
Integrate Opsgenie with Amazon Security Hub

With Amazon Security Hub, you can have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

What does Opsgenie offer Amazon Security Hub users?

Use Opsgenie’s Amazon Security Hub Integration to forward Amazon Security Hub findings to Opsgenie. Opsgenie determines the right people to notify based on on-call schedules, notifies them via email, text messages (SMS), phone calls and iOS & Android push notifications, and escalates alerts until the alert is acknowledged or closed.

Functionality of the integration

Amazon Security Hub sends findings that match the corresponding CloudWatch Events rule to CloudWatch. Selecting an SNS topic as the rule's target publishes the event message for those findings to SNS, which in turn delivers the message to Opsgenie.

Opsgenie also supports sending updates back to Amazon Security Hub when the following actions are performed on Opsgenie alerts created by the Amazon Security Hub integration:

  • When an alert is acknowledged in Opsgenie, the finding's workflow status is updated to Notified in AWS Security Hub.

  • When an alert is closed in Opsgenie, the finding's workflow status is updated to Resolved in AWS Security Hub.

  • When a note is added to an alert in Opsgenie, the same note is added to the finding in AWS Security Hub.

  • When an alert's priority is updated in Opsgenie, the severity of the finding is updated in AWS Security Hub.
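As an added illustration (not Opsgenie's own code, which is not public), the following Python builds the Security Hub BatchUpdateFindings request body that each of the four alert actions above corresponds to. The action names, the Opsgenie priority-to-severity mapping and the UpdatedBy value are assumptions; the page only states that status, note and severity are synchronized.

```python
# Assumed mapping from Opsgenie priorities to Security Hub severity labels, using the
# normalized score ranges Security Hub documents for each label (page does not fix this).
PRIORITY_TO_SEVERITY = {
    "P1": ("CRITICAL", 90), "P2": ("HIGH", 70), "P3": ("MEDIUM", 40),
    "P4": ("LOW", 1), "P5": ("INFORMATIONAL", 0),
}
# Workflow statuses named on the page for acknowledge and close.
WORKFLOW_FOR_ACTION = {"Acknowledge": "NOTIFIED", "Close": "RESOLVED"}


def security_hub_update(alert_action, finding_id, product_arn,
                        note=None, priority=None, user="opsgenie"):
    """Return the BatchUpdateFindings request body for one Opsgenie alert action.

    The finding is identified by its Id and ProductArn (both present in every
    finding Security Hub forwards). The IAM role from the page's CloudFormation
    template must allow securityhub:BatchUpdateFindings for this call to succeed.
    Action names ("Acknowledge", "Close", "AddNote", "UpdatePriority") are assumed.
    """
    request = {"FindingIdentifiers": [{"Id": finding_id, "ProductArn": product_arn}]}
    if alert_action in WORKFLOW_FOR_ACTION:
        request["Workflow"] = {"Status": WORKFLOW_FOR_ACTION[alert_action]}
    elif alert_action == "AddNote":
        if not note:
            raise ValueError("AddNote requires note text")
        request["Note"] = {"Text": note, "UpdatedBy": user}
    elif alert_action == "UpdatePriority":
        if priority not in PRIORITY_TO_SEVERITY:
            raise ValueError(f"unknown Opsgenie priority {priority!r}")
        label, normalized = PRIORITY_TO_SEVERITY[priority]
        request["Severity"] = {"Label": label, "Normalized": normalized}
    else:
        raise ValueError(f"unsupported alert action {alert_action!r}")
    return request
```

With boto3 the returned dict is passed as keyword arguments to `securityhub.batch_update_findings(**request)`; Security Hub reports per-finding failures in the response's `UnprocessedFindings`, which the caller should log rather than ignore.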

Add Amazon Security Hub Integration to Opsgenie

  1. Go to the Opsgenie Amazon Security Hub Integration page.

Under the Free and Essentials plans, the tabs under the Team dashboard are limited to Main, Integrations, Members, and Activity Stream.

  2. Specify who is notified of Amazon Security Hub alerts using the Teams field. Auto-complete suggestions are provided as you type.

An alternative to Steps 1 and 2 is to add the integration from the Team Dashboard of the team that will own the integration. To add an integration directly to a team, navigate to the Team Dashboard and open the Integrations tab. Click Add Integration and select the integration you would like to add.

  4. Copy the integration endpoint URL.

  5. Click Save Integration.

Amazon Security Hub Integration

Configuration in Amazon Security Hub

  1. Go to Security Hub, click Settings and select the Custom actions tab.

Amazon Security Hub Settings

  2. Click Create custom action and fill in the necessary fields.

Amazon Security Hub Custom Action

  3. The created action is now listed.

Amazon Security Hub custom action created

You can use a CloudFormation template to create the CloudWatch Events rule and the SNS topic.

Configuration in Amazon SNS

  1. Go to AWS SNS and select Topics, then click Create topic.

Amazon Security Hub SNS topic

  2. Then, click Create subscription to send SNS messages to Opsgenie.

Amazon Security Hub SNS subscription

  3. Select HTTPS as the protocol and enter Opsgenie’s API endpoint using the URL provided by the integration.

Amazon Security Hub create subscription

Configuration in Amazon CloudWatch Events

  1. Go to Amazon CloudWatch and select Rules under Events, then click Create rule.

  2. Select Event Pattern as Event Source and select Build event pattern to match all events from the dropdown menu.

Amazon Security Hub create rules

  3. Edit the event pattern preview and paste the following:

JSON

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [
    "<custom action arn you created in security hub>"
  ]
}

  4. Then, in the Targets section, select SNS topic from the dropdown menu and select the topic you created before.

Amazon Security Hub select SNS topic

  5. Click Configure details and fill in the necessary fields on the page that opens.

Amazon Security Hub rule configuration

  6. Then, click Create rule.

Enable sending updates back to Amazon Security Hub

  1. On the Opsgenie Amazon Security Hub Integration page, tick the Send Alert Updates Back to AmazonSecurityHub checkbox.

Amazon Security Hub integration enable update

  2. Opsgenie needs an IAM role to access Security Hub resources. To create a role that grants Opsgenie this access, you can use this CloudFormation template.

Amazon Security Hub CloudFormation template

  3. Make sure that all input parameters to the CloudFormation template are correct, such as the ApiKey from the Opsgenie Security Hub Integration page (pre-populated), the Opsgenie AWS AccountId (pre-populated) and the RoleName.

AWS CloudFormation Template

  4. Copy the ARN of the IAM role created above, paste it here and select the region where Security Hub is enabled.

AWS Security Hub Iam roles

  5. Click Save Integration. Alert action updates will now be sent back to the Amazon Security Hub findings.

Sample Payload from Amazon Security Hub

JSON

{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": "{\"version\":\"0\",\"id\":\"3ee38987-e0ce--91a1\",\"detail-type\":\"EC2 Instance State-change Notification\",\"source\":\"aws.ec2\",\"account\":\"abc\",\"time\":\"2017-09-11T10:49:41Z\",\"region\":\"us-west-2\",\"resources\":[\"arn:aws:ec2:us-west-2:asdf:instance/i-abc\"],\"detail\":{\"actionName\":\"custom-action-name\",\"actionDescription\":\"description of the action\",\"findings\":[{\"AwsAccountId\": \"abc\",\"Compliance\": {\"Status\": \"PASSED\"},\"Confidence\": 42,\"CreatedAt\": \"2017-03-22T13:22:13.933Z\",\"Criticality\": 99,\"Description\": \"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FirstObservedAt\": \"2017-03-22T13:22:13.933Z\",\"GeneratorId\": \"acme-vuln-9ab348\",\"Id\": \"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\": \"2017-03-23T13:22:13.933Z\",\"Malware\": [{\"Name\": \"Stringler\",\"Type\": \"COIN_MINER\",\"Path\": \"/usr/sbin/stringler\",\"State\": \"OBSERVED\"}],\"Network\": {\"Direction\": \"IN\",\"Protocol\": \"TCP\",\"SourceIpV4\": \"1.2.3.4\",\"SourceIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"SourcePort\": \"42\",\"SourceDomain\": \"here.com\",\"SourceMac\": \"00:0d:83:b1:c0:8e\",\"DestinationIpV4\": \"2.3.4.5\",\"DestinationIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"DestinationPort\": \"80\",\"DestinationDomain\": \"there.com\"},\"Note\": {\"Text\": \"Don't forget to check under the mat.\",\"UpdatedBy\": \"jsmith\",\"UpdatedAt\": \"2018-08-31T00:15:09Z\"},\"Process\": {\"Name\": \"syslogd\",\"Path\": \"/usr/sbin/syslogd\",\"Pid\": 12345,\"ParentPid\": 56789,\"LaunchedAt\": \"2018-09-27T22:37:31Z\",\"TerminatedAt\": \"2018-09-27T23:37:31Z\"},\"ProductArn\": \"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\": {\"generico/secure-pro/Count\": \"6\",\"Service_Name\": \"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\": \"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\": \"My prod env\",\"aws/inspector/RulesPackageName\": \"Common Vulnerabilities and Exposures\"},\"RecordState\": \"ACTIVE\",\"RelatedFindings\": [{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"123e4567-e89b-12d3-a456-426655440000\" },{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"AcmeNerfHerder--x189dx7824\" }],\"Remediation\": {\"Recommendation\": {\"Text\": \"Run sudo yum update and cross your fingers and toes.\",\"Url\": \"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\": [{\"Type\": \"AwsEc2Instance\",\"Id\": \"i-cafebabe\",\"Partition\": \"aws\",\"Region\": \"us-west-2\",\"Tags\": {\"billingCode\": \"Lotus-1-2-3\",\"needsPatching\": \"true\"},\"Details\": {\"AwsEc2Instance\": {\"Type\": \"i3.xlarge\",\"ImageId\": \"ami-abcd1234\",\"IpV4Addresses\": [ \"54.194.252.215\", \"192.168.1.88\" ],\"IpV6Addresses\": [ \"2001:db8:1234:1a2b::123\" ],\"KeyName\": \"my_keypair\",\"IamInstanceProfileArn\": \"arn:aws:iam:::instance-profile/AdminRole\",\"VpcId\": \"vpc-11112222\",\"SubnetId\": \"subnet-56f5f633\",\"LaunchedAt\": \"2018-05-08T16:46:19.000Z\"}}}],\"SchemaVersion\": \"2018-10-08\",\"Severity\": {\"Product\": 8.3,\"Normalized\": 25},\"SourceUrl\": \"string\",\"ThreatIntelIndicators\": [{\"Type\": \"IPV4_ADDRESS\",\"Value\": \"8.8.8.8\",\"Category\": \"BACKDOOR\",\"LastObservedAt\": \"2018-09-27T23:37:31Z\",\"Source\": \"Threat Intel Weekly\",\"SourceUrl\": \"http://threatintelweekly.org/backdoors/8888\"}],\"Title\": \"title\",\"Types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\": \"123578964332\",\"UserDefinedFields\": {\"reviewedByCio\": \"true\",\"comeBackToLater\": \"Check this again on Monday\"},\"VerificationState\": \"string\",\"WorkflowState\": \"NEW\"}]}}",
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}


Last modified on Jan 4, 2021
