Collect Findings for the Amazon Inspector App
Collection overview
Sumo Logic provides a serverless solution for creating a CloudWatch events rule and a Lambda function (SecurityHubCollector) to extract findings from AWS Security Hub.
Findings from AWS services (AWS Security Hub) are delivered to CloudWatch Events as events in near real time. The Lambda function parses those events and sends them to an S3 bucket. Sumo Logic then collects the findings data using an S3 bucket source on a Sumo Logic hosted collector. The Lambda function setup is defined using Serverless Application Model (SAM) specifications and is published in AWS Serverless Application Repository.
Step 1: Add a hosted collector and AWS S3 source
This section shows how to add a hosted Sumo Logic collector and an AWS S3 source that collects the events for the AWS Security Hub App.
Prerequisites
An AWS Source must be associated with a Sumo Logic Hosted Collector. Before creating the S3 source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.
To add a hosted collector and AWS S3 source
- To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.
- Add an AWS Source for the S3 Source to Sumo Logic, and in Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:
  - Specify Format as `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`
  - Specify Timestamp locator as `.*"UpdatedAt":"(.*)".*`
- Click Add.
Step 2: Deploy an AWS Security Hub App collector
The AWS Security Hub App collector transforms the received events and sends them to Sumo Logic. The AWS Security Hub App displays the results in pre-defined visual dashboards for you to analyze.
To deploy an AWS Security Hub App collector
- Open a browser window and enter the following URL: https://serverlessrepo.aws.amazon.com/applications
- In the Serverless Application Repository, search for sumologic.
- Select the Show apps that create custom IAM roles or resource policies check box.
- Click the sumologic-securityhub-collector link, and then click Deploy.
- In the AWS Lambda > Functions > Application Settings panel, in S3SourceBucketName, enter the name of the bucket you configured when you defined the S3 source.
- Scroll to the bottom of the window and click Deploy.
Log example
The following is an example of an AWS Security Hub log.
{"SchemaVersion":"2018-10-08","ProductArn":"arn:aws:securityhub:us-west-2:123456789012:provider:private/default","AwsAccountId":"123456789012","Id":"test_finding_123456","GeneratorId":"TestDetector","Types":["Software and Configuration Checks/Vulnerabilities/CVE"],"CreatedAt":"2018-11-06T13:22:13.933Z","UpdatedAt":"2018-11-07T14:22:13.933Z","Severity":{"Product":10.0,"Normalized":30},"Title":"Unprotected port 22 found on instance i-01234567890abcefb","Description":"Test finding was found on instance i-01234567890afbcefa","Resources":[{"Type":"AwsEc2::Instance","Id":"arn:aws:ec2:us-west-2:123456789012:instance:i-01234567890abcefa"}],"SourceUrl":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them","Process":{"Name":"My Process","Path":"/Process/Path"},"RecordState":"ACTIVE","Note":{"Text":"User1 will address this finding","UpdatedBy":"User1","UpdatedAt":"2018-11-03T13:22:13.933Z"}}
Query example
Findings by resource type and severity query:
(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub") | json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources", "Severity.Normalized", "SourceUrl", "Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at, updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop | parse regex field=finding_types "\"(?<finding_type>.*?)\"" multi | parse regex field=resources "\"Type\":\"(?<resource_type>.*?)\"" multi | parse regex field=resources "\"Id\":\"(?<resource_id>.*?)\"" multi | parse regex field=product_arn "product/(?<finding_provider>.*?)$" | min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75), max(severity_normalized) by resource_type
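As an added check (not code from this page or from Sumo Logic), the following Python script applies the Step 1 timestamp locator and the field parses from the query above to a sample built from the log example. Because the locator starts with a greedy `.*`, a backtracking regex engine selects the last "UpdatedAt" on the line, which in the sample is the one inside Note rather than the finding's own; the tighter STRICT_LOCATOR is an assumed alternative, and it is also assumed that Sumo's matcher behaves like Python's re.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample modelled on the page's log example (fictitious ids); Note carries a second UpdatedAt.
SAMPLE_FINDING = {
    "ProductArn": "arn:aws:securityhub:us-west-2:123456789012:provider:private/default",
    "Id": "test_finding_123456",
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
    "UpdatedAt": "2018-11-07T14:22:13.933Z",
    "Severity": {"Product": 10.0, "Normalized": 30},
    "Resources": [{"Type": "AwsEc2::Instance", "Id": "arn:aws:ec2:us-west-2:123456789012:instance:i-01234567890abcefa"}],
    "Note": {"Text": "User1 will address this finding", "UpdatedBy": "User1", "UpdatedAt": "2018-11-03T13:22:13.933Z"},
}
SAMPLE_LINE = json.dumps(SAMPLE_FINDING, separators=(",", ":"))
# Same finding with the Note keys serialized in another order (JSON object key order is not guaranteed).
REORDERED_LINE = json.dumps({**SAMPLE_FINDING, "Note": {"UpdatedAt": "2018-11-03T13:22:13.933Z",
                                                        "UpdatedBy": "User1"}}, separators=(",", ":"))

PAGE_LOCATOR = r'.*"UpdatedAt":"(.*)".*'   # the Timestamp locator from Step 1 of the page
STRICT_LOCATOR = r'"UpdatedAt":"([^"]+)"'   # assumed tighter alternative: first key wins, stops at the closing quote
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"        # strptime equivalent of yyyy-MM-dd'T'HH:mm:ss.SSS'Z'


def locate_timestamp(line: str, locator: str) -> Optional[str]:
    """Apply a locator regex as a leftmost, greedy backtracking engine does and return the capture group."""
    m = re.search(locator, line)
    return m.group(1) if m else None


def parse_timestamp(value: Optional[str]) -> Optional[datetime]:
    """Parse with the Step 1 format; None means the located text is not a timestamp at all."""
    try:
        return datetime.strptime(value or "", TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def summarize(line: str) -> dict:
    """Mirror the field aliases and the multi-valued resource/provider parses of the page's query."""
    f = json.loads(line)
    provider = re.search(r"product/(.*?)$", f.get("ProductArn", ""))
    return {
        "finding_id": f["Id"],
        "severity_normalized": f["Severity"]["Normalized"],
        "finding_types": list(f.get("Types", [])),
        "resource_types": [r["Type"] for r in f.get("Resources", [])],
        "resource_ids": [r["Id"] for r in f.get("Resources", [])],
        "finding_provider": provider.group(1) if provider else None,  # None here: this ARN uses provider:, not product/
    }
```

On REORDERED_LINE the page locator captures `2018-11-03T13:22:13.933Z","UpdatedBy":"User1`, which the Step 1 format cannot parse, while STRICT_LOCATOR still returns the finding's own UpdatedAt.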