feature request - AWS SecurityHub integration #92

Open
gebailey opened this issue Jan 9, 2019 · 8 comments · May be fixed by #650

Comments

@gebailey gebailey (Collaborator) commented Jan 9, 2019

AWS recently announced SecurityHub at re:Invent, and it appears to be a dashboard that presents security findings originating from third-party security tools, or from manually imported findings.

It'd be great to see ScoutSuite optionally produce a JSON output file containing findings in the AWS SecurityHub findings format that could be directly imported into SecurityHub, or perhaps ScoutSuite could directly import the findings via the SecurityHub API, bypassing the intermediate JSON file.

I'm working on a script to manually generate SecurityHub findings for a subset of ScoutSuite findings, but I imagine this could prove useful to a greater audience, at least for AWS environments.

@j4v j4v (Collaborator) commented Feb 7, 2019

> I'm working on a script to manually generate SecurityHub findings for a subset of ScoutSuite findings, but I imagine this could prove useful to a greater audience, at least for AWS environments.

Thanks @gebailey, if you do write such a script please do share it and we can think of how to integrate it in Scout. Or maybe have a folder with tools/integrations?

@j4v j4v added this to the Medium-Term Milestone milestone Jun 20, 2019
@klauern klauern (Collaborator) commented Feb 13, 2020

Oh, this would be useful as well for us. Any chance you have a branch or fork that points to this integration? We might be able to help with it.

@j4v j4v (Collaborator) commented Feb 14, 2020

@JJmako any details you can share?

@JJmako JJmako (Collaborator) commented Feb 14, 2020

Hi guys. I am doing this work right now. I can't continue developing this today (because of some work tasks >.<) but I will continue next Monday.
I am writing an external tool (a .py) to parse the data. The amount of information is really huge, so all help is welcome.

I will upload my local branch today (I don't have much done yet).

Thank you for your interest @klauern , I expect to have this ready as soon as possible.

@j4v j4v linked a pull request that will close this issue Feb 14, 2020
@rracterr rracterr (Collaborator) commented Feb 15, 2020

Possibly a better design... why not simply call batch_import_findings and shove them straight into the Security Hub API of the account being scanned?

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/securityhub.html#SecurityHub.Client.batch_import_findings

@j4v j4v (Collaborator) commented Feb 16, 2020

@rracterr I believe that's what is being done.

i.e.:

  • take a JSON results file
  • convert findings to Security Hub format
    • these can be outputted or processed if there's additional requirements
  • upload them to Security Hub through the API

@rscottbailey rscottbailey commented Feb 17, 2020

This is the approach used at GoDaddy. With respect to "...these can be outputted or processed if there's additional requirements", here are some of the transformations we make during this process. This is mentioned to get people thinking about how to enable them, not because I want to see it all implemented in the first iteration. ;-)

  • "upload" actually is "scan, update, overwrite [using batch_import_findings]" so that properties such as CreatedAt, FirstObservedAt, and additional stuff used to manage exception tracking are preserved;
  • finding ids are generated mechanically from path most of the time, but we override some where the result is nonsensical or duplicative or excessively long-winded;
  • we are investigating using name tags instead of object ids for some findings so that rolling an instance (for example) doesn't generate a "new" finding that really isn't;
  • we do a lot of severity twiddling... we adjust some findings because our policy diverges from the default severity; some are adjusted based on presence of specific tags on the related resource; findings with approved exceptions are reduced to 0 (Informational)
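An added example (not code from the thread, ScoutSuite or the linked PR) that sketches the pipeline j4v listed above (ScoutSuite JSON in, ASFF findings out, ready for batch_import_findings) together with two of the transformations described in this comment: mechanical finding ids derived from the item path, preserving CreatedAt/FirstObservedAt for findings already in Security Hub, and dropping approved exceptions to INFORMATIONAL. The shape of the ScoutSuite results dict, the severity mapping and the product ARN are assumptions, and the input is a constructed sample.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample in the shape of a ScoutSuite results file (assumption:
# services.<svc>.findings.<rule> carrying level, description and flagged item paths).
SCOUT_RESULTS = {
    "account_id": "123456789012",
    "services": {"s3": {"findings": {"s3-bucket-no-logging": {
        "description": "Bucket access logging disabled",
        "level": "warning",
        "items": ["s3.buckets.my-logs", "s3.buckets.my-data"]}}}},
}
SEVERITY = {"danger": "HIGH", "warning": "MEDIUM"}  # assumed policy mapping


def finding_id(account_id, rule, item_path):
    # Stable id derived mechanically from the rule and item path, so a re-scan
    # produces the same Id and updates the existing finding instead of a new one.
    digest = hashlib.sha256(f"{rule}|{item_path}".encode()).hexdigest()[:16]
    return f"scoutsuite/{account_id}/{rule}/{digest}"


def to_asff(results, region, product_arn, exceptions=(), now=None):
    """Convert ScoutSuite findings into ASFF dicts accepted by batch_import_findings."""
    now = now or datetime.now(timezone.utc).isoformat()
    account = results["account_id"]
    out = []
    for _svc, data in results["services"].items():
        for rule, f in data.get("findings", {}).items():
            for path in f.get("items", []):
                fid = finding_id(account, rule, path)
                # Findings with an approved exception are reduced to INFORMATIONAL.
                label = "INFORMATIONAL" if fid in exceptions else SEVERITY.get(f["level"], "LOW")
                out.append({
                    "SchemaVersion": "2018-10-08", "Id": fid, "ProductArn": product_arn,
                    "GeneratorId": f"scoutsuite/{rule}", "AwsAccountId": account,
                    "Types": ["Software and Configuration Checks"],
                    "CreatedAt": now, "UpdatedAt": now, "FirstObservedAt": now,
                    "Severity": {"Label": label}, "Title": rule,
                    "Description": f["description"],
                    "Resources": [{"Type": "Other", "Id": path, "Region": region}],
                })
    return out


def merge_existing(new, existing):
    """Keep CreatedAt/FirstObservedAt from findings already present in Security Hub."""
    by_id = {e["Id"]: e for e in existing}
    for f in new:
        old = by_id.get(f["Id"])
        if old:  # overwrite on import, but do not reset the first-seen timestamps
            f["CreatedAt"] = old["CreatedAt"]
            f["FirstObservedAt"] = old.get("FirstObservedAt", old["CreatedAt"])
    return new
```

In practice `existing` would be fetched with the Security Hub `get_findings` API for the same ProductArn, and the merged list sent with `batch_import_findings` in batches of at most 100 findings per call.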

@j4v j4v (Collaborator) commented Feb 19, 2020

@rscottbailey any code you can share?
