: Port field
                type: bigint
              - name: PortName
                description: PortName field
                type: string
      - name: PortProbeAction
        description: PortProbeAction field
        type: object
        fields:
          - name: Blocked
            description: Blocked field
            type: boolean
          - name: PortProbeDetails
            description: PortProbeDetails field
            type: array
            element:
              type: object
              fields:
                - name: LocalIpDetails
                  description: LocalIpDetails field
                  type: object
                  fields:
                    - name: IpAddressV4
                      description: IpAddressV4 field
                      type: string
                      indicators:
                        - ip
                - name: LocalPortDetails
                  description: LocalPortDetails field
                  type: object
                  fields:
                    - name: PortName
                      description: PortName field
                      type: string
                    - name: Port
                      description: Port field
                      type: bigint
                - name: RemoteIpDetails
                  description: RemoteIpDetails field
                  type: object
                  fields:
                    - name: City
                      description: City field
                      type: object
                      fields:
                        - name: CityName
                          description: CityName field
                          type: string
                    - name: Country
                      description: Country field
                      type: object
                      fields:
                        - name: CountryCode
                          description: CountryCode field
                          type: string
                        - name: CountryName
                          description: CountryName field
                          type: string
                    - name: GeoLocation
                      description: GeoLocation field
                      type: object
                      fields:
                        - name: Lat
                          description: Lat field
                          type: float
                        - name: Lon
                          description: Lon field
                          type: float
                    - name: IpAddressV4
                      description: IpAddressV4 field
                      type: string
                      indicators:
                        - ip
                    - name: Organization
                      description: Organization field
                      type: object
                      fields:
                        - name: Asn
                          description: Asn field
                          type: string
                        - name: AsnOrg
                          description: AsnOrg field
                          type: string
                        - name: Isp
                          description: Isp field
                          type: string
                        - name: Org
                          description: Org field
                          type: string
  - name: AwsAccountId
    description: The AWS account ID that the finding applies to
    type: string
    indicators:
      - aws_account_id
  - name: CompanyName
    description: The name of the company for the product that generated the finding. For control-based findings, the company is AWS
    type: string
  - name: Compliance
    description: The Compliance object provides finding details related to a control. This attribute is returned for findings generated from a Security Hub control and for findings that AWS Config sends to Security Hub
    type: object
    fields:
      - name: AssociatedStandards
        description: AssociatedStandards field
        type: array
        element:
          type: object
          fields:
            - name: StandardsId
              description: StandardsId field
              type: string
      - name: RelatedRequirements
        description: RelatedRequirements field
        type: array
        element:
          type: string
      - name: SecurityControlId
        description: SecurityControlId field
        type: string
      - name: Status
        description: Status field
        type: string
      - name: StatusReasons
        description: StatusReasons field
        type: array
        element:
          type: object
          fields:
            - name: Description
              description: Description field
              type: string
            - name: ReasonCode
              description: ReasonCode field
              type: string
  - name: Confidence
    description: The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. 0 means 0 percent confidence, and 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified
    type: bigint
  - name: CreatedAt
    required: true
    description: Indicates when the potential security issue captured by a finding was created
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: ProcessedAt
    description: Indicates when the finding record was created or last updated. This value is typically the same as the value for the CreatedAt timestamp on the finding
    type: string
    timeFormats:
      - rfc3339
  - name: Criticality
    description: The level of importance that is assigned to the resources that are associated with a finding.
    type: bigint
  - name: Description
    required: true
    description: A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding.
