Integrate Opsgenie with Amazon Security Hub
Overview
What does the integration offer?
With Amazon Security Hub, you can have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.
Use the Amazon Security Hub integration to forward Amazon Security Hub findings to Opsgenie. Opsgenie determines the right people to notify based on on-call schedules – notifies via email, text messages (SMS), phone calls, and iOS & Android push notifications, and escalates alerts until they are acknowledged or closed.
How does the integration work?
Amazon Security Hub sends findings matching the corresponding CloudWatch Event rule to CloudWatch. Selecting an SNS topic for the target lets you publish the related event message for findings to SNS which will send this message to Opsgenie at the end.
Opsgenie also supports sending updates back to Amazon Security Hub when these actions are performed on Opsgenie alerts created by Amazon Security Hub integration:
When an alert is Acknowledged in Opsgenie, update the Finding workflow status to Notified in Amazon Security Hub.
When an alert is Closed in Opsgenie, update the Finding workflow status to Resolved in Amazon Security Hub.
When a Note is added to the alert in Opsgenie, add the same Note to the Finding in Amazon Security Hub.
When an alert Priority is updated in Opsgenie, update the severity of the Finding in Amazon Security Hub.
Set up the integration
Amazon Security Hub is a bidirectional integration. Adding it to Opsgenie and configuring it to send alert updates back to Amazon Security Hub (when some actions are performed on the alerts created in Opsgenie) involves a sequence of steps:
Add an Amazon Security Hub integration in Opsgenie
Configure the integration in Amazon Security Hub
Create subscriptions to send SNS messages to Opsgenie
Create an Amazon CloudWatch Event rule
Select an SNS topic for the target in Amazon EventBridge Events
Send updates back to Amazon Security Hub
Add an Amazon Security Hub integration
If you're using Opsgenie's Free or Essentials plan or if you’re using Opsgenie with Jira Service Management's Standard plan, you can add this integration from your team dashboard only. The Integrations page under Settings is not available in your plan.
Go to Teams and select your team.
Select Integrations on the left navigation and then select Add integration.
Adding the integration from your team dashboard will make your team the owner of the integration. This means Opsgenie will assign the alerts received through this integration to your team only. Follow the rest of the steps in this section to set up the integration.
To add an Amazon Security Hub integration in Opsgenie:
Go to Settings > Integrations.
Select Add integration.
Run a search and select “Amazon Security Hub”.
On the next screen, enter a name for the integration.
Optional: Select a team in Assignee team if you want a specific team to receive alerts from the integration.
Select Continue.
The integration is saved at this point.Expand the Steps to configure the integration section and copy the integration endpoint URL.
You will use this URL while configuring the integration in Amazon Security Hub later.Select Turn on integration.
The rules you create for the integration will work only if you turn on the integration.
Configure the integration in Amazon Security Hub
Create a custom Security Hub action.
Create a rule in CloudWatch Events for Security Hub findings and an SNS topic for CloudWatch Event target by using the CloudFormation template.
Paste the URL you copied while adding the integration in Opsgenie into SNSSubEndpoint in the CloudFormation template.
Copy-paste the following (after entering the custom Security Hub action ARN you created in Step 1) into EventPatternParameter in the CloudFormation template.
{ "source": [ "aws.securityhub" ], "detail-type": [ "Security Hub Findings - Custom Action" ], "resources": [ "< CUSTOM ACTION ARN YOU CREATED IN SECURITY HUB >" ] }If the configuration is successful, a confirmation alert is created in Opsgenie.
Select Send alert updates back to Amazon Security Hub to turn on the outgoing functionality.
Allow Opsgenie to access the Security Hub resources through an IAM Role.
Use CloudFormation template to create an IAM role.Copy-paste the IAM Role ARN into AmazonSecurityHub Role ARN.
Select the AWS region where you’ve set up the Security Hub.
