From 1800ba566718e72a5742453df274b8c347f40dd7 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 4 Aug 2025 10:49:12 +0530 Subject: [PATCH 1/4] update AWS security docs --- docs/integrations/amazon-aws/guardduty.md | 18 ++++++++++-------- docs/integrations/amazon-aws/inspector.md | 6 +++--- docs/integrations/amazon-aws/security-hub.md | 16 +++++++++------- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/docs/integrations/amazon-aws/guardduty.md b/docs/integrations/amazon-aws/guardduty.md index 7fbc0bb0dd..dfed71b884 100644 --- a/docs/integrations/amazon-aws/guardduty.md +++ b/docs/integrations/amazon-aws/guardduty.md 
@@ -178,12 +178,14 @@ _sourceCategory=aws/guardduty ## Collecting logs for the Amazon GuardDuty app -You can collect the Amazon GuardDuty logs using two methods: +You can collect the Amazon GuardDuty logs using the following methods and send them to Sumo Logic via an HTTP endpoint: -- [Method 1: Collecting Amazon GuardDuty logs using EventBridge](#method-1-collecting-amazon-guardduty-logs-using-eventbridge) -- [Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint](#method-2-collecting-amazon-guardduty-logs-using-sumo-logic-http-endpoint) +- [Method 1: Using AWS EventBridge](#method-1-collecting-amazon-guardduty-logs-using-aws-eventbridge-preferred) +- [Method 2: Using AWS Lambda function](#method-2-collecting-amazon-guardduty-logs-using-aws-lambda-function) -### Method 1: Collecting Amazon GuardDuty logs using EventBridge +For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process. + +### Method 1: Collecting Amazon GuardDuty logs using AWS EventBridge (Preferred) This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. @@ -194,7 +196,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs #### Step 2: Configure EventBridge API destination Follow the steps below to configure the EventBridge API destination: -1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/). 1. In the navigation bar, click **API destinations**. 1. Click **Create destination**. 1. Enter a name for the API Destination. 
@@ -208,7 +210,7 @@ Follow the steps below to configure the EventBridge API destination: #### Step 3: Create the EventBridge rule Follow the steps below to create the EventBridge rule: -1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/). 1. In the navigation bar, click **Rules**. 1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. 1. Select **All Events** in Event Type. @@ -217,9 +219,9 @@ Follow the steps below to create the EventBridge rule: 1. Select **Create a new role for this specific resource** in the **Execution role**. 1. Click **Create** to activate the rule. -### Method 2: Collecting Amazon GuardDuty logs using Sumo Logic HTTP endpoint +### Method 2: Collecting Amazon GuardDuty logs using AWS Lambda function -This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. +This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic via an HTTP endpoint. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. - Amazon GuardDuty sends notifications based on CloudWatch events when new findings, or new occurrences of existing findings, are generated. - A CloudWatch events rule enables CloudWatch to send events for the GuardDuty findings to the Sumo `CloudWatchEventFunction` Lambda function. diff --git a/docs/integrations/amazon-aws/inspector.md b/docs/integrations/amazon-aws/inspector.md index efda4fdde0..ac5ac0daa4 100644 --- a/docs/integrations/amazon-aws/inspector.md +++ b/docs/integrations/amazon-aws/inspector.md 
@@ -20,7 +20,7 @@ You can collect Security Hub logs using three methods: - [Method 1: Collecting Security Hub logs using EventBridge](#method-1-collecting-security-hub-logs-using-eventbridge) - [Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint](#method-2-collect-security-hub-logs-using-sumo-logic-http-endpoint) --[Method 3: Collect Security Hub logs using Amazon S3 source](#method-3-collect-security-hub-logs-using-amazon-s3-source) +- [Method 3: Collect Security Hub logs using Amazon S3 source](#method-3-collect-security-hub-logs-using-amazon-s3-source) ### Method 1: Collecting Security Hub logs using EventBridge @@ -33,7 +33,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs #### Step 2: Configure EventBridge API destination Follow the steps below to configure the EventBridge API destination: -1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/). 1. In the navigation bar, click **API destinations**. 1. Click **Create destination**. 1. Enter a name for the API Destination. @@ -47,7 +47,7 @@ Follow the steps below to configure the EventBridge API destination: #### Step 3: Create the EventBridge rule Follow the steps below to create the EventBridge rule: -1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/). 1. In the navigation bar, click **Rules**. 1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. 1. Select **All Events** in Event Type. diff --git a/docs/integrations/amazon-aws/security-hub.md b/docs/integrations/amazon-aws/security-hub.md index a11a0fc4df..3db4afa603 100644 --- a/docs/integrations/amazon-aws/security-hub.md 
+++ b/docs/integrations/amazon-aws/security-hub.md @@ -165,14 +165,16 @@ In the case of a problem, perform the following tasks to discover the cause. ## Collecting findings for the AWS Security Hub CSPM app -You can collect the AWS Security Hub CSPM logs using two methods: +You can collect the AWS Security Hub CSPM logs using the following methods: -- [Method 1: Collecting AWS Security Hub CSPM Logs using EventBridge](#method-1-collecting-aws-security-hub-cspm-logs-using-eventbridge) -- [Method 2: Collecting Security Hub CSPM Logs using Sumo Logic HTTP endpoint](#method-2-collecting-security-hub-cspm-logs-using-sumo-logic-http-endpoint) +- [Method 1: Using AWS EventBridge and sending the logs to Sumo Logic via an HTTP endpoint](#method-1-collecting-aws-security-hub-cspm-logs-using-aws-eventbridge-preferred) +- [Method 2: Using AWS Lambda function and sending the logs to Sumo Logic via Amazon S3 Source](#method-2-collecting-aws-security-hub-cspm-logs-using-aws-lambda-function) + +For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process. Before collecting logs, ensure that Security Hub is enabled on your AWS account. For more information, see the AWS Security Hub CSPM documentation for [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). -### Method 1: Collecting AWS Security Hub CSPM logs using EventBridge +### Method 1: Collecting AWS Security Hub CSPM logs using AWS EventBridge (Preferred) This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. 
@@ -183,7 +185,7 @@ To create an HTTP source in Sumo Logic, see [HTTP Logs and Metrics Source](/docs #### Step 2: Configure EventBridge API destination Follow the steps below to configure the EventBridge API destination: -1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/). 1. In the navigation bar, click **API destinations**. 1. Click **Create destination**. 1. Enter a name for the API Destination. @@ -197,7 +199,7 @@ Follow the steps below to configure the EventBridge API destination: #### Step 3: Create the EventBridge rule Follow the steps below to configure the EventBridge rule: -1. Sign in to your [Amazon EventBridge Console](https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/). +1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/). 1. In the navigation bar, click **Rules**. 1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. 1. Select **All Events** in Event Type. @@ -206,7 +208,7 @@ Follow the steps below to configure the EventBridge rule: 1. Select **Create a new role for this specific resource** in the **Execution role**. 1. Click **Create** to activate the rule. -### Method 2: Collecting Security Hub CSPM Logs using Sumo Logic HTTP endpoint +### Method 2: Collecting AWS Security Hub CSPM Logs using AWS Lambda function This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. From 2bdcc4a063c5e737e4af162d608fca31b7356041 Mon Sep 17 00:00:00 2001 
From: Amee Lepcha Date: Thu, 7 Aug 2025 23:08:17 +0530 Subject: [PATCH 2/4] Edit the headings and minor indentation fixes --- docs/integrations/amazon-aws/guardduty.md | 8 +- docs/integrations/amazon-aws/inspector.md | 132 ++++++++++--------- docs/integrations/amazon-aws/security-hub.md | 124 +++++++++-------- 3 files changed, 133 insertions(+), 131 deletions(-) diff --git a/docs/integrations/amazon-aws/guardduty.md b/docs/integrations/amazon-aws/guardduty.md index dfed71b884..91cc62bdcd 100644 --- a/docs/integrations/amazon-aws/guardduty.md +++ b/docs/integrations/amazon-aws/guardduty.md @@ -180,12 +180,12 @@ _sourceCategory=aws/guardduty You can collect the Amazon GuardDuty logs using the following methods and send them to Sumo Logic via an HTTP endpoint: -- [Method 1: Using AWS EventBridge](#method-1-collecting-amazon-guardduty-logs-using-aws-eventbridge-preferred) -- [Method 2: Using AWS Lambda function](#method-2-collecting-amazon-guardduty-logs-using-aws-lambda-function) +- [Method 1: GuardDuty > EventBridge > Sumo Logic via HTTP](#method-1-guardduty--eventbridge--sumo-logic-via-http-preferred) +- [Method 2: GuardDuty > Lambda Function > Sumo Logic via HTTP](#method-2-guardduty--lambda-function--sumo-logic-via-http-alternative) For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process. -### Method 1: Collecting Amazon GuardDuty logs using AWS EventBridge (Preferred) +### Method 1: GuardDuty > EventBridge > Sumo Logic via HTTP (Preferred) This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. 
@@ -219,7 +219,7 @@ Follow the steps below to create the EventBridge rule: 1. Select **Create a new role for this specific resource** in the **Execution role**. 1. Click **Create** to activate the rule. -### Method 2: Collecting Amazon GuardDuty logs using AWS Lambda function +### Method 2: GuardDuty > Lambda Function > Sumo Logic via HTTP (Alternative) This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic via an HTTP endpoint. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. diff --git a/docs/integrations/amazon-aws/inspector.md b/docs/integrations/amazon-aws/inspector.md index ac5ac0daa4..6c4e5cafa3 100644 --- a/docs/integrations/amazon-aws/inspector.md +++ b/docs/integrations/amazon-aws/inspector.md 
@@ -14,15 +14,75 @@ Amazon Inspector is an automated vulnerability management service that continual For information about integrating Amazon Inspector with Security Hub, see [Integration with AWS Security Hub](https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html) in Amazon help. ::: -## Collecting findings for the Amazon Inspector app +## Log types -You can collect Security Hub logs using three methods: +### Sample log messages + +```json title="AWS Security Hub log" +{ + "SchemaVersion": "2018-10-08", + "ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default", + "AwsAccountId": "123456789012", + "Id": "test_finding_123456", + "GeneratorId": "TestDetector", + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "CreatedAt": "2018-11- 06T13:22:13.933Z", + "UpdatedAt": "2018-11-07T14:22:13.933Z", + "Severity": { + "Product": 10, + "Normalized": 30 + }, + "Title": "Unprotected port 22 found on instance i-01234567890abcefb", + "Description": "Test finding was found on instance i- 01234567890afbcefa", + "Resources": [ + { + "Type": "AwsEc2::Instance", + "Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa" + } + ], + "SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them", + "Process": { + "Name": "My Process", + "Path": "/Process/Path" + }, + "RecordState": "ACTIVE", + "Note": { + "Text": "User1 will address this finding", + "UpdatedBy": "User1", + "UpdatedAt": "2018-11-03T13:22:13.933Z" + } +} +``` + +### Sample queries + +```sql title="Findings by resource type and severity query" +(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub") +| json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources", + "Severity.Normalized", "SourceUrl", +"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at, + updated_at, resources, severity_normalized, 
sourceurl, finding_types, compliance_status nodrop +| parse regex field=finding_types "\"(?.*?)\"" multi +| parse regex field=resources "\"Type\":\"(?.*?)\"" multi +| parse regex field=resources "\"Id\":\"(?.*?)\"" multi +| parse regex field=product_arn "product/(?.*?)$" +| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75), + max(severity_normalized) by resource_type +``` + +## Collecting logs for the Amazon Inspector app + +You can collect the Amazon Inspector logs using the following methods: -- [Method 1: Collecting Security Hub logs using EventBridge](#method-1-collecting-security-hub-logs-using-eventbridge) -- [Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint](#method-2-collect-security-hub-logs-using-sumo-logic-http-endpoint) -- [Method 3: Collect Security Hub logs using Amazon S3 source](#method-3-collect-security-hub-logs-using-amazon-s3-source) +- [Method 1: Inspector > EventBridge > Sumo Logic via HTTP](#method-1-inspector--eventbridge--sumo-logic-via-http-preferred) +- [Method 2: Inspector > Lambda Function > Sumo Logic via HTTP](#method-2-inspector--eventbridge--sumo-logic-via-http-alternative) +- [Method 3: Inspector > Lambda Function > Amazon S3 > Sumo Logic via S3 Source](#method-3-inspector--lambda-function--amazon-s3--sumo-logic-via-s3-source-alternative) -### Method 1: Collecting Security Hub logs using EventBridge +For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process. + +### Method 1: Inspector > EventBridge > Sumo Logic via HTTP (Preferred) This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. 
@@ -56,7 +116,7 @@ Follow the steps below to create the EventBridge rule: 1. Select **Create a new role for this specific resource** in the **Execution role**. 1. Click **Create** to activate the rule. -### Method 2: Collect Security Hub logs using Sumo Logic HTTP endpoint +### Method 2: Inspector > EventBridge > Sumo Logic via HTTP (Alternative) This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. @@ -94,7 +154,7 @@ To deploy an AWS Security Hub app collector: 5. In the **AWS Lambda > Functions > Application Settings** panel, enter the endpoint **HTTP endpoint** of the source that you configured. 6. Scroll to the bottom of the window and click **Deploy**. -### Method 3: Collect Security Hub logs using Amazon S3 source +### Method 3: Inspector > Lambda Function > Amazon S3 > Sumo Logic via S3 Source (Alternative) This method uses a Lambda function to process findings, store them in an S3 bucket, and retrieve them through Sumo Logic's S3 Source. It is ideal for scenarios that require data archiving. 
@@ -127,62 +187,6 @@ To deploy an AWS Security Hub app collector: 5. In the **AWS Lambda > Functions > Application Settings** panel, enter the name of the **S3SourceBucketName** for the bucket you configured (when you defined the S3 source). 6. Scroll to the bottom of the window and click **Deploy**. -### Sample log messages - -```json title="AWS Security Hub log" -{ - "SchemaVersion": "2018-10-08", - "ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default", - "AwsAccountId": "123456789012", - "Id": "test_finding_123456", - "GeneratorId": "TestDetector", - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "CreatedAt": "2018-11- 06T13:22:13.933Z", - "UpdatedAt": "2018-11-07T14:22:13.933Z", - "Severity": { - "Product": 10, - "Normalized": 30 - }, - "Title": "Unprotected port 22 found on instance i-01234567890abcefb", - "Description": "Test finding was found on instance i- 01234567890afbcefa", - "Resources": [ - { - "Type": "AwsEc2::Instance", - "Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa" - } - ], - "SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them", - "Process": { - "Name": "My Process", - "Path": "/Process/Path" - }, - "RecordState": "ACTIVE", - "Note": { - "Text": "User1 will address this finding", - "UpdatedBy": "User1", - "UpdatedAt": "2018-11-03T13:22:13.933Z" - } -} -``` - -### Sample queries - -```sql title="Findings by resource type and severity query" -(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub") -| json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources", - "Severity.Normalized", "SourceUrl", -"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at, - updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop -| parse regex field=finding_types "\"(?.*?)\"" multi -| parse regex field=resources 
"\"Type\":\"(?.*?)\"" multi -| parse regex field=resources "\"Id\":\"(?.*?)\"" multi -| parse regex field=product_arn "product/(?.*?)$" -| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75), - max(severity_normalized) by resource_type -``` - ## Installing the Amazon Inspector app Once you've set up ingestion of findings from AWS Security Hub, you can install the Sumo Logic app for Amazon Inspector and use the pre-configured searches and dashboards. diff --git a/docs/integrations/amazon-aws/security-hub.md b/docs/integrations/amazon-aws/security-hub.md index 3db4afa603..1bb82a4909 100644 --- a/docs/integrations/amazon-aws/security-hub.md +++ b/docs/integrations/amazon-aws/security-hub.md 
@@ -29,6 +29,62 @@ For more information on AWS Security Hub CSPM, refer to the [Amazon AWS Security The AWS Security Hub CSPM utilizes the [Amazon findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html) log types. +### Sample log messages + +```json title="AWS Security Hub CSPM log" +{ + "SchemaVersion": "2018-10-08", + "ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default", + "AwsAccountId": "123456789012", + "Id": "test_finding_123456", + "GeneratorId": "TestDetector", + "Types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "CreatedAt": "2018-11- 06T13:22:13.933Z", + "UpdatedAt": "2018-11-07T14:22:13.933Z", + "Severity": { + "Product": 10, + "Normalized": 30 + }, + "Title": "Unprotected port 22 found on instance i-01234567890abcefb", + "Description": "Test finding was found on instance i- 01234567890afbcefa", + "Resources": [ + { + "Type": "AwsEc2::Instance", + "Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa" + } + ], + "SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them", + "Process": { + "Name": "My Process", + "Path": "/Process/Path" + }, + "RecordState": "ACTIVE", + "Note": { + "Text": "User1 will address this finding", + "UpdatedBy": "User1", + "UpdatedAt": "2018-11-03T13:22:13.933Z" + } +} +``` + +### Sample queries + +```sql title="Findings by resource type and severity query" +(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub") +| json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources", + "Severity.Normalized", "SourceUrl", +"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at, + updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop +| parse regex field=finding_types "\"(?.*?)\"" multi +| parse regex field=resources "\"Type\":\"(?.*?)\"" multi +| parse regex 
field=resources "\"Id\":\"(?.*?)\"" multi +| parse regex field=product_arn "product/(?.*?)$" +| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75), + max(severity_normalized) by resource_type +``` + ## Sending findings to the AWS Security Hub CSPM forwarder This section shows you how to enable Sumo Logic as a Finding Provider, deploy the AWS Security Hub CSPM forwarder, create a Webhook connection, and create a scheduled search. 
@@ -163,18 +219,18 @@ In the case of a problem, perform the following tasks to discover the cause. ``` 4. Check the CloudWatch logs for the Lambda function. Sumo Logic saves Lambda function logs to CloudWatch in a log group: `/aws/lambda/`. Check this log for any errors during lambda execution. -## Collecting findings for the AWS Security Hub CSPM app +## Collecting logs for the AWS Security Hub CSPM app You can collect the AWS Security Hub CSPM logs using the following methods: -- [Method 1: Using AWS EventBridge and sending the logs to Sumo Logic via an HTTP endpoint](#method-1-collecting-aws-security-hub-cspm-logs-using-aws-eventbridge-preferred) -- [Method 2: Using AWS Lambda function and sending the logs to Sumo Logic via Amazon S3 Source](#method-2-collecting-aws-security-hub-cspm-logs-using-aws-lambda-function) +- [Method 1: AWS Security Hub CSPM > EventBridge > Sumo Logic via HTTP](#method-1-security-hub-cspm-eventbridge--sumo-logic-via-http-preferred) +- [Method 2: AWS Security Hub CSPM > Lambda Function > Amazon S3 > Sumo Logic via S3 Source](#method-2-aws-security-hub-cspm--lambda-function--amazon-s3--sumo-logic-via-s3-source-alternative) For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process. Before collecting logs, ensure that Security Hub is enabled on your AWS account. For more information, see the AWS Security Hub CSPM documentation for [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). -### Method 1: Collecting AWS Security Hub CSPM logs using AWS EventBridge (Preferred) +### Method 1: Security Hub CSPM> EventBridge > Sumo Logic via HTTP (Preferred) This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. 
By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. @@ -208,7 +264,7 @@ Follow the steps below to configure the EventBridge rule: 1. Select **Create a new role for this specific resource** in the **Execution role**. 1. Click **Create** to activate the rule. -### Method 2: Collecting AWS Security Hub CSPM Logs using AWS Lambda function +### Method 2: AWS Security Hub CSPM > Lambda Function > Amazon S3 > Sumo Logic via S3 Source (Alternative) This method uses an AWS Lambda function to process, store, and forward logs to Sumo Logic. While it offers a robust solution, it introduces additional AWS resources, such as Lambda, which can increase both cost and complexity. 
@@ -246,64 +302,6 @@ To deploy an AWS Security Hub CSPM App collector: 5. In the **AWS Lambda > Functions > Application Settings** panel, enter the name of the **S3SourceBucketName** for the bucket you configured (when you defined the S3 source). 6. Scroll to the bottom of the window and click **Deploy**. - -### Sample log messages - -```json title="AWS Security Hub CSPM log" -{ - "SchemaVersion": "2018-10-08", - "ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default", - "AwsAccountId": "123456789012", - "Id": "test_finding_123456", - "GeneratorId": "TestDetector", - "Types": [ - "Software and Configuration Checks/Vulnerabilities/CVE" - ], - "CreatedAt": "2018-11- 06T13:22:13.933Z", - "UpdatedAt": "2018-11-07T14:22:13.933Z", - "Severity": { - "Product": 10, - "Normalized": 30 - }, - "Title": "Unprotected port 22 found on instance i-01234567890abcefb", - "Description": "Test finding was found on instance i- 01234567890afbcefa", - "Resources": [ - { - "Type": "AwsEc2::Instance", - "Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa" - } - ], - "SourceUrl": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them", - "Process": { - "Name": "My Process", - "Path": "/Process/Path" - }, - "RecordState": "ACTIVE", - "Note": { - "Text": "User1 will address this finding", - "UpdatedBy": "User1", - "UpdatedAt": "2018-11-03T13:22:13.933Z" - } -} -``` - - -### Sample queries - -```sql title="Findings by resource type and severity query" -(_sourceCategory="securityhub_findings" OR _sourceCategory="Labs/AWS/SecurityHub") -| json "AwsAccountId", "Id", "GeneratorId", "ProductArn", "CreatedAt", "UpdatedAt", "Resources", - "Severity.Normalized", "SourceUrl", -"Types", "Compliance.Status" as aws_account_id, finding_id, generator_id, product_arn, created_at, - updated_at, resources, severity_normalized, sourceurl, finding_types, compliance_status nodrop -| parse regex field=finding_types "\"(?.*?)\"" multi -| parse regex 
field=resources "\"Type\":\"(?.*?)\"" multi -| parse regex field=resources "\"Id\":\"(?.*?)\"" multi -| parse regex field=product_arn "product/(?.*?)$" -| min(severity_normalized), pct(severity_normalized,25), pct(severity_normalized,50), pct(severity_normalized,75), - max(severity_normalized) by resource_type -``` - ## Installing the AWS Security Hub CSPM app Now that you have set up ingestion and collected findings for AWS Security Hub CSPM, you can install the Sumo Logic app for AWS Security Hub CSPM and use the preconfigured searches and dashboards that provide insight into your data. From ad078d45b575e7c8aafda58ce5209d7460783bef Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 8 Aug 2025 12:45:32 +0530 Subject: [PATCH 3/4] Update security-hub.md --- docs/integrations/amazon-aws/security-hub.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/integrations/amazon-aws/security-hub.md b/docs/integrations/amazon-aws/security-hub.md index 1bb82a4909..caf605debd 100644 --- a/docs/integrations/amazon-aws/security-hub.md +++ b/docs/integrations/amazon-aws/security-hub.md 
@@ -19,7 +19,7 @@ The Sumo Logic app for AWS Security Hub CSPM leverages findings data from Securi Sumo Logic provides a seamless bi-directional integration with AWS Security Hub CSPM with the following: * **[AWS Security Hub CSPM forwarder](#sending-findings-to-the-aws-security-hub-cspm-forwarder)** - This solution forwards (sends) scheduled search results and alerts (as findings) to AWS Security Hub CSPM. -* **[AWS Security Hub CSPM collector](#collecting-findings-for-the-aws-security-hub-cspm-app)** - This solution collects findings from AWS Security Hub CSPM to Sumo Logic where they are displayed in visual pre-defined dashboards. +* **[AWS Security Hub CSPM collector](#collecting-logs-for-the-aws-security-hub-cspm-app)** - This solution collects findings from AWS Security Hub CSPM to Sumo Logic where they are displayed in visual pre-defined dashboards. The Sumo Logic integration with AWS Security Hub CSPM extends compliance checks to other key regulatory frameworks such as PCI, GDPR, HIPAA, and others. @@ -230,7 +230,7 @@ For efficiency and seamless integration, Method 1 using AWS EventBridge is prefe Before collecting logs, ensure that Security Hub is enabled on your AWS account. For more information, see the AWS Security Hub CSPM documentation for [Setting Up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). -### Method 1: Security Hub CSPM> EventBridge > Sumo Logic via HTTP (Preferred) +### Method 1: Security Hub CSPM > EventBridge > Sumo Logic via HTTP (Preferred) This method leverages AWS EventBridge to streamline the logging process by sending data directly to Sumo Logic via an HTTP endpoint. By eliminating intermediary services such as Lambda, it offers a more straightforward and cost-effective solution. From 220b37307ade9667563f9080411ff0f26a47c5ba Mon Sep 17 00:00:00 2001 
From: Amee Lepcha Date: Fri, 8 Aug 2025 13:01:35 +0530 Subject: [PATCH 4/4] Update security-hub.md --- docs/integrations/amazon-aws/security-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/amazon-aws/security-hub.md b/docs/integrations/amazon-aws/security-hub.md index caf605debd..7611451042 100644 --- a/docs/integrations/amazon-aws/security-hub.md +++ b/docs/integrations/amazon-aws/security-hub.md @@ -223,7 +223,7 @@ In the case of a problem, perform the following tasks to discover the cause. You can collect the AWS Security Hub CSPM logs using the following methods: -- [Method 1: AWS Security Hub CSPM > EventBridge > Sumo Logic via HTTP](#method-1-security-hub-cspm-eventbridge--sumo-logic-via-http-preferred) +- [Method 1: AWS Security Hub CSPM > EventBridge > Sumo Logic via HTTP](#method-1-security-hub-cspm--eventbridge--sumo-logic-via-http-preferred) - [Method 2: AWS Security Hub CSPM > Lambda Function > Amazon S3 > Sumo Logic via S3 Source](#method-2-aws-security-hub-cspm--lambda-function--amazon-s3--sumo-logic-via-s3-source-alternative) For efficiency and seamless integration, Method 1 using AWS EventBridge is preferred, as it leverages native AWS services to reduce resource overhead and simplify the process.
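Review bot: In PATCH 1/4, the six link changes of the form `1. Sign in to your [Amazon EventBridge Console](https://aws.amazon.com/eventbridge/).` across guardduty.md, inspector.md and security-hub.md replace a console deep link with the EventBridge product page, while the link text still tells the reader to sign in to the console. If the intent was only to drop the hard-coded `us-east-1` region, point the link at the region-neutral console path (for example `https://console.aws.amazon.com/events/`) rather than the marketing page, so the step lands where the reader can actually create the API destination and rule.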
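Review bot: In PATCH 1/4, guardduty.md hunk `@@ -208,7 +210,7 @@`, the unchanged context line `1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service.` reads like a leftover from the Security Hub page: this is the GuardDuty collection guide, and the Method 2 text in the same file says GuardDuty itself emits the CloudWatch events for new findings. Either change the rule's service to GuardDuty, or add a sentence stating that Method 1 relies on the GuardDuty to Security Hub integration and that Security Hub must therefore be enabled, as the security-hub.md hunk already does with its "Before collecting logs, ensure that Security Hub is enabled" line.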
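Review bot: In PATCH 2/4, inspector.md hunk `@@ -56,7 +116,7 @@`, the new heading `### Method 2: Inspector > EventBridge > Sumo Logic via HTTP (Alternative)` contradicts both its own body ("This method uses an AWS Lambda function to process, store, and forward logs") and the TOC entry in the earlier hunk, whose label reads `Method 2: Inspector > Lambda Function > Sumo Logic via HTTP`. As written, Method 1 and Method 2 have identical headings apart from "(Preferred)" and "(Alternative)". Change the heading to "Inspector > Lambda Function > Sumo Logic via HTTP (Alternative)" and regenerate the TOC anchor, which is currently `#method-2-inspector--eventbridge--sumo-logic-via-http-alternative` and would otherwise break. The context lines `To deploy an AWS Security Hub app collector:` in the Method 2 and Method 3 hunks of the same file are another copy-over from the Security Hub page and should name the Inspector collector.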
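Review bot: In PATCH 2/4, security-hub.md hunk `@@ -163,18 +219,18 @@`, the new heading `### Method 1: Security Hub CSPM> EventBridge > Sumo Logic via HTTP (Preferred)` is missing the space before `>`, and the TOC anchor `#method-1-security-hub-cspm-eventbridge--sumo-logic-via-http-preferred` does not match the slug the heading generates. PATCH 3/4 and PATCH 4/4 repair these one at a time under the generic message "Update security-hub.md"; squash both into PATCH 2/4 so no commit in the series ships a broken in-page link, and give the combined commit a message that says what changed. Separately, the TOC label says "AWS Security Hub CSPM > EventBridge" while the heading drops "AWS"; Method 2 in the same hunk uses "AWS Security Hub CSPM" in both places, so align Method 1 with it.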
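Review bot: In PATCH 2/4, the hunks that re-add the sample log and sample query in inspector.md (`@@ -14,15 +14,75 @@`) and security-hub.md (`@@ -29,6 +29,62 @@`) carry the same defects as the blocks they move, and the move is the right moment to fix them. The JSON sample has stray spaces inside identifiers, for example `"ProductArn": "arn:aws:securityhub:us-west- 2:123456789012:provider:private/default"`, `"CreatedAt": "2018-11- 06T13:22:13.933Z"` and `"Id": "arn:aws:ec2:us-west-2: 123456789012:instance:i- 01234567890abcefa"`, so it is not a finding Security Hub would ever emit, and the instance ID differs between Title, Description and Resources. In the query, every `parse regex` group is written as `(?.*?)`, with no group name, yet the final `| min(severity_normalized), ... by resource_type` aggregates on a `resource_type` field that no parse statement defines as shown; Sumo Logic parse regex needs named capture groups, so name them (the `"Type"` group as `resource_type`, and the others consistently) and re-indent the `json` field list, whose continuation lines are currently indented inconsistently.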