Demonstrates sending AWS Security Hub findings to your Slack WorkSpace
This is the companion GitHub repository for the AWS blog post https://aws.amazon.com/blogs/apn/how-to-enable-custom-actions-in-aws-security-hub/
This repo will introduce you to the process of creating AWS Security Hub a custom action by sending findings to Slack. After reading this blog you will understand the process to create your own custom actions for utilization in your Security Operations play books.
Send to Slack Custom Action
- AWS Security Hub is enabled
- Membership in a Slack workspace (https://get.slack.help/hc/en-us/articles/212675257-Join-a-Slack-workspace)
Create an incoming Webhook in Slack API
- Go to your Slack API web page to create the Webhook (https://api.slack.com/incoming-webhooks#create_a_webhook)
- Click on Create Your Slack App button
- Click on Create New App button
App Name: "SecurityHubToSlack" Development Slack Workspace: "Slack workspace that will receive the Security Hub Findings"
- Click on the Create App Button
- Select Incoming Webhooks
- At the “Activate Incoming Webhooks” Screen
- Move the slider from OFF to ON
- Scroll down and Add New Webhook to Workspace
- Select the Slack Channel in your Slack Workspace that the Security Hub findings will be posted to and select Authorize (suggestion “#alerts”)
- On the next screen, scroll down to the Webhook URL section and click the Copy button, so we can use it as input in our CloudFormation template
Launch Cloud Formation Template . This CloudFormation template will create a Lambda Function that utilizes Slack’s Webhook API feature, as well as a CloudWatch Event Rule to send findings from Security Hub’s custom actions to Slack.
- Download CloudFormation template by right clicking on “SecurityHubFindingsToSlack.json” and “Save Link As..” on your local machine
- Navigate to https://console.aws.amazon.com/cloudformation/
- Select Create stack
- Select Upload a template file
- Select Choose file and locate “SecurityHubFindingsToSlack.json” on your local machine
- Select Next
- Use the following values to fill out Create Stack parameters
StackName: EnableSecurityHubFindingsToSlack IncomingWebHookURL: Paste URL that you just copied from Slack API pages SlackChannel: Enter the same Slack Channel name that you chose above (#alerts) MinSeverityLevel: Choose the minimum Severity Level you want to be notified in Slack, example HIGH would only send high severity findings, LOW sends all findings
- Select Next, fill out any Tags and select Next again
- Accept IAM Resource creation
- Select Create Stack, CloudFormation will then begin creating the stack
- Wait for the CloudFormation console to report stack creation complete
Create Security Hub Custom Actions .
- In the Security Hub navigation pane (https://console.aws.amazon.com/securityhub/) select Settings then choose the Custom Actions tab.
- Select Create custom action.
- Then in the Create custom action pop up, specify the action name, description and ID then choose OK to create the action.
Name: Send to Slack Description: This custom action sends selected findings as channel in a Slack Workspace Custom action ID: SendToSlack
Testing the Send to Slack Custom Action
- Navigate to AWS Security Hub Console (https://console.aws.amazon.com/securityhub/)
- Navigate to Findings
- Select the check box next to one or more findings
- Click the drop-down Actions menu and choose the Send To Slack Custom Action
The Security Hub Console will then send the finding to your Slack channel, you should then receive a notification in your Slack channel