Create subscriptions to send SNS messages to Opsgenie
Selecting an SNS topic for the target lets you publish the related event message for findings to SNS.
Go to AWS SNS, select Topics > Create topic.
When on the Subscription tab, select Create subscription.
This is how you’ll send SNS messages to Opsgenie.In the Protocol field, select HTTPS as an endpoint type.
In the Endpoint field, enter the API endpoint URL you copied while adding the integration in Opsgenie.
Create an Amazon CloudWatch Event rule
Create an Amazon CloudWatch Event rule so Amazon Security Hub can send findings matching the rule to CloudWatch.
In your Amazon CloudWatch account, select Events > Rules.
Select Create rule.
In the Event Source section, select the Event Pattern option.
Select Build event pattern to match all events from the dropdown menu.
Select Edit in the Event Pattern Preview and copy-paste the script given in this section.
In the Targets section, select the SNS topic from the dropdown menu, then select the topic you created before.
Select Configure details and enter a name, description, and other information.
Select Create rule.
Event pattern preview script
Copy the following script and paste it into the Event pattern preview section of Event Source.
Event pattern preview script (in JSON format)
{
"source": [
"aws.securityhub"
],
"detail-type": [
"Security Hub Findings - Custom Action"
],
"resources": [
<custom action arn you created in security hub>
]
}Select an SNS topic for the target in Amazon EventBridge Events
Selecting an SNS topic for the target lets you publish the related event message for findings to SNS which will send this message to Opsgenie at the end.
Go to Amazon EventBridge and select Rules.
Select Create rule.
In Step 1, enter a Name and Description for this rule.
Select Rule with an event pattern as Rule type and select Next.
In Step 2, select AWS events and EventBrigde partner events as the Event source.
Select AWS services as Event source.
Select Security Hub as AWS Service.
In the Event Type section, select the custom action you created in the security hub.
Select Next.
In Step 3, select SNS topic from the dropdown menu in Target types, then select the topic you created earlier in the Topic field.
Select Next.
In Step 5, review and create the rule.
Send alert updates back to Amazon Security Hub
Complete the following steps in Opsgenie to send alert updates back to Amazon Security Hub:
From the Amazon Security Hub integration page in Opsgenie, select the Send alert updates back to Amazon Security Hub checkbox.
Allow Opsgenie to access security hub resources using an IAM Role. To create a role that allows Opsgenie to access security hub resources, you can use the CloudFormation template.
Make sure that all the input parameters to the cloudformation template (such as the API URL from the integration page (pre-populated), Opsgenie Aws AccountId (pre-populated), and RoleName) are correct. The role name should be in opsgenieSecurityHubRole* format.
Copy the IAM role ARN created in the previous step and paste it into AmazonSecurityHub Role ARN.
Select the region where the Security Hub is enabled.