    type: string
  - name: FindingProviderFields
    description: The FindingProviderFields object contains information about the provider of the finding
    type: object
    fields:
      - name: ConfidenceLevel
        description: ConfidenceLevel field
        type: bigint
      - name: Criticality
        description: Criticality field
        type: bigint
      - name: RelatedFindings
        description: RelatedFindings field
        type: array
        element:
          type: object
          fields:
            - name: ProductArn
              description: ProductArn field
              type: string
              indicators:
                - aws_arn
            - name: Id
              description: ID field
              type: string
      - name: Severity
        description: Severity field
        type: object
        fields:
          - name: Label
            description: Label field
            type: string
          - name: Normalized
            description: Normalized field
            type: bigint
          - name: Original
            description: Original field
            type: string
      - name: Types
        description: Types field
        type: array
        element:
          type: string
  - name: FirstObservedAt
    description: Indicates when the potential security issue captured by a finding was first observed. This timestamp reflects the time of when the event or vulnerability was first observed. Consequently, it can differ from the CreatedAt timestamp, which reflects the time this finding record was created.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: GeneratorId
    required: true
    description: The identifier for the solution-specific component (a discrete unit of logic) that generated a finding
    type: string
  - name: Id
    required: true
    description: The product-specific identifier for a finding. For control findings that Security Hub generates, this field provides the Amazon Resource Name (ARN) of the finding
    type: string
    indicators:
      - aws_arn
  - name: LastObservedAt
    description: Indicates when the potential security issue that was captured by a finding was most recently observed by the security findings product. This timestamp reflects the time when the event or vulnerability was last or most recently observed. Consequently, it can differ from the UpdatedAt timestamp, which reflects when this finding record was last or most recently updated
    type: timestamp
    timeFormats:
      - rfc3339
  - name: Malware
    description: The Malware object provides a list of malware related to a finding
    type: array
    element:
      type: object
      fields:
        - name: Name
          description: Name field
          type: string
        - name: Path
          description: Path field
          type: string
        - name: State
          description: State field
          type: string
        - name: Type
          description: Type field
          type: string
  - name: Network
    description: The Network object provides network-related information about a finding. This object is retired
    type: object
    fields:
      - name: DestinationDomain
        description: DestinationDomain field
        type: string
        indicators:
          - domain
      - name: DestinationIpV4
        description: DestinationIpV4 field
        type: string
        indicators:
          - ip
      - name: DestinationIpV6
        description: DestinationIpV6 field
        type: string
        indicators:
          - ip
      - name: DestinationPort
        description: DestinationPort field
        type: bigint
      - name: Direction
        description: Direction field
        type: string
      - name: OpenPortRange
        description: OpenPortRange field
        type: object
        fields:
          - name: Begin
            description: Begin field
            type: bigint
          - name: End
            description: End field
            type: bigint
      - name: Protocol
        description: Protocol field
        type: string
      - name: SourceDomain
        description: SourceDomain field
        type: string
        indicators:
          - domain
      - name: SourceIpV4
        description: SourceIpV4 field
        type: string
        indicators:
          - ip
      - name: SourceIpV6
        description: SourceIpV6 field
        type: string
        indicators:
          - ip
      - name: SourceMac
        description: SourceMac field
        type: string
        indicators:
          - mac
      - name: SourcePort
        description: SourcePort field
        type: bigint
  - name: NetworkPath
    description: The NetworkPath object provides information about a network path that is related to a finding. Each entry in NetworkPath represents a component of the path
    type: array
    element:
      type: object
      fields:
        - name: ComponentId
          description: ComponentId field
          type: string
        - name: ComponentType
          description: ComponentType field
          type: string
        - name: Egress
          description: Egress field
          type: object
          fields:
            - name: Protocol
              description: Protocol field
              type: string
            - name: Destination
              description: Destination field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
            - name: Source
              description: Source field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
        - name: Ingress
          description: Ingress field
          type: object
          fields:
            - name: Protocol
              description: Protocol field
              type: string
            - name: Destination
              description: Destination field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
            - name: Source
              description: Source field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
  - name: Note
    description: The Note object specifies a user-defined note that you can add to a finding
    type: object
    fields:
      - name: Text
        description: Text field
        type: string
      - name: UpdatedAt
        description: UpdatedAt field
        type: timestamp
        timeFormats:
          - rfc3339
      - name: UpdatedBy
        description: UpdatedBy field
        type: string
        indicators:
          - username
  - name: PatchSummary
    description: The PatchSummary object provides a summary of the patch compliance status for an instance against a selected compliance standard
    type: object
    fields:
      - name: FailedCount
        description: FailedCount field
        type: bigint
      - name: Id
        description: ID field
        type: string
      - name: InstalledCount
        description: InstalledCount field
        type: bigint
      - name: InstalledOtherCount
        description: InstalledOtherCount field
        type: bigint
      - name: InstalledPendingReboot
        description: InstalledPendingReboot field
        type: bigint
      - name: InstalledRejectedCount
        description: InstalledRejectedCount field
        type: bigint
      - name: MissingCount
        description: MissingCount field
        type: bigint
      - name: Operation
        description: Operation field
        type: string
      - name: OperationEndTime
        description: OperationEndTime field
        type: timestamp
        timeFormats:
          - rfc3339
      - name: OperationStartTime
        description: OperationStartTime field
        type: timestamp