
Feature - Automate sending security hub findings to slack #1

Open
GitHub85 opened this issue Apr 12, 2019 · 17 comments

Comments

@GitHub85

This is a great repo but it would be great to have the ability to send Findings (say all high findings) to a slack channel automatically.

@stuhirst

yes, I've been looking for the same thing! Otherwise it's a little bit pointless, I can just stay in the AWS Console.

@jack-robs

Is there any progress on this? Effective as far as the stated purpose (it does send the alert to Slack), but yeah, if it's not automated, not sure how this helps with telemetry. AWS's lack of implicit support for SlackOps (vs official partners) is a little frustrating.

I'm thinking I may be able to hack a cloudwatch alarm together, or SNS topic (but requires a specific key) which opens up Zapier as an option.

@philm

philm commented Jan 20, 2020

You can create a rule in CloudWatch Events (or Amazon EventBridge) with these contents:

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": [
          "FAILED"
        ]
      }
    }
  }
}

and set the "Target" to the Lambda function that was created in this repo's CloudFormation template.

Or if you want to only receive Slack alerts for failed, high priority findings, the event rule looks like this:

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": [
          "FAILED"
        ]
      },
      "Severity": {
        "Normalized": [ { "numeric": [ ">=", 70 ] } ]
      } 
    }
  }
}
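As an added example (not code from this thread or from the repo), here is the matching logic these event patterns rely on, implemented in Python over constructed sample events: exact-match lists, nested objects, the array-of-findings in `detail.findings`, and the `numeric` operator used in the second pattern. It also exercises the `Workflow.Status: NEW` pattern discussed later in the thread so the two filters can be compared side by side; the sample events and helper names are assumptions, and only the `numeric` operator is implemented.

```python
# Constructed sample events, trimmed to the fields the thread's patterns inspect (one ASFF finding each).
def _event(fid, compliance, normalized, label, workflow):
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{"Id": fid, "Compliance": {"Status": compliance},
                                     "Severity": {"Normalized": normalized, "Label": label},
                                     "Workflow": {"Status": workflow}}]}}

SAMPLE_EVENTS = [_event("f-1", "FAILED", 70, "HIGH", "NEW"),
                 _event("f-2", "FAILED", 40, "MEDIUM", "NOTIFIED"),
                 _event("f-3", "PASSED", 90, "CRITICAL", "NEW")]

# The patterns from this thread: FAILED with Normalized >= 70 (philm), NEW and MEDIUM or above (d0cketts).
PATTERN_FAILED_HIGH = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"],
                       "detail": {"findings": {"Compliance": {"Status": ["FAILED"]},
                                               "Severity": {"Normalized": [{"numeric": [">=", 70]}]}}}}
PATTERN_NEW_MED_PLUS = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"],
                        "detail": {"findings": {"Severity": {"Label": ["MEDIUM", "HIGH", "CRITICAL"]},
                                                "Workflow": {"Status": ["NEW"]}}}}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}

def _numeric_ok(spec, value):
    """EventBridge numeric filter, e.g. [">=", 70] or [">", 0, "<=", 100]: every op/bound pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2]))

def _leaf_ok(rules, value):
    """A leaf rule list matches if ANY rule matches ANY event value (scalar or array)."""
    values = value if isinstance(value, list) else [value]
    return any(_numeric_ok(r["numeric"], v) if isinstance(r, dict) else r == v
               for r in rules for v in values)

def matches(pattern, event):
    """Every pattern key must match; objects recurse, and an event array matches if any element does."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        candidates = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(rule, dict):
            if not any(isinstance(c, dict) and matches(rule, c) for c in candidates):
                return False
        elif not _leaf_ok(rule, event[key]):
            return False
    return True

def matching_ids(pattern, events):
    """Finding Ids a rule with this pattern would forward to the Slack Lambda."""
    return [f["Id"] for e in events if matches(pattern, e) for f in e["detail"]["findings"]]
```

With the three sample findings, the FAILED-and-high rule forwards only f-1, while the NEW-only rule forwards f-1 and f-3 and drops the already-NOTIFIED f-2.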


@cfehring

Thanks Phil. I tried your first example as an event pattern but I get "No sample event(s) found for the current event pattern" even though there are several findings in Security Hub. Perhaps the filter will only work on future events though. I'll wait to see if that's the case.

The syntax looks right to me on your second example but I get the following error:
"Event pattern contains invalid element (can only be Strings enclosed in quotes, numbers, and the unquoted keywords true, false, and null)"

@cfehring

Also refer to PR #3.

@lebolo

lebolo commented Jan 24, 2020

I also got the error on @philm's second example when using CloudWatch Event Rules:

Event pattern contains invalid element (can only be Strings enclosed in quotes, numbers, and the unquoted keywords true, false, and null)

After speaking with AWS support, they confirmed the error and suggested using AWS EventBridge instead. I was able to create the rule there and you can see all of your CloudWatch Event rules there as well.

@philm

philm commented Jan 24, 2020

I also used EventBridge when I originally set up the event. I've mostly been using EB these days, as I like the events schema registry and discovery tool. Glad you were able to get confirmation from AWS support on the CWE issue.

@deepak-revinate

deepak-revinate commented Jun 30, 2020

Is there any way we can make only the new High or Critical findings be notified in Slack?
We are using CloudWatch -> Slack integration -> Jira integration (for resolution) and creating a lot of duplicate tickets, as the check runs every 12 hours.

@rossw7

rossw7 commented Jun 30, 2020 via email

@deepak-revinate

@rossw7 Thank you for sharing that blog with me.
I think I have done the same (using EventBridge) to alert for High and Critical findings.
But the issue I am facing is that AWS Security Hub runs a check every 12 hours and lists the findings.
The finding that was sent to Slack yesterday would be sent again today if it's not resolved.
Is there a way to filter the findings sent to Slack to just the new Critical and High alerts and not the ones that were already sent to Slack before?

@AyhanSetirekli

Yes, I'm facing the same issue. Would it be possible to restrict alerts to only those which are "new"?

@divya751

I have the same issue. When could it be possible to fix "restrict alerts to only those which are "new""?

@manishkumar33352

@philm thank you for your valuable answer.
Can you please help me a bit more on this? I am looking to filter only for "new" alerts (not the "resolved" ones) generated by Security Hub and then trigger the CloudWatch event.
Will the code you suggested work if I replace "FAILED" with "New"?

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "detail": {
    "findings": {
      "Compliance": {
        "Status": [
          "FAILED"
        ]
      }
    }
  }
}

@d0cketts

I had the issue of duplicate alerts being sent. You need to filter for items where the Workflow status is NEW, then set all of your existing events to NOTIFIED in the console. Below is a working example for all issues that are CRITICAL, HIGH or MEDIUM:

{ "detail-type": ["Security Hub Findings - Imported"], "source": ["aws.securityhub"], "detail": { "findings": { "Severity": { "Label": [ "MEDIUM", "HIGH", "CRITICAL" ] }, "Workflow": { "Status": [ "NEW" ] } } } }

@manishkumar33352

@d0cketts thank you for your help. Yesterday I put in the code mentioned below; I am still testing that one. If it fails I will check the one you provided.

{
  "source": [
    "aws.securityhub"
  ],
  "detail": {
    "findings": {
      "Workflow": {
        "Status": [
          "NEW"
        ]
      },
      "Severity": {
        "Normalized": [
          40, 41, 42, 43, 44, 45, 46, 47, 48, 49,
          50, 51, 52, 53, 54, 55, 56, 57, 58, 59,
          60, 61, 62, 63, 64, 65, 66, 67, 68, 69,
          70, 71, 72, 73, 74, 75, 76, 77, 78, 79,
          80, 81, 82, 83, 84, 85, 86, 87, 88, 89,
          90, 91, 92, 93, 94, 95, 96, 97, 98, 99,
          100
        ]
      }
    }
  }
}

@mfarrokhnia

I had the issue of duplicate alerts being sent. You need to filter for items where the Workflow status is NEW, then set all of your existing events to NOTIFIED in the console. Below is a working example for all issues that are CRITICAL, HIGH or MEDIUM:

{ "detail-type": ["Security Hub Findings - Imported"], "source": ["aws.securityhub"], "detail": { "findings": { "Severity": { "Label": [ "MEDIUM", "HIGH", "CRITICAL" ] }, "Workflow": { "Status": [ "NEW" ] } } } }

Hi, I have tried to change the finding to Notified after it sends New findings to the Slack channel; however, the next day it is changed back to New by AWS and they are sent to Slack again. Based on the AWS doc, it seems AWS changes the Notified status to New in some cases: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Workflow.html I was wondering if this is still working for you or if you found another way to fix that?
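As an added example (not code from this repo or from any commenter), this is the approach d0cketts describes and mfarrokhnia questions, written as the Lambda side: post each finding to Slack, then call BatchUpdateFindings to set Workflow.Status to NOTIFIED so the next 12-hourly re-import no longer matches a NEW-only rule. The `SLACK_WEBHOOK_URL` variable name, the sample event and the RecordingClient stand-in are assumptions so it can run without AWS credentials.

```python
import json
import os
import urllib.request

def slack_message(finding):
    """Slack webhook payload for one ASFF finding (Title and Severity.Label are standard ASFF fields)."""
    label = finding.get("Severity", {}).get("Label", "UNKNOWN")
    return {"text": f"[{label}] {finding.get('Title', 'untitled finding')} ({finding['Id']})"}

def post_to_slack(payload, webhook_url):
    """POST the payload to a Slack incoming-webhook URL; returns the HTTP status."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

def notify_and_mark(event, securityhub, send):
    """Send every finding in the event to Slack, then set its Workflow.Status to NOTIFIED so the
    12-hourly re-import no longer matches a rule filtering on Workflow.Status == NEW.
    securityhub is a boto3 Security Hub client (or a stand-in); send(payload) delivers one message."""
    identifiers = []
    for finding in event["detail"]["findings"]:
        send(slack_message(finding))
        identifiers.append({"Id": finding["Id"], "ProductArn": finding["ProductArn"]})
    # BatchUpdateFindings accepts up to 100 identifiers per call and needs securityhub:BatchUpdateFindings
    # on the Lambda role. Per the Workflow API doc linked above, Security Hub resets NOTIFIED back to NEW
    # when a finding is re-opened (e.g. compliance goes PASSED -> FAILED), so those are re-sent on purpose.
    for start in range(0, len(identifiers), 100):
        securityhub.batch_update_findings(FindingIdentifiers=identifiers[start:start + 100],
                                          Workflow={"Status": "NOTIFIED"})
    return identifiers

def lambda_handler(event, context):
    import boto3  # present in the Lambda Python runtime; imported here so the module also loads offline
    webhook = os.environ["SLACK_WEBHOOK_URL"]
    return notify_and_mark(event, boto3.client("securityhub"), lambda p: post_to_slack(p, webhook))

# Constructed event for running this offline: one HIGH finding as the NEW-only rule would deliver it.
SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [{"Id": "f-1-constructed", "Title": "Constructed example finding",
                                         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
                                         "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"}}]}}

class RecordingClient:
    """Stand-in for the boto3 client so the flow runs without AWS credentials; records each update call."""
    def __init__(self):
        self.calls = []
    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}
```

Findings that Security Hub itself flips back to NEW (re-opened compliance checks) will still come through, which is the behaviour mfarrokhnia observed and is the intended signal rather than a duplicate.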

@oli-pr

oli-pr commented Sep 24, 2021

I have produced a solution for this problem here: https://github.com/oli-pr/AWS-SecurityHubNotifications
