
Send findings to AWS Security Hub

This page shows you how to enable Sumo Logic as a Finding Provider, deploy the AWS Security Hub forwarder, create a Webhook connection, and create a scheduled search.

The AWS Security Hub forwarder sends scheduled search results and alerts as findings to AWS Security Hub.

AWS Security Hub forwarder overview

The AWS Security Hub forwarder creates a Lambda function behind an API Gateway endpoint secured with Identity and Access Management (IAM) authentication. A Sumo Logic scheduled search sends its results to that endpoint through a Webhook connection for Lambda. The triggered Lambda function parses the search results, transforms them into Amazon Finding Format (AFF), and sends each row of the AFF data to AWS Security Hub as a separate finding.


Step 1: Enable Sumo Logic as a Finding Provider

AWS Security Hub collects and consolidates the security findings that supported AWS services generate after Security Hub is enabled in your AWS accounts. This section demonstrates how to enable Sumo Logic as an AWS Finding Provider (FP) so that it can send findings to AWS Security Hub.

To enable Sumo Logic for AWS Security Hub, do the following:
  1. Open the Security Hub console, and choose Settings > Providers.
  2. Search for “Sumo Logic” and click Subscribe for Sumo Logic Machine Data Analytics.


Step 2: Deploy the AWS Security Hub forwarder

This section demonstrates how to deploy the AWS Security Hub forwarder, a serverless application based on the AWS SAM (Serverless Application Model) specification.

To deploy the AWS Security Hub forwarder, do the following:
  1. Open a browser window and go to the following URL:
  2. In the Serverless Application Repository, search for sumologic.
  3. Select the Show apps that create custom IAM roles or resource policies checkbox, click the sumo-logic-securityhub-forwarder app link, and then click Deploy.
  4. After the stack is deployed, go to CloudFormation > Stacks > Stack details > Outputs and copy the value of SecurityHubForwarderApiUrl. This is the API Gateway endpoint that the Webhook connection will call.


Step 3: Create a Webhook connection

This section demonstrates how to create a Webhook connection to trigger an AWS Lambda function.

To create a Webhook connection, do the following:
  1. Follow the instructions for creating a Webhook connection, and use the SecurityHubForwarderApiUrl value you copied in step 4 of the previous section as the URL.
  2. Verify that the connection has the following payload. The <type>, <number> and <status> placeholders are filled in per scheduled search; ComplianceStatus may be omitted.
{"Types": "<type> Ex: Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS Controls",
 "Description": "{{SearchDescription}}",
 "SourceUrl": "{{SearchQueryUrl}}",
 "GeneratorID": "{{SearchName}}",
 "Severity": <number from 0 to 100>,
 "Rows": "{{AggregateResultsJson}}",
 "ComplianceStatus": "(Optional)<status> - PASSED/WARNING/FAILED/NOT_AVAILABLE"
}

Types, Description, SourceUrl, GeneratorID, Severity, and ComplianceStatus are mapped to the corresponding fields specified in Amazon Finding Format (ComplianceStatus maps to Compliance.Status); Rows carries the search results, and each row becomes one finding.

  3. Ensure that the IAM role or IAM user whose credentials the connection uses has permission to invoke the API in API Gateway, as described in the Control Access for Invoking an API Amazon documentation.

Step 4: Create scheduled searches

When you save a search, you can add a schedule to run it at a regularly scheduled time, and add alerts. This section demonstrates how to write a query and then create a scheduled search for AWS Security Hub.

The purpose of the search is to identify a security or compliance issue, when it was generated, and which resource was affected.

In the following example, the query generates a finding when there is direct external traffic to a secured port, which violates one of the PCI requirement checks.

_sourceCategory=Labs/AWS/VPC ACCEPT (3306 or 5439 or 5432 or 1433 or 2638 or 5984)
| json "message" as _rawvpc nodrop | if (_raw matches "{*", _rawvpc,_raw) as message
| parse field=message "* * * * * * * * * * * * * *" as version,aws_account_id,interfaceID,src_ip,dest_ip,src_port,dest_port,Protocol,Packets,bytes,StartSample,EndSample,Action,status
| where Action="ACCEPT" and dest_port in ("3306", "5439", "5432", "1433", "2638", "5984")
| where (compareCIDRPrefix("", dest_ip, toInt(12)) or compareCIDRPrefix("", dest_ip, toInt(16)) or compareCIDRPrefix("", dest_ip, toInt(8))) and dest_port in ("3306", "5439", "5432", "1433", "2638", "5984")
| where (!compareCIDRPrefix("", src_ip, toInt(12)) and !compareCIDRPrefix("", src_ip, toInt(16)) and !compareCIDRPrefix("", src_ip, toInt(8)))
| "Direct external traffic to secure port" as message | "Critical" as Severity
| concat("PCI Req 01: Traffic to Cardholder Environment: Direct external traffic to secure port on ", dest_ip) as title   
| _messagetime as finding_time
| dest_ip as resource_id
| "AwsEc2Instance" as resource_type  
| count by finding_time, resource_id, resource_type, title, aws_account_id
| fields -_count

To write a query and create a scheduled search, do the following:
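To show what the query above actually selects, here is an added Python example (not from the original page or from Sumo Logic) that applies the same logic to constructed VPC Flow Log lines: accepted traffic from a non-internal source to one of the listed secure ports on an internal host, reduced to one row per resource the way the query's count by clause does, with the mandatory finding_time, resource_id, resource_type and title fields filled in. The page's query leaves the CIDR arguments of compareCIDRPrefix blank, so the RFC 1918 ranges used here, the sample log lines and the use of StartSample in place of _messagetime are assumptions for this example.

```python
import ipaddress

# Assumption for this example: the page's query leaves the CIDR arguments of
# compareCIDRPrefix blank; the prefix lengths 8, 12 and 16 suggest the RFC 1918
# private ranges, so those are used here as the "internal" networks.
INTERNAL_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SECURE_PORTS = {"3306", "5439", "5432", "1433", "2638", "5984"}

# Field order of the 14-field parse in the page's query (VPC Flow Log version 2 layout)
FIELDS = ("version", "aws_account_id", "interfaceID", "src_ip", "dest_ip", "src_port", "dest_port",
          "Protocol", "Packets", "bytes", "StartSample", "EndSample", "Action", "status")

# Constructed VPC Flow Log lines for this example (not real traffic)
SAMPLE_FLOW_LOGS = [
    # external source -> MySQL on an internal host, accepted: should produce a finding
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 51234 3306 6 10 840 1542719060 1542719120 ACCEPT OK",
    # internal -> internal PostgreSQL: source is not external, no finding
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.5 51235 5432 6 10 840 1542719060 1542719120 ACCEPT OK",
    # external -> PostgreSQL but rejected: no finding
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 51236 5432 6 10 840 1542719060 1542719120 REJECT OK",
    # external -> HTTPS: not one of the secure ports
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 51237 443 6 10 840 1542719060 1542719120 ACCEPT OK",
    # a second external source to the same host and port: collapses into the same row
    "2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.5 51238 3306 6 10 840 1542719060 1542719120 ACCEPT OK",
    # malformed line (13 fields): skipped, as the parse operator would drop it
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1542719060 1542719120 NODATA",
]


def is_internal(ip):
    """True when ip is inside one of the assumed internal ranges; unparsable values count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow_log(line):
    """Split a flow log line into the named fields; return None when the layout does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_external_secure_port_access(lines):
    """Accepted traffic from a non-internal source to a secure port on an internal host,
    reduced to one row per (time, resource, type, title, account) like the query's count by."""
    rows = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["Action"] != "ACCEPT" or rec["dest_port"] not in SECURE_PORTS:
            continue
        if not is_internal(rec["dest_ip"]) or is_internal(rec["src_ip"]):
            continue
        # StartSample (epoch seconds) stands in for _messagetime (epoch milliseconds) in this example
        finding_time = str(int(rec["StartSample"]) * 1000)
        title = ("PCI Req 01: Traffic to Cardholder Environment: "
                 f"Direct external traffic to secure port on {rec['dest_ip']}")
        key = (finding_time, rec["dest_ip"], "AwsEc2Instance", title, rec["aws_account_id"])
        rows.setdefault(key, {
            "finding_time": finding_time,
            "resource_id": rec["dest_ip"],
            "resource_type": "AwsEc2Instance",
            "title": title,
            "aws_account_id": rec["aws_account_id"],
            "severity": "Critical",
        })
    return list(rows.values())


if __name__ == "__main__":
    for row in find_external_secure_port_access(SAMPLE_FLOW_LOGS):
        print(row)
```

Running the block prints a single row for 10.0.1.5: the two external sources hitting port 3306 collapse into one finding, while the internal, rejected and HTTPS lines are filtered out and the malformed line is dropped.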
  1. Write a search query that contains the following mandatory fields, as described in the AWS Security Hub documentation:
"finding_time", "resource_type", "resource_id", "title"
  2. Create a scheduled search, as described in this document, and configure the following settings:
  • Alert condition is set to “Greater than >” and Number of Results is set to 0.
  • Alert Type is set to “Webhook”.
  • Connection is set to the name you gave the Webhook connection (step 2 of the linked connection instructions).
  • Toggle the Customize Payload button and fill in the fields in the dialog that appears. The following list explains each field.

Types: Type of finding in the format namespace/category/classifier. This field should match one of the finding types defined in the Finding Type Taxonomy in the AWS docs.
Description: Details specific to this instance of the finding. This should be non-empty.
SourceURL: Search query URL pointing to the exact query that generated the finding.
GeneratorID: Name of the scheduled search that generated this finding.
Severity: Impact the finding has on a customer (data loss, malware activity, configuration weakness, and so on), expressed as an integer from 0 to 100.
ComplianceStatus: Result of a compliance check. This field is optional; when present, its value should be one of PASSED, WARNING, FAILED, or NOT_AVAILABLE.
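To make the payload mapping from Step 3 and the mandatory-field rule from step 1 above concrete, here is an added Python example, written for this page and not the forwarder's own code, that validates a Webhook payload shaped like the one in Step 3 (Types, Description, GeneratorID, Severity range, ComplianceStatus values, and the four mandatory fields in every row of Rows) and maps each valid row onto an AWS Security Finding Format finding (ASFF, the format the page calls Amazon Finding Format). The sample payload, the product ARN, account ID and region passed in, the deterministic Id scheme and the exact ASFF field choices are assumptions for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of the Webhook payload body as the forwarder Lambda would receive it.
# Keys are the ones listed on the page; values are made up for this example.
SAMPLE_PAYLOAD = {
    "Types": "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS Controls",
    "Description": "Direct external traffic to a secured port in the cardholder environment",
    "SourceUrl": "https://example.invalid/sumo/search/PLACEHOLDER",  # placeholder, not a real URL
    "GeneratorID": "PCI Req 01 - External traffic to secure port",
    "Severity": 90,
    "ComplianceStatus": "FAILED",
    # "Rows" arrives as a JSON string ({{AggregateResultsJson}}), one object per result row
    "Rows": json.dumps([
        {"finding_time": "1542719060000", "resource_id": "10.0.1.5", "resource_type": "AwsEc2Instance",
         "aws_account_id": "123456789012",
         "title": "PCI Req 01: Traffic to Cardholder Environment: Direct external traffic to secure port on 10.0.1.5"},
        # second row deliberately violates the mandatory-field rule: empty resource_id
        {"finding_time": "1542719060000", "resource_id": "", "resource_type": "AwsEc2Instance",
         "title": "row with a missing resource id"},
    ]),
}

MANDATORY_ROW_FIELDS = ("finding_time", "resource_type", "resource_id", "title")
COMPLIANCE_STATUSES = {"PASSED", "WARNING", "FAILED", "NOT_AVAILABLE"}


def validate_payload(payload):
    """Return a list of problems; an empty list means every check passed."""
    errors = []
    for key in ("Types", "Description", "GeneratorID"):
        if not str(payload.get(key, "")).strip():
            errors.append(f"{key} must be non-empty")
    sev = payload.get("Severity")
    if not isinstance(sev, int) or isinstance(sev, bool) or not 0 <= sev <= 100:
        errors.append("Severity must be an integer from 0 to 100")
    status = payload.get("ComplianceStatus")
    if status is not None and status not in COMPLIANCE_STATUSES:
        errors.append(f"ComplianceStatus {status!r} is not one of {sorted(COMPLIANCE_STATUSES)}")
    try:
        rows = json.loads(payload.get("Rows", "[]"))
    except json.JSONDecodeError as exc:
        return errors + [f"Rows is not valid JSON: {exc}"]
    if not isinstance(rows, list):
        return errors + ["Rows must decode to a JSON array"]
    for i, row in enumerate(rows):
        if not isinstance(row, dict):
            errors.append(f"row {i}: not a JSON object")
            continue
        missing = [f for f in MANDATORY_ROW_FIELDS if not str(row.get(f, "")).strip()]
        if missing:
            errors.append(f"row {i}: missing or empty mandatory field(s) {missing}")
    return errors


def epoch_ms_to_iso8601(value):
    """finding_time comes from _messagetime, i.e. epoch milliseconds (string or number)."""
    seconds = int(str(value)) / 1000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def row_to_asff(payload, row, product_arn, default_account_id, region):
    """Map one result row plus the payload-level fields onto an ASFF finding (illustrative mapping)."""
    account_id = row.get("aws_account_id") or default_account_id
    created_at = epoch_ms_to_iso8601(row["finding_time"])
    # Deterministic Id so re-running the same search updates a finding instead of duplicating it
    raw_id = "|".join([payload["GeneratorID"], row["resource_type"], row["resource_id"], str(row["finding_time"])])
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": hashlib.sha256(raw_id.encode()).hexdigest(),
        "ProductArn": product_arn,
        "GeneratorId": payload["GeneratorID"],
        "AwsAccountId": account_id,
        "Types": [payload["Types"]],
        "CreatedAt": created_at,
        "UpdatedAt": created_at,
        "Severity": {"Normalized": payload["Severity"]},
        "Title": row["title"],
        "Description": payload["Description"],
        "SourceUrl": payload.get("SourceUrl", ""),
        "Resources": [{"Type": row["resource_type"], "Id": row["resource_id"], "Region": region}],
    }
    if payload.get("ComplianceStatus"):
        finding["Compliance"] = {"Status": payload["ComplianceStatus"]}
    return finding


def payload_to_findings(payload, product_arn, default_account_id, region):
    """Reject the batch on payload-level problems; otherwise convert the rows that pass validation."""
    errors = validate_payload(payload)
    if any(not e.startswith("row ") for e in errors):
        return [], errors
    bad_rows = {int(e.split()[1].rstrip(":")) for e in errors}
    rows = json.loads(payload.get("Rows", "[]"))
    findings = [row_to_asff(payload, r, product_arn, default_account_id, region)
                for i, r in enumerate(rows) if i not in bad_rows]
    return findings, errors


if __name__ == "__main__":
    # Product ARN, account and region are placeholders for this example
    found, problems = payload_to_findings(SAMPLE_PAYLOAD, "arn:aws:securityhub:us-east-1:123456789012:product/123456789012/default",
                                          "123456789012", "us-east-1")
    print(json.dumps(found, indent=2))
    print("problems:", problems)
```

The deliberately broken second row is reported and skipped rather than failing the whole batch, while an out-of-range Severity or an unknown ComplianceStatus rejects the batch, since those fields apply to every finding in it.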



Troubleshooting tips

If a problem occurs, perform the following tasks to discover the cause.

  1. Test the API using mock data, such as the following JSON example.

    {
    "Types": "Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls",
    "Description": "This search gives top 10 resources which are accessed in last 15 minutes",
    "GeneratorID": "InsertFindingsScheduledSearch",
    "Severity": 30,
    "ComplianceStatus": "FAILED",
    "Rows": "[{\"Timeslice\":1542719060000,\"finding_time\":\"1542719060000\",\"item_name\":\"A nice dashboard.png\",\"title\":\"Vulnerability: Apple iTunes m3u Playlist File Title Parsing Buffer Overflow Vulnerability(34886) found on\",\"resource_id\":\"\",\"resource_type\":\"Other\"},{\"Timeslice\":\"1542719060000\",\"finding_time\":\"1542719060000\",\"item_name\":\"Screen Shot 2014-07-30 at 11.39.29 PM.png\",\"title\":\"PCI Req 01: Traffic to Cardholder Environment: Direct external traffic to secure port on\",\"resource_id\":\"\",\"resource_type\":\"AwsEc2Instance\"},{\"Timeslice\":\"1542719060000\",\"finding_time\":\"1542719060000\",\"item_name\":\"10388049_589057504526630_2031213996_n.jpg\",\"title\":\"Test Check Success for\",\"resource_id\":\"\",\"resource_type\":\"Other\"}]"
    }
  2. Check for status code 200 in the response to verify that the API Gateway and Lambda integration is working correctly. For more information on how to test API Gateway from the console, refer to these docs.


  3. Monitor scheduled search logs using the following query in Sumo Logic. This verifies whether the scheduled search was triggered.

_view=sumologic_audit "Scheduled search alert triggered" <webhook_name>

  4. Check the CloudWatch logs for the Lambda function. The function's logs are written to CloudWatch in the log group /aws/lambda/<function_name>. Check this log for any errors during Lambda execution.