AWS Security Hub (Beta)
Connecting AWS Security Hub logs to your Panther Console
Overview
AWS Security Hub ingestion is in open beta starting with Panther version 1.86, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting AWS Security Hub findings. You will use Amazon EventBridge to forward Security Hub findings to an SNS topic that feeds a Panther-managed SQS queue, where you can reference them in detections and search.
How to onboard AWS Security Hub findings to Panther
Step 1: Create an AWS SNS topic
Follow Panther's instructions for creating an AWS SNS topic.
In the Name field, enter something that makes it easy to identify, e.g. panther-aws-security-hub.
Copy the topic ARN value and store it in a secure location, as you will need it in the next steps.
Example ARN:
arn:aws:sns:us-east-2:123456789012:panther-aws-security-hub
Step 2: Create Amazon EventBridge rule
Navigate to Amazon EventBridge > Buses > Rules.
Click Create Rule.
Enter the following values for the fields:
Name:
panther-aws-security-hub
Event bus:
default
Select Enable the rule on the selected event bus.
Rule type:
Rule with an event pattern
Click Next.
Enter the following values for the fields:
Event source:
AWS events or EventBridge partner events
Creation method:
Use pattern form
Event pattern:
Event source:
AWS services
AWS service:
Security Hub
Event type:
Security Hub Findings - Imported
Click Next.
Enter the following values for the fields:
Target types:
AWS Service
Select a target:
SNS Topic
Topic: Select the topic you created in Step 1, panther-aws-security-hub
Click Skip to review and create.
Click Create rule.
Stay logged in to the AWS console. You will navigate to the Panther Console for Step 3 and return to the AWS console for Step 4.
Step 3: Create an AWS Security Hub source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AWS Security Hub," then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS SQS Queue option.
Click Start Setup.
Follow Panther's instructions for configuring an SQS Source.
In the Allowed Source ARNs field, enter the ARN of the SNS topic you created in Step 1.
Click View Log Source.
Click SQS Queue ARN to copy the ARN of the SQS queue. Save it in a secure location, as you will need it in the next step.
Step 4: Create an SNS topic subscription to SQS Queue
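The AWS-side pieces of Steps 1, 2 and 4 scripted with boto3, as an added example (this is not Panther's or AWS's own code). Step 3 stays a manual action in the Panther Console; the SQS queue ARN it produces is passed in. The region, account ID, queue ARN, target Id and policy Sid are placeholders, and the topic policy is written explicitly rather than relying on the console to add one: it grants sns:Publish only to the EventBridge service principal and only from this one rule via aws:SourceArn, so a rule in another account cannot push events into the topic. A small matcher and a constructed sample event show what the pattern does and does not select.

```python
# Added example (not Panther's or AWS's own code): scripts the AWS side of the
# onboarding with boto3. Steps 1, 2 and 4 are automated; Step 3 is done in the
# Panther Console and its SQS queue ARN is passed in. Region, account ID,
# queue ARN, target Id and policy Sid are placeholders/assumptions.
import json

TOPIC_NAME = "panther-aws-security-hub"
RULE_NAME = "panther-aws-security-hub"
EVENT_BUS = "default"


def security_hub_event_pattern() -> dict:
    # Same selection as the console form: AWS services / Security Hub /
    # "Security Hub Findings - Imported".
    return {"source": ["aws.securityhub"],
            "detail-type": ["Security Hub Findings - Imported"]}


def event_matches(pattern: dict, event: dict) -> bool:
    # Minimal EventBridge matcher for the flat, exact-string pattern above:
    # every pattern key must be present in the event with one of the listed values.
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def rule_arn(region: str, account_id: str, name: str = RULE_NAME) -> str:
    return f"arn:aws:events:{region}:{account_id}:rule/{name}"


def topic_policy(topic_arn: str, rule_arn_value: str) -> dict:
    # Resource policy the topic needs so EventBridge can publish to it. Scoping
    # the service principal with aws:SourceArn to this one rule stops any other
    # rule, in any account, from publishing into the topic (confused-deputy guard).
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPantherSecurityHubRuleToPublish",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn_value}},
        }],
    }


def onboard(region: str, panther_queue_arn: str) -> dict:
    # Runs Steps 1, 2 and 4 against a real account. boto3 is imported here so
    # the pure functions above stay usable without it installed.
    import boto3
    sns = boto3.client("sns", region_name=region)
    events = boto3.client("events", region_name=region)

    topic_arn = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]            # Step 1
    rule = events.put_rule(                                                # Step 2
        Name=RULE_NAME, EventBusName=EVENT_BUS, State="ENABLED",
        EventPattern=json.dumps(security_hub_event_pattern()))
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(topic_policy(topic_arn, rule["RuleArn"])))
    events.put_targets(Rule=RULE_NAME, EventBusName=EVENT_BUS,
                       Targets=[{"Id": "panther-sns-topic", "Arn": topic_arn}])
    sub = sns.subscribe(TopicArn=topic_arn, Protocol="sqs",                # Step 4
                        Endpoint=panther_queue_arn, ReturnSubscriptionArn=True)
    return {"topic_arn": topic_arn, "rule_arn": rule["RuleArn"],
            "subscription_arn": sub["SubscriptionArn"]}


# Constructed sample of the envelope EventBridge emits for an imported finding.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-2",
    "resources": ["arn:aws:securityhub:us-east-2::product/aws/securityhub"],
    "detail": {"findings": [{"SchemaVersion": "2018-10-08", "Title": "example"}]},
}

if __name__ == "__main__":
    import sys
    # usage: python onboard.py <region> <panther-sqs-queue-arn>
    print(json.dumps(onboard(sys.argv[1], sys.argv[2]), indent=2))
```

The SQS queue created in Step 3 is managed by Panther, which is why the script only subscribes the topic to it and does not touch the queue's access policy; the Allowed Source ARNs value entered in Step 3 is what lets the topic deliver to that queue. Leave the subscription's raw message delivery at Panther's recommended setting for SQS sources.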
Supported AWS Security Hub logs
AWS.SecurityFindingFormat
Learn more about the structure of a finding on the AWS Security Finding Format (ASFF) page.
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: AWS.SecurityFindingFormat
description: AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from third-party product integrations. Security Hub processes these findings using a standard findings format called the AWS Security Finding Format (ASFF), which eliminates the need for time-consuming data conversion efforts. It then correlates ingested findings across products to prioritize the most important ones.
referenceURL: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
fields:
- name: Action
description: The Action object provides details about an action that affects or that was taken on a resource
type: object
fields:
- name: ActionType
description: ActionType field
type: string
- name: AwsApiCallAction
description: AwsApiCallAction field
type: object
fields:
- name: AffectedResources
description: AffectedResources field
type: json
- name: Api
description: API field
type: string
- name: CallerType
description: CallerType field
type: string
- name: DomainDetails
description: DomainDetails field
type: object
fields:
- name: Domain
description: Domain field
type: string
- name: FirstSeen
description: FirstSeen field
type: timestamp
timeFormats:
- rfc3339
- name: LastSeen
description: LastSeen field
type: timestamp
timeFormats:
- rfc3339
- name: RemoteIpDetails
description: RemoteIpDetails field
type: object
fields:
- name: City
description: City field
type: object
fields:
- name: CityName
description: CityName field
type: string
- name: Country
description: Country field
type: object
fields:
- name: CountryCode
description: CountryCode field
type: string
- name: CountryName
description: CountryName field
type: string
- name: GeoLocation
description: GeoLocation field
type: object
fields:
- name: Lat
description: Lat field
type: float
- name: Lon
description: Lon field
type: float
- name: IpAddressV4
description: IpAddressV4 field
type: string
indicators:
- ip
- name: Organization
description: Organization field
type: object
fields:
- name: Asn
description: Asn field
type: string
- name: AsnOrg
description: AsnOrg field
type: string
- name: Isp
description: Isp field
type: string
- name: Org
description: Org field
type: string
- name: ServiceName
description: ServiceName field
type: string
- name: DnsRequestAction
description: DnsRequestAction field
type: object
fields:
- name: Blocked
description: Blocked field
type: boolean
- name: Domain
description: Domain field
type: string
- name: Protocol
description: Protocol field
type: string
- name: NetworkConnectionAction
description: NetworkConnectionAction field
type: object
fields:
- name: Blocked
description: Blocked field
type: boolean
- name: ConnectionDirection
description: ConnectionDirection field
type: string
- name: LocalPortDetails
description: LocalPortDetails field
type: object
fields:
- name: Port
description: Port field
type: bigint
- name: PortName
description: PortName field
type: string
- name: Protocol
description: Protocol field
type: string
- name: RemoteIpDetails
description: RemoteIpDetails field
type: object
fields:
- name: City
description: City field
type: object
fields:
- name: CityName
description: CityName field
type: string
- name: Country
description: Country field
type: object
fields:
- name: CountryCode
description: CountryCode field
type: string
- name: CountryName
description: CountryName field
type: string
- name: GeoLocation
description: GeoLocation field
type: object
fields:
- name: Lat
description: Lat field
type: float
- name: Lon
description: Lon field
type: float
- name: IpAddressV4
description: IpAddressV4 field
type: string
indicators:
- ip
- name: Organization
description: Organization field
type: object
fields:
- name: Asn
description: Asn field
type: string
- name: AsnOrg
description: AsnOrg field
type: string
- name: Isp
description: Isp field
type: string
- name: Org
description: Org field
type: string
- name: RemotePortDetails
description: RemotePortDetails field
type: object
fields:
- name: Port
description: Port field
type: bigint
- name: PortName
description: PortName field
type: string
- name: PortProbeAction
description: PortProbeAction field
type: object
fields:
- name: Blocked
description: Blocked field
type: boolean
- name: PortProbeDetails
description: PortProbeDetails field
type: array
element:
type: object
fields:
- name: LocalIpDetails
description: LocalIpDetails field
type: object
fields:
- name: IpAddressV4
description: IpAddressV4 field
type: string
indicators:
- ip
- name: LocalPortDetails
description: LocalPortDetails field
type: object
fields:
- name: PortName
description: PortName field
type: string
- name: Port
description: Port field
type: bigint
- name: RemoteIpDetails
description: RemoteIpDetails field
type: object
fields:
- name: City
description: City field
type: object
fields:
- name: CityName
description: CityName field
type: string
- name: Country
description: Country field
type: object
fields:
- name: CountryCode
description: CountryCode field
type: string
- name: CountryName
description: CountryName field
type: string
- name: GeoLocation
description: GeoLocation field
type: object
fields:
- name: Lat
description: Lat field
type: float
- name: Lon
description: Lon field
type: float
- name: IpAddressV4
description: IpAddressV4 field
type: string
indicators:
- ip
- name: Organization
description: Organization field
type: object
fields:
- name: Asn
description: Asn field
type: string
- name: AsnOrg
description: AsnOrg field
type: string
- name: Isp
description: Isp field
type: string
- name: Org
description: Org field
type: string
- name: AwsAccountId
description: The AWS account ID that the finding applies to
type: string
indicators:
- aws_account_id
- name: CompanyName
description: The name of the company for the product that generated the finding. For control-based findings, the company is AWS
type: string
- name: Compliance
description: The Compliance object provides finding details related to a control. This attribute is returned for findings generated from a Security Hub control and for findings that AWS Config sends to Security Hub
type: object
fields:
- name: AssociatedStandards
description: AssociatedStandards field
type: array
element:
type: object
fields:
- name: StandardsId
description: StandardsId field
type: string
- name: RelatedRequirements
description: RelatedRequirements field
type: array
element:
type: string
- name: SecurityControlId
description: SecurityControlId field
type: string
- name: Status
description: Status field
type: string
- name: StatusReasons
description: StatusReasons field
type: array
element:
type: object
fields:
- name: Description
description: Description field
type: string
- name: ReasonCode
description: ReasonCode field
type: string
- name: Confidence
description: The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. 0 means 0 percent confidence, and 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified
type: bigint
- name: CreatedAt
required: true
description: Indicates when the potential security issue captured by a finding was created
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: ProcessedAt
description: Indicates when the finding record was created or last updated. This value is typically the same as the value for the CreatedAt timestamp on the finding
type: string
timeFormats:
- rfc3339
- name: Criticality
description: The level of importance that is assigned to the resources that are associated with a finding.
type: bigint
- name: Description
required: true
description: A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding.
type: string
- name: FindingProviderFields
description: The FindingProviderFields object contains information about the provider of the finding
type: object
fields:
- name: ConfidenceLevel
description: ConfidenceLevel field
type: bigint
- name: Criticality
description: Criticality field
type: bigint
- name: RelatedFindings
description: RelatedFindings field
type: array
element:
type: object
fields:
- name: ProductArn
description: ProductArn field
type: string
indicators:
- aws_arn
- name: Id
description: ID field
type: string
- name: Severity
description: Severity field
type: object
fields:
- name: Label
description: Label field
type: string
- name: Normalized
description: Normalized field
type: bigint
- name: Original
description: Original field
type: string
- name: Types
description: Types field
type: array
element:
type: string
- name: FirstObservedAt
description: Indicates when the potential security issue captured by a finding was first observed. This timestamp reflects the time of when the event or vulnerability was first observed. Consequently, it can differ from the CreatedAt timestamp, which reflects the time this finding record was created.
type: timestamp
timeFormats:
- rfc3339
- name: GeneratorId
required: true
description: The identifier for the solution-specific component (a discrete unit of logic) that generated a finding
type: string
- name: Id
required: true
description: The product-specific identifier for a finding. For control findings that Security Hub generates, this field provides the Amazon Resource Name (ARN) of the finding
type: string
indicators:
- aws_arn
- name: LastObservedAt
description: Indicates when the potential security issue that was captured by a finding was most recently observed by the security findings product. This timestamp reflects the time when the event or vulnerability was last or most recently observed. Consequently, it can differ from the UpdatedAt timestamp, which reflects when this finding record was last or most recently updated
type: timestamp
timeFormats:
- rfc3339
- name: Malware
description: The Malware object provides a list of malware related to a finding
type: array
element:
type: object
fields:
- name: Name
description: Name field
type: string
- name: Path
description: Path field
type: string
- name: State
description: State field
type: string
- name: Type
description: Type field
type: string
- name: Network
description: The Network object provides network-related information about a finding. This object is retired
type: object
fields:
- name: DestinationDomain
description: DestinationDomain field
type: string
indicators:
- domain
- name: DestinationIpV4
description: DestinationIpV4 field
type: string
indicators:
- ip
- name: DestinationIpV6
description: DestinationIpV6 field
type: string
indicators:
- ip
- name: DestinationPort
description: DestinationPort field
type: bigint
- name: Direction
description: Direction field
type: string
- name: OpenPortRange
description: OpenPortRange field
type: object
fields:
- name: Begin
description: Begin field
type: bigint
- name: End
description: End field
type: bigint
- name: Protocol
description: Protocol field
type: string
- name: SourceDomain
description: SourceDomain field
type: string
indicators:
- domain
- name: SourceIpV4
description: SourceIpV4 field
type: string
indicators:
- ip
- name: SourceIpV6
description: SourceIpV6 field
type: string
indicators:
- ip
- name: SourceMac
description: SourceMac field
type: string
indicators:
- mac
- name: SourcePort
description: SourcePort field
type: bigint
- name: NetworkPath
description: The NetworkPath object provides information about a network path that is related to a finding. Each entry in NetworkPath represents a component of the path
type: array
element:
type: object
fields:
- name: ComponentId
description: ComponentId field
type: string
- name: ComponentType
description: ComponentType field
type: string
- name: Egress
description: Egress field
type: object
fields:
- name: Protocol
description: Protocol field
type: string
- name: Destination
description: Destination field
type: object
fields:
- name: Address
description: Address field
type: array
element:
type: string
indicators:
- ip
- name: PortRanges
description: PortRanges field
type: array
element:
type: object
fields:
- name: Begin
description: Begin field
type: bigint
- name: End
description: End field
type: bigint
- name: Source
description: Source field
type: object
fields:
- name: Address
description: Address field
type: array
element:
type: string
indicators:
- ip
- name: PortRanges
description: PortRanges field
type: array
element:
type: object
fields:
- name: Begin
description: Begin field
type: bigint
- name: End
description: End field
type: bigint
- name: Ingress
description: Ingress field
type: object
fields:
- name: Protocol
description: Protocol field
type: string
- name: Destination
description: Destination field
type: object
fields:
- name: Address
description: Address field
type: array
element:
type: string
indicators:
- ip
- name: PortRanges
description: PortRanges field
type: array
element:
type: object
fields:
- name: Begin
description: Begin field
type: bigint
- name: End
description: End field
type: bigint
- name: Source
description: Source field
type: object
fields:
- name: Address
description: Address field
type: array
element:
type: string
indicators:
- ip
- name: PortRanges
description: PortRanges field
type: array
element:
type: object
fields:
- name: Begin
description: Begin field
type: bigint
- name: End
description: End field
type: bigint
- name: Note
description: The Note object specifies a user-defined note that you can add to a finding
type: object
fields:
- name: Text
description: Text field
type: string
- name: UpdatedAt
description: UpdatedAt field
type: timestamp
timeFormats:
- rfc3339
- name: UpdatedBy
description: UpdatedBy field
type: string
indicators:
- username
- name: PatchSummary
description: The PatchSummary object provides a summary of the patch compliance status for an instance against a selected compliance standard
type: object
fields:
- name: FailedCount
description: FailedCount field
type: bigint
- name: Id
description: ID field
type: string
- name: InstalledCount
description: InstalledCount field
type: bigint
- name: InstalledOtherCount
description: InstalledOtherCount field
type: bigint
- name: InstalledPendingReboot
description: InstalledPendingReboot field
type: bigint
- name: InstalledRejectedCount
description: InstalledRejectedCount field
type: bigint
- name: MissingCount
description: MissingCount field
type: bigint
- name: Operation
description: Operation field
type: string
- name: OperationEndTime
description: OperationEndTime field
type: timestamp
timeFormats:
- rfc3339
- name: OperationStartTime
description: OperationStartTime field
type: timestamp
timeFormats:
- rfc3339
- name: RebootOption
description: RebootOption field
type: string
- name: Process
description: The Process object provides process-related details about a finding
type: object
fields:
- name: LaunchedAt
description: LaunchedAt field
type: timestamp
timeFormats:
- rfc3339
- name: Name
description: Name field
type: string
- name: ParentPid
description: ParentPid field
type: bigint
- name: Path
description: Path field
type: string
- name: Pid
description: Pid field
type: bigint
- name: TerminatedAt
description: TerminatedAt field
type: timestamp
timeFormats:
- rfc3339
- name: ProductArn
required: true
description: The Amazon Resource Name (ARN) generated by Security Hub that uniquely identifies a third-party findings product after the product is registered with Security Hub
type: string
indicators:
- aws_arn
- name: ProductFields
description: A data type where security findings products can include additional solution-specific details that are not part of the defined AWS Security Finding Format. For findings generated by Security Hub controls, ProductFields includes information about the control.
type: json
- name: ProductName
description: Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub
type: string
- name: RecordState
description: Provides the record state of a finding. By default, when initially generated by a service, findings are considered ACTIVE. The ARCHIVED state indicates that a finding should be hidden from view. Archived findings are not immediately deleted. You can search, review, and report on them. Security Hub automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.
type: string
- name: Region
description: Specifies the AWS Region from which the finding was generated
type: string
- name: RelatedFindings
description: Provides a list of findings that are related to the current finding
type: array
element:
type: object
fields:
- name: Id
description: ID field
type: string
- name: ProductArn
description: ProductArn field
type: string
indicators:
- aws_arn
- name: Remediation
description: The Remediation object provides information about recommended remediation steps to address the finding
type: object
fields:
- name: Recommendation
description: Recommendation field
type: object
fields:
- name: Text
description: Text field
type: string
- name: Url
description: Url field
type: string
indicators:
- url
- name: Resources
required: true
description: The Resources object provides a set of resource data types that describe the AWS resources that the finding refers to
type: array
element:
type: json
- name: SchemaVersion
required: true
description: The schema version that a finding is formatted for
type: string
- name: Severity
description: The Severity object provides CVSS-based severity information about a finding
type: object
fields:
- name: Label
description: Label field
type: string
- name: Normalized
description: Normalized field
type: bigint
- name: Original
description: Original field
type: string
- name: Sample
description: Indicates whether the finding is a sample finding. A sample finding is a finding that uses example data to demonstrate what a finding might contain
type: boolean
- name: SourceUrl
description: Provides an HTTP URL that links to a page about the current finding in the security findings provider's solution
type: string
indicators:
- url
- name: Threats
description: The Threats object provides details about the threat detected by a finding
type: array
element:
type: object
fields:
- name: FilePaths
description: FilePaths field
type: array
element:
type: object
fields:
- name: FileName
description: FileName field
type: string
- name: FilePath
description: FilePath field
type: string
- name: Hash
description: Hash field
type: string
indicators:
- md5
- sha1
- sha256
- name: ResourceId
description: ResourceId field
type: string
indicators:
- aws_arn
- name: ItemCount
description: ItemCount field
type: bigint
- name: Name
description: Name field
type: string
- name: Severity
description: Severity field
type: string
- name: ThreatIntelIndicators
description: The ThreatIntelIndicator object provides threat intelligence details that are related to a finding
type: array
element:
type: object
fields:
- name: Category
description: Category field
type: string
- name: LastObservedAt
description: LastObservedAt field
type: timestamp
timeFormats:
- rfc3339
- name: Source
description: Source field
type: string
- name: SourceUrl
description: SourceUrl field
type: string
indicators:
- url
- name: Type
description: Type field
type: string
- name: Value
description: Value field
type: string
- name: Title
description: A finding's title. This field can be nonspecific boilerplate text or the actual title of the security issue or vulnerability
type: string
- name: Types
description: One or more finding types in the format of namespace/category/classifier that classify a finding
type: array
element:
type: string
- name: UpdatedAt
description: Indicates when the finding record was updated. This value is typically the same as the value for the ProcessedAt timestamp on the finding
type: timestamp
timeFormats:
- rfc3339
- name: UserDefinedFields
description: A data type where security findings providers can include additional solution-specific details that are not part of the defined AWS Security Finding Format
type: json
- name: VerificationState
description: 'Indicates the veracity of a finding. The available values for VerificationState are as follows: TRUE—The finding has been verified as accurate FALSE—The finding has been proven to be inaccurate or remediated UNKNOWN—The finding cannot be verified'
type: string
- name: Vulnerabilities
description: Vulnerabilities field
type: array
element:
type: object
fields:
- name: CodeVulnerabilities
description: CodeVulnerabilities field
type: array
element:
type: object
fields:
- name: Cwes
description: Cwes field
type: array
element:
type: string
- name: FilePath
description: FilePath field
type: object
fields:
- name: EndLine
description: EndLine field
type: bigint
- name: FileName
description: FileName field
type: string
- name: FilePath
description: FilePath field
type: string
- name: StartLine
description: StartLine field
type: bigint
- name: Cvss
description: Cvss field
type: array
element:
type: object
fields:
- name: BaseScore
description: BaseScore field
type: float
- name: BaseVector
description: BaseVector field
type: string
- name: Source
description: Source field
type: string
- name: Version
description: Version field
type: string
- name: EpssScore
description: EpssScore field
type: float
- name: ExploitAvailable
description: ExploitAvailable field
type: string
- name: FixAvailable
description: FixAvailable field
type: string
- name: Id
description: Id field
type: string
- name: ReferenceUrls
description: ReferenceUrls field
type: array
element:
type: string
indicators:
- url
- name: RelatedVulnerabilities
description: RelatedVulnerabilities field
type: array
element:
type: string
- name: Vendor
description: Vendor field
type: object
fields:
- name: Name
description: Name field
type: string
- name: Url
description: Url field
type: string
indicators:
- url
- name: VendorCreatedAt
description: VendorCreatedAt field
type: timestamp
timeFormats:
- rfc3339
- name: VendorSeverity
description: VendorSeverity field
type: string
- name: VendorUpdatedAt
description: VendorUpdatedAt field
type: timestamp
timeFormats:
- rfc3339
- name: VulnerablePackages
description: VulnerablePackages field
type: array
element:
type: object
fields:
- name: Architecture
description: Architecture field
type: string
- name: Epoch
description: Epoch field
type: string
- name: FilePath
description: FilePath field
type: string
- name: FixedInVersion
description: FixedInVersion field
type: string
- name: Name
description: Name field
type: string
- name: PackageManager
description: PackageManager field
type: string
- name: Release
description: Release field
type: string
- name: Remediation
description: Remediation field
type: string
- name: SourceLayerArn
description: SourceLayerArn field
type: string
indicators:
- aws_arn
- name: SourceLayerHash
description: SourceLayerHash field
type: string
indicators:
- md5
- sha1
- sha256
- name: Version
description: Version field
type: string
- name: Workflow
description: Provides information about the status of the investigation into a finding
type: object
fields:
- name: Status
description: Status field
type: string
- name: WorkflowState
description: The workflow state of a finding. This field is only provided for findings that are generated by a Security Hub control. It is not provided for findings that are imported manually
type: string
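A Panther Python rule written against the AWS.SecurityFindingFormat fields above, as an added example rather than a rule that ships with Panther. It alerts on ACTIVE findings with HIGH or CRITICAL severity, skips sample findings, skips findings whose workflow is already RESOLVED or SUPPRESSED, and, for control findings, only fires when Compliance.Status is FAILED (Security Hub emits control findings for PASSED checks as well). Because the "Findings - Imported" event fires again every time a finding is updated, dedup is keyed on the finding Id so one finding produces one alert. In a deployed rule the event is a Panther event object with its own deep_get; the _deep_get helper and the sample findings below are assumptions constructed so the file runs on plain dicts.

```python
# Added example: a Panther Python rule over AWS.SecurityFindingFormat events.
# Illustrative code, not a rule shipped by Panther. The sample findings are
# constructed; account IDs and ARNs are placeholders. In a real rule `event`
# is a Panther event object with its own deep_get(); _deep_get stands in for it.
from typing import Any

ALERTING_LABELS = {"CRITICAL", "HIGH"}
# ASFF normalized-score bands: 70-89 HIGH, 90-100 CRITICAL.
ALERTING_NORMALIZED_FLOOR = 70
CLOSED_WORKFLOW = {"RESOLVED", "SUPPRESSED"}


def _deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur


def is_high_severity(event: dict) -> bool:
    label = _deep_get(event, "Severity", "Label")
    if label:
        return label.upper() in ALERTING_LABELS
    # Some providers only set the numeric score; fall back to the ASFF bands.
    return int(_deep_get(event, "Severity", "Normalized", default=0)) >= ALERTING_NORMALIZED_FLOOR


def rule(event: dict) -> bool:
    if event.get("Sample"):
        return False
    if event.get("RecordState") != "ACTIVE":
        return False
    if _deep_get(event, "Workflow", "Status") in CLOSED_WORKFLOW:
        return False
    # Control findings are emitted for PASSED checks too; only FAILED matters.
    compliance_status = _deep_get(event, "Compliance", "Status")
    if compliance_status is not None and compliance_status != "FAILED":
        return False
    return is_high_severity(event)


def severity(event: dict) -> str:
    label = (_deep_get(event, "Severity", "Label") or "").upper()
    if label in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        return label
    return "CRITICAL" if int(_deep_get(event, "Severity", "Normalized", default=0)) >= 90 else "HIGH"


def title(event: dict) -> str:
    return (f"Security Hub {severity(event)} finding: {event.get('Title', 'untitled')} "
            f"in {event.get('AwsAccountId', '?')}/{event.get('Region', '?')}")


def dedup(event: dict) -> str:
    # Security Hub re-imports a finding on every update, so the same Id arrives
    # repeatedly; keying dedup on Id keeps it to one alert per finding.
    return event.get("Id") or event.get("GeneratorId", "unknown")


def alert_context(event: dict) -> dict:
    resources = event.get("Resources") or []
    return {
        "finding_id": event.get("Id"),
        "product": event.get("ProductName"),
        "types": event.get("Types", []),
        "control": _deep_get(event, "Compliance", "SecurityControlId"),
        "resource_ids": [r.get("Id") for r in resources if isinstance(r, dict)],
        "source_url": event.get("SourceUrl"),
    }


def _finding(**overrides: Any) -> dict:
    # Constructed ASFF-shaped sample; only fields the rule reads are filled in.
    base = {
        "SchemaVersion": "2018-10-08",
        "Id": "arn:aws:securityhub:us-east-2:123456789012:security-control/S3.1/finding/0000",
        "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub",
        "ProductName": "Security Hub",
        "GeneratorId": "security-control/S3.1",
        "AwsAccountId": "123456789012",
        "Region": "us-east-2",
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "CreatedAt": "2024-01-01T00:00:00.000Z",
        "UpdatedAt": "2024-01-01T00:00:00.000Z",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Title": "S3 Block Public Access setting should be enabled",
        "Description": "constructed sample finding",
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
        "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.1"},
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
        "Sample": False,
    }
    base.update(overrides)
    return base


SAMPLE_FINDINGS = {
    "failed_high_control": _finding(),
    "passed_control": _finding(Compliance={"Status": "PASSED", "SecurityControlId": "S3.1"}),
    "sample_finding": _finding(Sample=True),
    "resolved_threat": _finding(Compliance=None, Workflow={"Status": "RESOLVED"},
                                ProductName="GuardDuty", Types=["TTPs/Initial Access"]),
    "numeric_only_critical": _finding(Compliance=None, Severity={"Normalized": 95}),
}
```

Running the rule over SAMPLE_FINDINGS, only failed_high_control and numeric_only_critical fire; the PASSED control, the sample finding and the already-resolved finding are dropped before severity is considered.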