
Integrate Opsgenie with Amazon Security Hub

With Amazon Security Hub, you can have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.

What does Opsgenie offer Amazon Security Hub users?

Use Opsgenie’s Amazon Security Hub Integration to forward Amazon Security Hub findings to Opsgenie. Opsgenie determines the right people to notify based on on-call schedules, notifies them via email, text messages (SMS), phone calls, and iOS & Android push notifications, and escalates alerts until they are acknowledged or closed.

Functionality of the integration

Amazon Security Hub sends findings that match the corresponding CloudWatch Event rule to CloudWatch. Selecting an SNS topic as the rule's target publishes the event message for those findings to SNS, which then sends the message to Opsgenie.

Opsgenie also supports sending updates back to Amazon Security Hub when these actions are performed on Opsgenie alerts created by the Amazon Security Hub integration:

  • When an alert is Acknowledged in Opsgenie, the Finding workflow status is updated to Notified in AWS Security Hub.

  • When an alert is Closed in Opsgenie, the Finding workflow status is updated to Resolved in AWS Security Hub.

  • When a Note is added to an alert in Opsgenie, the same Note is added to the Finding in AWS Security Hub.

  • When the alert Priority is updated in Opsgenie, the severity of the Finding is updated in AWS Security Hub.

Add Amazon Security Hub Integration to Opsgenie

You can add this integration from your team dashboard

If you're using Opsgenie's Free or Essentials plan, or if you’re using Opsgenie with Jira Service Management's Standard plan, you can only add this integration from your team dashboard as the Integrations page under Settings is not available in your plan.

Adding the integration from your team dashboard will make your team the owner of the integration. This means Opsgenie will assign the alerts received through this integration to your team only.

To do that:

  1. Go to your team’s dashboard from Teams.

  2. Select Integrations, and select Add integration.

Follow the rest of the steps to complete the integration.

  1. Go to Settings > Integrations. Search for Amazon Security Hub and select Add.

  2. Specify who is notified of Amazon Security Hub alerts using the Responders field. Auto-complete suggestions are provided as you type.

  3. Copy the integration endpoint URL.

  4. Select Save Integration.

Configuration in Amazon Security Hub

  1. Go to Security Hub, click Settings, and select the Custom actions tab.

  2. Click Create custom action and fill in the necessary fields.

  3. You will see the created action.

You can use a CloudFormation template to create the CloudWatch Event Rule and SNS Topic.

Configuration in Amazon SNS

  1. Go to AWS SNS and select Topics, then click Create topic.

  2. Then, click Create subscription to send SNS messages to Opsgenie.

  3. Select HTTPS as the protocol and enter Opsgenie’s API endpoint, using the URL provided by the integration.

Configuration in Amazon CloudWatch Events

  1. Go to Amazon CloudWatch and select Rules under Events, then select Create rule.

  2. Select Event Pattern as the Event Source and select Build event pattern to match all events from the dropdown menu.

  3. Edit the event pattern preview and paste the following:


{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [
    "<custom action arn you created in security hub>"
  ]
}

  4. Then, select SNS topic from the dropdown menu in the Targets section and select the topic you created earlier.

  5. Select Configure details and fill in the necessary fields on the page that opens.

  6. Then, select Create rule.
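
What the rule built in the steps above passes on to SNS, as an added example (not Opsgenie's or AWS's code): a simplified, exact-value subset of EventBridge pattern matching run over constructed events. The custom action ARN, account ID and sample events are assumed placeholders.

```python
# Added example: simplified subset of EventBridge matching (exact values only).
# ACTION_ARN is a constructed placeholder for the custom action created earlier.
ACTION_ARN = "arn:aws:securityhub:us-west-2:111111111111:action/custom/SendToOpsgenie"
CUSTOM = "Security Hub Findings - Custom Action"

PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": [CUSTOM],
    "resources": [ACTION_ARN],
}

def matches(pattern, event):
    """True when every pattern key is present in the event with an allowed value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):  # nested pattern: recurse into the sub-object
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
            continue
        # A pattern list is an OR; an event array matches if any element is allowed.
        candidates = value if isinstance(value, list) else [value]
        if not any(c in allowed for c in candidates):
            return False
    return True

def event(source, detail_type, resource):
    return {"source": source, "detail-type": detail_type, "resources": [resource]}

# Constructed sample events.
EVENTS = {
    "custom action, this ARN": event("aws.securityhub", CUSTOM, ACTION_ARN),
    "custom action, other ARN": event(
        "aws.securityhub", CUSTOM, ACTION_ARN.replace("SendToOpsgenie", "Other")),
    "imported finding": event(
        "aws.securityhub", "Security Hub Findings - Imported",
        "arn:aws:securityhub:us-west-2:111111111111:finding/constructed"),
    "EC2 state change": event(
        "aws.ec2", "EC2 Instance State-change Notification",
        "arn:aws:ec2:us-west-2:111111111111:instance/i-constructed"),
}

def forwarded(events=EVENTS):
    # Names of the sample events the rule would pass on to the SNS topic.
    return [name for name, ev in events.items() if matches(PATTERN, ev)]

if __name__ == "__main__":
    print(forwarded())
```

Only the event raised by invoking this specific custom action matches; findings that Security Hub imports on its own are not forwarded by this rule.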

Enable sending updates back to Amazon Security Hub

  1. On the Opsgenie Amazon Security Hub Integration page, select the Send Alert Updates Back to AmazonSecurityHub checkbox.

  2. You need to allow Opsgenie to access Security Hub resources using an IAM role. To create a role that allows Opsgenie to access Security Hub resources, you can use the CloudFormation template.

  3. Make sure that all the input parameters to the CloudFormation template are correct, such as ApiKey from the Opsgenie SecurityHub Integration page (pre-populated), Opsgenie Aws AccountId (pre-populated), and RoleName. The role name should be in the opsgenieSecurityHubRole* format.

  4. Copy the ARN of the IAM role created above, paste it here, and select the region where Security Hub is enabled.

  5. Click Save Integration. Alert action updates will now be sent back to Amazon Security Hub findings.

Sample Payload from Amazon Security Hub


{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": "{\"version\":\"0\",\"id\":\"3ee38987-e0ce--91a1\",\"detail-type\":\"EC2 Instance State-change Notification\",\"source\":\"aws.ec2\",\"account\":\"abc\",\"time\":\"2017-09-11T10:49:41Z\",\"region\":\"us-west-2\",\"resources\":[\"arn:aws:ec2:us-west-2:asdf:instance/i-abc\"],\"detail\":{\"actionName\":\"custom-action-name\",\"actionDescription\":\"description of the action\",\"findings\":[{\"AwsAccountId\": \"abc\",\"Compliance\": {\"Status\": \"PASSED\"},\"Confidence\": 42,\"CreatedAt\": \"2017-03-22T13:22:13.933Z\",\"Criticality\": 99,\"Description\": \"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FirstObservedAt\": \"2017-03-22T13:22:13.933Z\",\"GeneratorId\": \"acme-vuln-9ab348\",\"Id\": \"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\": \"2017-03-23T13:22:13.933Z\",\"Malware\": [{\"Name\": \"Stringler\",\"Type\": \"COIN_MINER\",\"Path\": \"/usr/sbin/stringler\",\"State\": \"OBSERVED\"}],\"Network\": {\"Direction\": \"IN\",\"Protocol\": \"TCP\",\"SourceIpV4\": \"\",\"SourceIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"SourcePort\": \"42\",\"SourceDomain\": \"here.com\",\"SourceMac\": \"00:0d:83:b1:c0:8e\",\"DestinationIpV4\": \"\",\"DestinationIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"DestinationPort\": \"80\",\"DestinationDomain\": \"there.com\"},\"Note\": {\"Text\": \"Don't forget to check under the mat.\",\"UpdatedBy\": \"jsmith\",\"UpdatedAt\": \"2018-08-31T00:15:09Z\"},\"Process\": {\"Name\": \"syslogd\",\"Path\": \"/usr/sbin/syslogd\",\"Pid\": 12345,\"ParentPid\": 56789,\"LaunchedAt\": \"2018-09-27T22:37:31Z\",\"TerminatedAt\": \"2018-09-27T23:37:31Z\"},\"ProductArn\": \"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\": {\"generico/secure-pro/Count\": \"6\",\"Service_Name\": \"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\": \"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\": \"My prod env\",\"aws/inspector/RulesPackageName\": \"Common Vulnerabilities and Exposures\"},\"RecordState\": \"ACTIVE\",\"RelatedFindings\": [{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"123e4567-e89b-12d3-a456-426655440000\" },{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"AcmeNerfHerder--x189dx7824\" }],\"Remediation\": {\"Recommendation\": {\"Text\": \"Run sudo yum update and cross your fingers and toes.\",\"Url\": \"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\": [{\"Type\": \"AwsEc2Instance\",\"Id\": \"i-cafebabe\",\"Partition\": \"aws\",\"Region\": \"us-west-2\",\"Tags\": {\"billingCode\": \"Lotus-1-2-3\",\"needsPatching\": \"true\"},\"Details\": {\"AwsEc2Instance\": {\"Type\": \"i3.xlarge\",\"ImageId\": \"ami-abcd1234\",\"IpV4Addresses\": [ \"\", \"\" ],\"IpV6Addresses\": [ \"2001:db8:1234:1a2b::123\" ],\"KeyName\": \"my_keypair\",\"IamInstanceProfileArn\": \"arn:aws:iam:::instance-profile/AdminRole\",\"VpcId\": \"vpc-11112222\",\"SubnetId\": \"subnet-56f5f633\",\"LaunchedAt\": \"2018-05-08T16:46:19.000Z\"}}}],\"SchemaVersion\": \"2018-10-08\",\"Severity\": {\"Product\": 8.3,\"Normalized\": 25},\"SourceUrl\": \"string\",\"ThreatIntelIndicators\": [{\"Type\": \"IPV4_ADDRESS\",\"Value\": \"\",\"Category\": \"BACKDOOR\",\"LastObservedAt\": \"2018-09-27T23:37:31Z\",\"Source\": \"Threat Intel Weekly\",\"SourceUrl\": \"http://threatintelweekly.org/backdoors/8888\"}],\"Title\": \"title\",\"Types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\": \"123578964332\",\"UserDefinedFields\": {\"reviewedByCio\": \"true\",\"comeBackToLater\": \"Check this again on Monday\"},\"VerificationState\": \"string\",\"WorkflowState\": \"NEW\"}]}}",
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}

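Unwrapping a notification shaped like the sample payload above, as an added example that is not part of the original page: the CloudWatch event travels as a JSON string inside the SNS envelope's Message field, and the findings sit under detail.findings. The sample is constructed and trimmed, the function names are hypothetical, and the SigningCertURL host check (standard AWS partition only) is a pre-check, not signature verification.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample, trimmed to the fields used here; same nesting as the payload above.
EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "custom-action-name", "findings": [{
        "Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
        "ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
        "Title": "title",
        "Severity": {"Product": 8.3, "Normalized": 25},
        "WorkflowState": "NEW",
    }]},
}
NOTIFICATION = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-west-2:test",
    "Message": json.dumps(EVENT),  # the event is a JSON string inside the JSON envelope
    "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
})

# Assumption: standard partition hosts of the form sns.<region>.amazonaws.com.
SNS_HOST = re.compile(r"sns\.[a-z0-9-]+\.amazonaws\.com")

def cert_url_is_sns(url):
    """Pre-check before fetching the signing certificate: HTTPS and an SNS host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and SNS_HOST.fullmatch(parsed.hostname or "") is not None

def unwrap(raw):
    """Return one summary dict per finding carried in an SNS notification body."""
    envelope = json.loads(raw)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification")
    if not cert_url_is_sns(envelope.get("SigningCertURL", "")):
        raise ValueError("SigningCertURL does not point at an SNS host")
    event = json.loads(envelope["Message"])  # second decode: the CloudWatch event
    return [{
        "id": f["Id"],                      # Id + ProductArn identify the finding
        "product_arn": f["ProductArn"],
        "title": f.get("Title"),
        "severity": f.get("Severity", {}).get("Normalized"),
        "workflow": f.get("WorkflowState"),
    } for f in event.get("detail", {}).get("findings", [])]

if __name__ == "__main__":
    print(json.dumps(unwrap(NOTIFICATION), indent=2))
```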
