Sumo Logic

Collect findings for the AWS Security Hub App

This page shows you how to add a hosted collector and AWS S3 Source, and then deploy the AWS Security Hub collector, a serverless application that writes Security Hub findings to the S3 bucket that the source reads.

Collection overview 

Sumo Logic provides a serverless solution that creates a CloudWatch Events rule and two Lambda functions, SecurityHubScheduler and SecurityHubCollector, to extract findings from AWS Security Hub.

The CloudWatch Events rule triggers SecurityHubScheduler every five minutes. The Lambda functions fetch findings from AWS Security Hub and write them to an S3 bucket. Sumo Logic then collects the findings from that bucket using an AWS S3 Source on a Sumo Logic hosted collector. The Lambda functions are defined with AWS Serverless Application Model (SAM) specifications and published in the AWS Serverless Application Repository.

You don't have to create the AWS resources manually. Deploy the solution as described in Step 2: Deploy an AWS Security Hub collector.


Supported Finding Providers

The AWS Security Hub App currently supports the following Finding Providers:

To collect findings from other Finding Providers, update the Lambda function after you deploy the SAM application, as described in the following steps:

  1. Go to the Findings tab in the Security Hub console and group by productArn.
  2. Copy the product ARN of the Finding Provider whose findings you want to import into Sumo Logic.
  3. Go to the SecurityHubSchedulerFunction Lambda function created by the SAM application and add the product ARN (from step 2) to the list of productArn values returned by the generate_fixed_product_arns function in

Step 1: Add a hosted collector and AWS S3 source

This section shows how to add a Sumo Logic hosted collector and an AWS S3 Source to collect findings for the AWS Security Hub App.


An AWS Source must be associated with a Sumo Logic Hosted Collector. Before creating the S3 source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and AWS S3 source, do the following:
  1. Grant Access to an AWS S3 Bucket.

  2. Enable logging using the AWS Management Console.

  3. To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

  4. Add an AWS Source for the S3 Source to Sumo Logic, and in Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:

  • Specify Format as yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
  • Specify Timestamp locator as .*"UpdatedAt":"(.*)".*


  5. Click Add.
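To see what the step 4 timestamp locator actually captures from a finding line, here is an added Python check (example code, not from this page or from Sumo Logic). It applies the page's own locator regex to constructed one-line findings; the strptime translation of the step 4 format and the STRICT_LOCATOR alternative are my assumptions.

```python
import re
from datetime import datetime, timezone

# The locator regex is the page's own (step 4). STRPTIME_FORMAT is my translation of the
# page's yyyy-MM-dd'T'HH:mm:ss.SSS'Z' into Python notation.
PAGE_LOCATOR = re.compile(r'.*"UpdatedAt":"(.*)".*')
STRPTIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Assumption (not on the page): a locator that stops at the closing quote and takes the
# first UpdatedAt on the line, i.e. the finding's own rather than the Note's.
STRICT_LOCATOR = re.compile(r'"UpdatedAt":"([^"]*)"')


def locate_timestamp(line, locator=PAGE_LOCATOR):
    """Return the raw text the locator captures from one log line, or None if no match."""
    m = locator.search(line)
    return m.group(1) if m else None


def parse_timestamp(value):
    """Parse the captured text with the step 4 format; None if it does not conform."""
    if value is None:
        return None
    try:
        return datetime.strptime(value, STRPTIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


# Constructed one-line findings (made-up values; the layout follows the ASFF log example).
LINE_NOTE_LAST = ('{"Id":"f1","RecordState":"ACTIVE","Note":{"Text":"x","UpdatedBy":"User1",'
                  '"UpdatedAt":"2018-11-03T13:22:13.933Z"}}')
LINE_FIELD_MIDDLE = '{"Id":"f2","UpdatedAt":"2018-11-03T13:22:13.933Z","RecordState":"ACTIVE"}'
LINE_BOTH = ('{"Id":"f3","UpdatedAt":"2018-11-06T13:22:13.933Z",'
             '"Note":{"Text":"x","UpdatedAt":"2018-11-03T13:22:13.933Z"}}')


if __name__ == "__main__":
    for line in (LINE_NOTE_LAST, LINE_FIELD_MIDDLE, LINE_BOTH):
        raw = locate_timestamp(line)
        print(repr(raw), "->", parse_timestamp(raw))
```

Two properties of the page's locator are worth knowing before you rely on it. The leading greedy `.*` anchors on the last "UpdatedAt" on the line, so when a finding carries both a top-level UpdatedAt and a Note.UpdatedAt, the Note's value wins. The greedy `(.*)` then runs to the last double quote on the line, so the captured text only parses with the step 4 format when UpdatedAt is the final quoted value, as it is in the log example on this page; if your findings place other fields after UpdatedAt, tighten the locator along the lines of STRICT_LOCATOR and confirm the chosen field in a search.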

Step 2: Deploy an AWS Security Hub App collector

The AWS Security Hub App collector transforms the findings from AWS Security Hub and sends them to Sumo Logic. The AWS Security Hub App displays the results in pre-defined visual dashboards for you to analyze.

To deploy an AWS Security Hub App collector, do the following:
  1. Open a browser window and enter the following URL:
  2. In the Serverless Application Repository, search for sumologic.
  3. Select Show apps that create custom IAM roles or resource policies check box.
  4. Click the sumologic-securityhub-collector link, and then click Deploy.
  5. In the AWS Lambda > Functions > Application Settings panel, for S3SourceBucketName, enter the name of the bucket you configured when you defined the S3 source.

  6. Scroll to the bottom of the window and click Deploy.

Log example

The following is an example of an AWS Security Hub log.

{
  "SchemaVersion": "2018-10-08",
  "ProductArn": "arn:aws:securityhub:us-west-2:123456789012:provider:private/default",
  "AwsAccountId": "123456789012",
  "Id": "test_finding_123456",
  "GeneratorId": "TestDetector",
  "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
  "CreatedAt": "2018-11-06T13:22:13.933Z",
  "Title": "Unprotected port 22 found on instance i-01234567890abcefb",
  "Description": "Test finding was found on instance i-01234567890afbcefa",
  "Resources": [
    {"Type": "AwsEc2::Instance", "Id": "arn:aws:ec2:us-west-2:123456789012:instance:i-01234567890abcefa"}
  ],
  "SourceUrl": "",
  "Process": {"Name": "My Process", "Path": "/Process/Path"},
  "RecordState": "ACTIVE",
  "Note": {"Text": "User1 will address this finding", "UpdatedBy": "User1", "UpdatedAt": "2018-11-03T13:22:13.933Z"}
}

Query example

Findings by resource type and severity query:

(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub")
| json  "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources",
 "Severity.Normalized", "SourceUrl",
"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at, 
 updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop
| parse regex field=finding_types "\"(?<finding_type>.*?)\"" multi
| parse regex field=resources "\"Type\":\"(?<resource_type>.*?)\"" multi
| parse regex field=resources "\"Id\":\"(?<resource_id>.*?)\"" multi
| parse regex field=product_arn "product/(?<finding_provider>.*?)$"
| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75), 
  max(severity_normalized) by resource_type
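As an added illustration (not code from this page or from Sumo Logic), the following Python reproduces the field extraction and per-resource-type aggregation of the query above over constructed findings, so you can see what each json path and regex pulls out of a record before you run the query against live data. The sample values, the resource type names (written in the style of the log example), the helper names and the nearest-rank percentile are all assumptions.

```python
import json
import math
import re

# Constructed findings, one JSON object per line as the collector writes them to S3.
# Every value is made up; resource type names follow the page's log example rather than
# the exact ASFF names, and the ProductArn forms are the page's "provider:private/default"
# and the "product/<vendor>/<product>" form that Security Hub integrations use.
EC2 = "arn:aws:ec2:us-west-2:123456789012:instance:i-01234567890abcefa"
SG = "arn:aws:ec2:us-west-2:123456789012:security-group:sg-0123456789abcdef0"
BUCKET = "arn:aws:s3:::example-bucket"
GUARDDUTY = "arn:aws:securityhub:us-west-2::product/aws/guardduty"
PRIVATE = "arn:aws:securityhub:us-west-2:123456789012:provider:private/default"


def _finding(fid, product_arn, normalized, resources):
    return json.dumps({
        "AwsAccountId": "123456789012", "Id": fid, "GeneratorId": "TestDetector",
        "ProductArn": product_arn,
        "CreatedAt": "2018-11-06T13:22:13.933Z", "UpdatedAt": "2018-11-07T09:00:00.000Z",
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "Severity": {"Normalized": normalized}, "SourceUrl": "",
        "Resources": [{"Type": t, "Id": i} for t, i in resources],
        "Compliance": {"Status": "FAILED"},
    }, separators=(",", ":"))


SAMPLE_LINES = [
    _finding("f-1", GUARDDUTY, 70, [("AwsEc2::Instance", EC2)]),
    _finding("f-2", PRIVATE, 20, [("AwsS3::Bucket", BUCKET)]),
    _finding("f-3", GUARDDUTY, 40, [("AwsEc2::Instance", EC2)]),
    _finding("f-4", GUARDDUTY, 90, [("AwsEc2::Instance", EC2), ("AwsEc2::SecurityGroup", SG)]),
]

# Query field name -> JSON path, mirroring the json operator's "as ..." list.
FIELDS = {
    "aws_account_id": "AwsAccountId", "finding_id": "Id", "generator_id": "GeneratorId",
    "product_arn": "ProductArn", "created_at": "CreatedAt", "updated_at": "UpdatedAt",
    "severity_normalized": "Severity.Normalized", "sourceurl": "SourceUrl",
    "compliance_status": "Compliance.Status",
}


def json_path(obj, path):
    """Walk a dotted path; None when absent, which is what 'nodrop' keeps in the row."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract(line):
    """One query row for one log line: scalar fields plus the regex-parsed list fields."""
    finding = json.loads(line)
    row = {name: json_path(finding, path) for name, path in FIELDS.items()}
    # The query runs its regexes over the serialized Types and Resources arrays.
    types_text = json.dumps(finding.get("Types", []), separators=(",", ":"))
    resources_text = json.dumps(finding.get("Resources", []), separators=(",", ":"))
    row["finding_types"] = re.findall(r'"(.*?)"', types_text)
    row["resource_types"] = re.findall(r'"Type":"(.*?)"', resources_text)
    row["resource_ids"] = re.findall(r'"Id":"(.*?)"', resources_text)
    m = re.search(r"product/(?P<finding_provider>.*?)$", row["product_arn"] or "")
    row["finding_provider"] = m.group("finding_provider") if m else None
    return row


def pct(values, p):
    """Nearest-rank percentile; an assumption, since the page does not define pct()."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def severity_by_resource_type(lines):
    """min/p25/p50/p75/max of Severity.Normalized per resource type, one row per resource."""
    buckets = {}
    for row in map(extract, lines):
        if row["severity_normalized"] is None:
            continue
        for resource_type in row["resource_types"]:  # 'multi' explodes a finding per resource
            buckets.setdefault(resource_type, []).append(row["severity_normalized"])
    return {rtype: (min(v), pct(v, 25), pct(v, 50), pct(v, 75), max(v))
            for rtype, v in buckets.items()}


if __name__ == "__main__":
    for row in map(extract, SAMPLE_LINES):
        print(row["finding_id"], row["finding_provider"], row["resource_types"])
    for rtype, stats in severity_by_resource_type(SAMPLE_LINES).items():
        print(rtype, stats)
```

Two things the run makes visible. The `product/(?<finding_provider>.*?)$` parse only yields a provider for ARNs that contain a `product/` segment; a finding with the `provider:private/default` ARN shown in the log example gets an empty finding_provider, so filter on product_arn directly if you need those. And because the resource parses use `multi`, a finding that lists two resources contributes its severity to two resource_type groups, which is what you want for a per-resource view but inflates finding counts if you later count by resource_type.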

In Sumo Logic, open a Live Tail tab and run a search to verify that Sumo Logic is receiving findings. Search by the source category assigned to the S3 Source that receives the log data, for example:

For more information about using Live Tail, see Live Tail.