
Integrate Opsgenie with Amazon Security Hub

With Amazon Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

What does Opsgenie offer Amazon Security Hub users?

Use Opsgenie’s Amazon Security Hub integration to forward Amazon Security Hub findings to Opsgenie. Opsgenie determines the right people to notify based on on-call schedules, notifies them via email, text messages (SMS), phone calls, and iOS and Android push notifications, and escalates alerts until the alert is acknowledged or closed.

Functionality of the integration

Amazon Security Hub sends findings that match the corresponding CloudWatch Events rule to CloudWatch. Selecting an SNS topic as the rule's target publishes the event message for those findings to SNS, which then delivers the message to Opsgenie.

Opsgenie also supports sending updates back to Amazon Security Hub when the following actions are performed on Opsgenie alerts created by the Amazon Security Hub integration:

  • When an alert is Acknowledged in Opsgenie, the finding's workflow status is updated to Notified in Amazon Security Hub.

  • When an alert is Closed in Opsgenie, the finding's workflow status is updated to Resolved in Amazon Security Hub.

  • When a Note is added to the alert in Opsgenie, the same note is added to the finding in Amazon Security Hub.

  • When an alert's Priority is updated in Opsgenie, the severity of the finding is updated in Amazon Security Hub.
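The four update rules above, expressed as the parameters an Opsgenie-side caller would pass to Security Hub's BatchUpdateFindings API (boto3's `securityhub.batch_update_findings()`). This is an added illustration, not Opsgenie's own code; the P-level to ASFF severity-label mapping and the rule that an acknowledgement never reopens a resolved finding are assumptions.

```python
# Added illustration of the alert-to-finding sync described on this page (not Opsgenie's code).
# P-level -> ASFF severity label is an assumption about how priorities should be mapped.
PRIORITY_TO_LABEL = {"P1": "CRITICAL", "P2": "HIGH", "P3": "MEDIUM", "P4": "LOW", "P5": "INFORMATIONAL"}

# Workflow states a later Acknowledge must not roll back (assumed desired behaviour).
TERMINAL_STATES = {"RESOLVED", "SUPPRESSED"}


def finding_update(action, finding, **kw):
    """Build the kwargs for securityhub.batch_update_findings() for one Opsgenie alert action.

    `finding` is the ASFF dict taken from the inbound payload (Id, ProductArn and either the
    current Workflow.Status or the older WorkflowState field seen in the page's sample).
    Returns None when no API call should be made.
    """
    params = {"FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}]}
    current = finding.get("Workflow", {}).get("Status") or finding.get("WorkflowState", "NEW")
    if action == "Acknowledge":
        if current in TERMINAL_STATES:
            return None  # an ack arriving after a close must not move RESOLVED back to NOTIFIED
        params["Workflow"] = {"Status": "NOTIFIED"}
    elif action == "Close":
        params["Workflow"] = {"Status": "RESOLVED"}
    elif action == "AddNote":
        params["Note"] = {"Text": kw["text"], "UpdatedBy": kw.get("user", "opsgenie")}
    elif action == "UpdatePriority":
        params["Severity"] = {"Label": PRIORITY_TO_LABEL[kw["priority"]]}
    else:
        raise ValueError(f"unsupported Opsgenie action: {action}")
    return params


# Constructed finding modelled on the page's sample payload (not real data).
SAMPLE_FINDING = {
    "Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
    "ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
    "WorkflowState": "NEW",
}
```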

Add Amazon Security Hub Integration to Opsgenie

You can add this integration from your team dashboard

If you're using Opsgenie's Free or Essentials plan, or if you’re using Opsgenie with Jira Service Management's Standard plan, you can only add this integration from your team dashboard as the Integrations page under Settings is not available in your plan.

Adding the integration from your team dashboard will make your team the owner of the integration. This means Opsgenie will assign the alerts received through this integration to your team only.

To do that,

  1. Go to your team’s dashboard from Teams,

  2. Select Integrations, and select Add integration.

Follow the rest of the steps to complete the integration.

  1. Go to Settings > Integrations. Search for Amazon Security Hub and select Add.

  2. Add people as Responders to notify of Amazon Security Hub alerts.

  3. Copy the integration endpoint Url.

  4. Select Save Integration.

Configuration in Amazon Security Hub

  1. Go to Security Hub, select Settings, and switch to the Custom actions tab.

  2. Select Create custom action and enter a Name, Description and, Custom action ID for this action.

You can use a CloudFormation template to create the CloudWatch Events rule and the SNS topic.

Configuration in Amazon SNS

  1. Go to AWS SNS, select Topics > Create topic.

  2. On the Subscription tab, select Create subscription. This is how you’ll send SNS messages to Opsgenie.

  3. In the Protocol field, select HTTPS as the endpoint type.

  4. In the Endpoint field, enter the API endpoint provided to you from Opsgenie on the Instructions page of this integration.

Configuration in Amazon CloudWatch Events

  1. In your Amazon CloudWatch account select Events > Rules.

  2. Then select Create rule.

  3. In the Event Source section select the Event Pattern option.

  4. Then select Build event pattern to match all events from the dropdown menu.

  5. Select Edit in the Event Pattern Preview and enter the event pattern provided below under Event pattern preview script.

  6. In the Targets section select the SNS topic from the dropdown menu, then select the topic you’ve created before.

  7. Select Configure details and enter a name, description, and other details.

  8. When done, select Create rule.

Event pattern preview script

Enter the script below in the Event pattern preview section of the Event Source.

JSON

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [
    <custom action arn you created in security hub>
  ]
}

Configuration in Amazon EventBridge Events

  1. Go to Amazon EventBridge and select Rules

  2. Select Create rule.

  3. In Step 1, enter a Name and Description for this rule.

  4. Select Rule with an event pattern as the Rule type and select Next.

  5. In Step 2, select AWS events or EventBridge partner events as the Event source.

  6. Then, select AWS services as Event source.

  7. Select Security Hub as AWS Service.

  8. In the Event Type section, select the custom action you created in the security hub.

  9. Select Next.

  10. In Step 3, select SNS topic from the dropdown menu in Target types, then select the topic you created before in the Topic field.

  11. Select Next.

  12. In Step 5, review and create the rule.

Enable sending updates back to Amazon Security Hub

  1. From Opsgenie’s Amazon Security Hub Integration page, select the Send Alert Updates Back to Amazon Security Hub checkbox.

  2. You will need to allow Opsgenie to access Security Hub resources using an IAM role. To create a role that allows Opsgenie to access Security Hub resources, you can use the CloudFormation template.

  3. Make sure that all the input parameters to the CloudFormation template are correct: ApiKey from the Opsgenie Security Hub Integration page (pre-populated), Opsgenie AWS AccountId (pre-populated), and RoleName. The role name should be in the opsgenieSecurityHubRole* format.

  4. Copy the ARN of the IAM role created above, paste it into the integration page, and select the region where Security Hub is enabled.

  5. Select Save Integration to send alert action updates back to Amazon Security Hub findings.

Sample Payload from Amazon Security Hub

JSON

{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": "{\"version\":\"0\",\"id\":\"3ee38987-e0ce--91a1\",\"detail-type\":\"EC2 Instance State-change Notification\",\"source\":\"aws.ec2\",\"account\":\"abc\",\"time\":\"2017-09-11T10:49:41Z\",\"region\":\"us-west-2\",\"resources\":[\"arn:aws:ec2:us-west-2:asdf:instance/i-abc\"],\"detail\":{\"actionName\":\"custom-action-name\",\"actionDescription\":\"description of the action\",\"findings\":[{\"AwsAccountId\": \"abc\",\"Compliance\": {\"Status\": \"PASSED\"},\"Confidence\": 42,\"CreatedAt\": \"2017-03-22T13:22:13.933Z\",\"Criticality\": 99,\"Description\": \"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FirstObservedAt\": \"2017-03-22T13:22:13.933Z\",\"GeneratorId\": \"acme-vuln-9ab348\",\"Id\": \"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\": \"2017-03-23T13:22:13.933Z\",\"Malware\": [{\"Name\": \"Stringler\",\"Type\": \"COIN_MINER\",\"Path\": \"/usr/sbin/stringler\",\"State\": \"OBSERVED\"}],\"Network\": {\"Direction\": \"IN\",\"Protocol\": \"TCP\",\"SourceIpV4\": \"1.2.3.4\",\"SourceIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"SourcePort\": \"42\",\"SourceDomain\": \"here.com\",\"SourceMac\": \"00:0d:83:b1:c0:8e\",\"DestinationIpV4\": \"2.3.4.5\",\"DestinationIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"DestinationPort\": \"80\",\"DestinationDomain\": \"there.com\"},\"Note\": {\"Text\": \"Don't forget to check under the mat.\",\"UpdatedBy\": \"jsmith\",\"UpdatedAt\": \"2018-08-31T00:15:09Z\"},\"Process\": {\"Name\": \"syslogd\",\"Path\": \"/usr/sbin/syslogd\",\"Pid\": 12345,\"ParentPid\": 56789,\"LaunchedAt\": \"2018-09-27T22:37:31Z\",\"TerminatedAt\": \"2018-09-27T23:37:31Z\"},\"ProductArn\": \"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\": {\"generico/secure-pro/Count\": \"6\",\"Service_Name\": \"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\": \"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\": \"My prod env\",\"aws/inspector/RulesPackageName\": \"Common Vulnerabilities and Exposures\"},\"RecordState\": \"ACTIVE\",\"RelatedFindings\": [{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"123e4567-e89b-12d3-a456-426655440000\" },{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"AcmeNerfHerder--x189dx7824\" }],\"Remediation\": {\"Recommendation\": {\"Text\": \"Run sudo yum update and cross your fingers and toes.\",\"Url\": \"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\": [{\"Type\": \"AwsEc2Instance\",\"Id\": \"i-cafebabe\",\"Partition\": \"aws\",\"Region\": \"us-west-2\",\"Tags\": {\"billingCode\": \"Lotus-1-2-3\",\"needsPatching\": \"true\"},\"Details\": {\"AwsEc2Instance\": {\"Type\": \"i3.xlarge\",\"ImageId\": \"ami-abcd1234\",\"IpV4Addresses\": [ \"54.194.252.215\", \"192.168.1.88\" ],\"IpV6Addresses\": [ \"2001:db8:1234:1a2b::123\" ],\"KeyName\": \"my_keypair\",\"IamInstanceProfileArn\": \"arn:aws:iam:::instance-profile/AdminRole\",\"VpcId\": \"vpc-11112222\",\"SubnetId\": \"subnet-56f5f633\",\"LaunchedAt\": \"2018-05-08T16:46:19.000Z\"}}}],\"SchemaVersion\": \"2018-10-08\",\"Severity\": {\"Product\": 8.3,\"Normalized\": 25},\"SourceUrl\": \"string\",\"ThreatIntelIndicators\": [{\"Type\": \"IPV4_ADDRESS\",\"Value\": \"8.8.8.8\",\"Category\": \"BACKDOOR\",\"LastObservedAt\": \"2018-09-27T23:37:31Z\",\"Source\": \"Threat Intel Weekly\",\"SourceUrl\": \"http://threatintelweekly.org/backdoors/8888\"}],\"Title\": \"title\",\"Types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\": \"123578964332\",\"UserDefinedFields\": {\"reviewedByCio\": \"true\",\"comeBackToLater\": \"Check this again on Monday\"},\"VerificationState\": \"string\",\"WorkflowState\": \"NEW\"}]}}",
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}


Additional Help