Feature - Automate sending security hub findings to slack #1
Comments
Yes, I've been looking for the same thing! Otherwise it's a little bit pointless; I can just stay in the AWS Console.

Is there any progress on this? It is effective as far as the stated purpose goes (it does send the alert to Slack), but yeah, if it's not automated, I'm not sure how this helps with telemetry. AWS's lack of implicit support for SlackOps (vs. official partners) is a little frustrating. I'm thinking I may be able to hack a CloudWatch alarm together, or an SNS topic (but that requires a specific key), which opens up Zapier as an option.
You can create a rule in CloudWatch Events (or Amazon EventBridge) with these contents:
and set the "Target" to the Lambda function that was created by this repo's CloudFormation template. Or, if you want to receive Slack alerts only for failed, high-priority findings, the event rule looks like this:
Thanks Phil. I tried your first example as an event pattern, but I get "No sample event(s) found for the current event pattern" even though there are several findings in Security Hub. Perhaps the filter will only work on future events, though; I'll wait to see if that's the case. The syntax looks right to me on your second example, but I get the following error:

I also got the error on @philm's second example when using CloudWatch Event Rules.

After speaking with AWS support, they confirmed the error and suggested using AWS EventBridge instead. I was able to create the rule there, and you can see all of your CloudWatch Event rules there as well.

I also used EventBridge when I originally set up the event. I've mostly been using EB these days, as I like the event schema registry and discovery tool. Glad you were able to get confirmation from AWS support on the CWE issue.

Is there any way we can make only the new High or Critical findings be notified in Slack?
Take a look at the CloudWatch rule at the end of https://aws.amazon.com/blogs/security/enabling-aws-security-hub-integration-with-aws-chatbot/

-- Ross Warren

On Tue, Jun 30, 2020 at 1:00 PM deepak-revinate ***@***.***> wrote:
@here Is there any way we can make only the new High or Critical findings be notified in Slack?
We are using CloudWatch -> Slack integration -> Jira integration (for resolution) and creating a lot of duplicate tickets, as the check runs every 12 hours.
@rossw7 Thank you for sharing that blog with me.

Yes, I'm facing the same issue. Would it be possible to restrict alerts to only those which are "new"?

I have the same issue. When could it be possible to fix "restrict alerts to only those which are new"?

@philm thank you for your valuable answer.
{

I had the issue of duplicate alerts being sent. You need to filter for items where the Workflow status is NEW, then set all of your existing events to NOTIFIED in the console. Below is a working example for all issues that are CRITICAL, HIGH or MEDIUM:

@d0cketts thank you for your help. Yesterday I put in the code mentioned below; I am still testing that one. If it fails, I will check the one you provided.
{

Hi, I have tried changing the finding to Notified after it sends new findings to the Slack channel; however, the next day it is changed to New by AWS and sent to Slack again. Based on the AWS docs, it seems AWS changes the Notified status to New in some cases: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Workflow.html I was wondering if this is still working for you, or if you found another way to fix that?
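The three pieces the comments above describe are an EventBridge event pattern that selects findings by severity (philm's rule), the Workflow NEW filter plus marking alerted findings NOTIFIED (d0cketts's fix), and the caveat that Security Hub flips NOTIFIED back to NEW on its own (the Workflow API page linked in the last comment). The following is an added example, not code from this repo or from any commenter: it builds that pattern, checks it offline against constructed finding events with a small matcher that follows EventBridge's leaf-path matching, and wraps the `BatchUpdateFindings` call that sets NOTIFIED. The finding IDs, the `ProductArn`, and `FakeSecurityHubClient` are constructed stand-ins; in production the client is `boto3.client("securityhub")`.

```python
"""Added example (not this repo's code). Requires only the standard library."""
import json


def build_pattern(severities=("CRITICAL", "HIGH", "MEDIUM"), failed_only=False):
    """EventBridge pattern for new, active findings at the given severities."""
    findings = {
        "Severity": {"Label": list(severities)},
        "Workflow": {"Status": ["NEW"]},      # drop findings already alerted on
        "RecordState": ["ACTIVE"],
    }
    if failed_only:                           # only findings whose control check failed
        findings["Compliance"] = {"Status": ["FAILED"]}
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": findings},
    }


def _leaf_paths(pattern, prefix=()):
    """Flatten a pattern into (path, allowed values) pairs."""
    for key, value in pattern.items():
        if isinstance(value, dict):
            yield from _leaf_paths(value, prefix + (key,))
        else:
            yield prefix + (key,), list(value)


def _event_values(node, path):
    """Scalar values found at path, descending into every element of any array."""
    if isinstance(node, list):
        return [v for item in node for v in _event_values(item, path)]
    if not path:
        return [] if isinstance(node, dict) else [node]
    if isinstance(node, dict) and path[0] in node:
        return _event_values(node[path[0]], path[1:])
    return []


def matches(pattern, event):
    """True when every pattern leaf has at least one event value in its allowed list,
    which is how EventBridge matches exact-value patterns against arrays like detail.findings."""
    return all(any(v in allowed for v in _event_values(event, path))
               for path, allowed in _leaf_paths(pattern))


def finding_event(finding_id, severity, workflow, compliance="FAILED"):
    """Constructed sample 'Findings - Imported' event, trimmed to the fields the pattern reads."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Id": finding_id,                                                      # constructed
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", # constructed
            "Severity": {"Label": severity},
            "Workflow": {"Status": workflow},
            "Compliance": {"Status": compliance},
            "RecordState": "ACTIVE",
        }]},
    }


SAMPLE_EVENTS = [                                       # constructed inputs, not real findings
    finding_event("f-1", "HIGH", "NEW"),
    finding_event("f-2", "HIGH", "NOTIFIED"),           # already alerted: must be dropped
    finding_event("f-3", "LOW", "NEW"),                 # below the severity cut-off
    finding_event("f-4", "CRITICAL", "NEW", "PASSED"),  # new but compliant
]


def alertable(events, pattern):
    """IDs of the findings the rule would forward to the Slack Lambda."""
    return [ev["detail"]["findings"][0]["Id"] for ev in events if matches(pattern, ev)]


def mark_notified(client, findings):
    """Set Workflow NOTIFIED via securityhub:BatchUpdateFindings (100 identifiers per call).
    Security Hub resets a finding to NEW by itself when Compliance goes from PASSED to
    FAILED/WARNING/NOT_AVAILABLE or RecordState goes ARCHIVED -> ACTIVE, so an alert that
    recurs after this is a genuine state change, not a duplicate."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    processed = []
    for i in range(0, len(ids), 100):
        resp = client.batch_update_findings(FindingIdentifiers=ids[i:i + 100],
                                            Workflow={"Status": "NOTIFIED"})
        processed.extend(resp["ProcessedFindings"])
    return processed


class FakeSecurityHubClient:
    """Offline stand-in for boto3.client('securityhub'); records the calls it receives."""
    def __init__(self):
        self.calls = []

    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}


if __name__ == "__main__":
    pattern = build_pattern()
    print(json.dumps(pattern, indent=2))        # paste this into the EventBridge rule
    print("would alert:", alertable(SAMPLE_EVENTS, pattern))
    print("failed only:", alertable(SAMPLE_EVENTS, build_pattern(failed_only=True)))
```

The printed pattern is what goes into `aws events put-rule --event-pattern file://pattern.json`, with the repo's Lambda added via `aws events put-targets` and an `aws lambda add-permission` grant for `events.amazonaws.com`; the Lambda's role also needs `securityhub:BatchUpdateFindings` if it calls `mark_notified` after posting to Slack.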
I have produced a solution for this problem here: https://github.com/oli-pr/AWS-SecurityHubNotifications |
This is a great repo, but it would be great to have the ability to send findings (say, all High findings) to a Slack channel automatically.