Sample payload from Amazon Security Hub
Sample payload (in JSON format)
{
"Type": "Notification",
"MessageId": "96d4c7c2-999e-57ab-aade",
"TopicArn": "arn:aws:sns:us-west-2:test",
"Message": "{\"version\":\"0\",\"id\":\"3ee38987-e0ce--91a1\",\"detail-type\":\"EC2 Instance State-change Notification\",\"source\":\"aws.ec2\",\"account\":\"abc\",\"time\":\"2017-09-11T10:49:41Z\",\"region\":\"us-west-2\",\"resources\":[\"arn:aws:ec2:us-west-2:asdf:instance/i-abc\"],\"detail\":{\"actionName\":\"custom-action-name\",\"actionDescription\":\"description of the action\",\"findings\":[{\"AwsAccountId\": \"abc\",\"Compliance\": {\"Status\": \"PASSED\"},\"Confidence\": 42,\"CreatedAt\": \"2017-03-22T13:22:13.933Z\",\"Criticality\": 99,\"Description\": \"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FirstObservedAt\": \"2017-03-22T13:22:13.933Z\",\"GeneratorId\": \"acme-vuln-9ab348\",\"Id\": \"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\": \"2017-03-23T13:22:13.933Z\",\"Malware\": [{\"Name\": \"Stringler\",\"Type\": \"COIN_MINER\",\"Path\": \"/usr/sbin/stringler\",\"State\": \"OBSERVED\"}],\"Network\": {\"Direction\": \"IN\",\"Protocol\": \"TCP\",\"SourceIpV4\": \"1.2.3.4\",\"SourceIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"SourcePort\": \"42\",\"SourceDomain\": \"here.com\",\"SourceMac\": \"00:0d:83:b1:c0:8e\",\"DestinationIpV4\": \"2.3.4.5\",\"DestinationIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"DestinationPort\": \"80\",\"DestinationDomain\": \"there.com\"},\"Note\": {\"Text\": \"Don't forget to check under the mat.\",\"UpdatedBy\": \"jsmith\",\"UpdatedAt\": \"2018-08-31T00:15:09Z\"},\"Process\": {\"Name\": \"syslogd\",\"Path\": \"/usr/sbin/syslogd\",\"Pid\": 12345,\"ParentPid\": 56789,\"LaunchedAt\": \"2018-09-27T22:37:31Z\",\"TerminatedAt\": \"2018-09-27T23:37:31Z\"},\"ProductArn\": \"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\": {\"generico/secure-pro/Count\": \"6\",\"Service_Name\": \"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\": \"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\": \"My prod env\",\"aws/inspector/RulesPackageName\": \"Common Vulnerabilities and Exposures\"},\"RecordState\": \"ACTIVE\",\"RelatedFindings\": [{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"123e4567-e89b-12d3-a456-426655440000\" },{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"AcmeNerfHerder--x189dx7824\" }],\"Remediation\": {\"Recommendation\": {\"Text\": \"Run sudo yum update and cross your fingers and toes.\",\"Url\": \"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\": [{\"Type\": \"AwsEc2Instance\",\"Id\": \"i-cafebabe\",\"Partition\": \"aws\",\"Region\": \"us-west-2\",\"Tags\": {\"billingCode\": \"Lotus-1-2-3\",\"needsPatching\": \"true\"},\"Details\": {\"AwsEc2Instance\": {\"Type\": \"i3.xlarge\",\"ImageId\": \"ami-abcd1234\",\"IpV4Addresses\": [ \"54.194.252.215\", \"192.168.1.88\" ],\"IpV6Addresses\": [ \"2001:db8:1234:1a2b::123\" ],\"KeyName\": \"my_keypair\",\"IamInstanceProfileArn\": \"arn:aws:iam:::instance-profile/AdminRole\",\"VpcId\": \"vpc-11112222\",\"SubnetId\": \"subnet-56f5f633\",\"LaunchedAt\": \"2018-05-08T16:46:19.000Z\"}}}],\"SchemaVersion\": \"2018-10-08\",\"Severity\": {\"Product\": 8.3,\"Normalized\": 25},\"SourceUrl\": \"string\",\"ThreatIntelIndicators\": [{\"Type\": \"IPV4_ADDRESS\",\"Value\": \"8.8.8.8\",\"Category\": \"BACKDOOR\",\"LastObservedAt\": \"2018-09-27T23:37:31Z\",\"Source\": \"Threat Intel Weekly\",\"SourceUrl\": \"http://threatintelweekly.org/backdoors/8888\"}],\"Title\": \"title\",\"Types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\": \"123578964332\",\"UserDefinedFields\": {\"reviewedByCio\": \"true\",\"comeBackToLater\": \"Check this again on Monday\"},\"VerificationState\": \"string\",\"WorkflowState\": \"NEW\"}]}}",
"Timestamp": "2017-09-11T10:49:42.630Z",
"SignatureVersion": "1",
"Signature": "sign",
"SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
"UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}Was this helpful?