AWS Security Hub Integration with Zero Trust Alarms

Home Top

• Overview
• Support Statement
• Limitations
• Solution Overview
• What is AWS Security Hub?
• Integration Architecture
• Solution Configuration in AWS Security Hub and Defender Zero Trust
• Prerequisites
• Configuration in AWS Security Hub
• Configuration Steps on Eyeglass Virtual Machine
• High Level steps
• Configuration Step by Step
• Configure Defender Zero Trust Webhooks
• How to test the Integration with AWS Security Hub
• AWS Security Hub SecOps Integration Experience

 

Overview

Customers using AWS Security Hub to aggregate Cloud alarms and on premise security events can now integrate Superna products with native AWS Security Hub API integration to translate Zero Trust API alerts sent by Webhooks into native Findings within the Security Console.  This guide will walk through how to set up a Zero Trust to AWS Security hub finding sync process that operates in real time.

Support Statement

1. NOTE:  This documentation is provided "as is" without support for 3rd party software.  The level of support for this integration guide is best effort without any SLA on response time.  No 3rd party product support can be provided by Superna directly.  3rd party components require support contracts

Limitations

1. The update finding API methods are not supported in this solution guide.  This means the last Zero trust alert sent to create the Finding will be used by Security Hub.

Solution Overview

Superna Defender Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR and XDR platforms.   Automation begins with data that summarizes the threat and places that information into a security tools to be acted on by Secops and run playbooks to protect corporate IT assets from vulnerabilities and insider or external attackers.   In order to allow a Security Hub to act on the data from an external tool it is vital to field map data from one alert to the schema used within the Security Hub.  This guide will cover basic field mapping used to push Zero Trust Defender alerts into AWS security Hub.

What is AWS Security Hub?

Suggested reading

1. Overview of Security Hub
2. Benefits of Security Hub
3. Accessing Security Hub

Integration Architecture

Solution Configuration in AWS Security Hub and Defender Zero Trust

Prerequisites

1. Installed Ransomware Defender and or Easy Auditor or Defender for AWS
2. Eyeglass OS appliance version 15.5
   1. cat /etc/os-release
3. License key for the Zero Trust API 
4. Activate the Security Hub service in your AWS account

Configuration in AWS Security Hub

Once the Security hub service is activated the home region needs to be decided.  This is the region where Zero trust API findings will be sent.  Security hub allows aggregation of findings across different regions but the main region is where 3rd parties should integrate the custom findings.  The Security Hub custom API and custom findings requires customers to use an account specific ARN.    This is created as follows:

1. The custom ARN used to identify the Findings created by Superna Defender require an ARN,  replace the yellow highlighted values as follows:
   1. The account ID of your AWS account where Security Hub is activated in the example below this is 123456
   2. The primary region for Security Hub findings in this example below it is us-east-2, replace with a value that makes sense in your environement.
   3. example arn:aws:securityhub:us-east-2:123456:product/123456/default
   4. This value will be used in the configuration below.
2. Create minimum permissions IAM user in the main region to be used by the integration application
   1. an IAM user can be created for the Integration.  AWS has a built in role AWSSecurityHubFullAccess.  This was used in this guide. 
      1.  
   2. To create a role with the minimum permissions here is an example below, additional permissions can be added for integrations as needed.

Configuration Steps on Eyeglass Virtual Machine

High Level steps

1. Create python location to run the application on the Eyeglass vm
2. Create python main application script
3. Create linux systemd service and set to auto start
4. Create Zero Trust configuration in Defender
5. update the main script to customize with AWS Security hub custom findings ARN
6. Test the script is running as a service
7. Create a test event in Defender to validate the alerts appear as Findings in AWS Security Hub

Configuration Step by Step

Configure the Service start and python integration files

1. Login to eyeglass vm using ssh as the admin user to create zero trust application
   1. sudo -s 
   2. mkdir -p /opt/superna/cgi-bin
   3. touch /opt/superna/cgi-bin/ztWebhook.py
   4. touch /opt/superna/cgi-bin/ztWebhook.sh
   5. sca:users /opt/superna/cgi-bin/ztWebhook.*
   6. chmod +x  /opt/superna/cgi-bin/ztWebhook.py 
   7. chmod +x  /opt/superna/cgi-bin/ztWebhook.sh 
2. Create systemd configuration
   1. nano  /etc/systemd/system/ztWebhook.service
   2. Copy the values below and Paste these contents into the file opened in nano editor in the step above
   3. Save the file 
      1. press control+x
      2. Answer yes to save and exit
3. Restart systemd
   1. systemctl daemon-reload
4. Set to enabled
   1. systemctl enable ztWebhook
5. Create splunk.sh service script
   1. Copy the values below
      1. nano /opt/superna/cgi-bin/ztWebhook.sh
   2. paste the script values below into the nano editor
   3. Save the file
      1. press control+x
      2. Answer yes to save and exit the editor

1. Once the script is created below.  Do not start the service at this step.
2. Done

3. Now install required python packages for the SCA users that will run the service.  NOTE this is the same user that runs the main eyeglass application code.
   3. su - sca
   4. pip3 install flask
   5. pip3 install boto3
   6. pip3 install requests
   7. exit 
   8. NOTE: you must type exit to ensure you are the root user for the remaining steps.  Type whoami to make sure you are the root user.
4. Customize the application code by downloading the python code from this link to download
   3. Open the python template file in a text editor. NOTE: make sure to only replace the values and do not delete any of the commas
   4. Locate this section in the file
      3.  
      4. Replace the xxxx and yyyy and us-east-2 in both locations with the main region you have selected for Security Hub integration.  The xxxx and yyyy are the authentication keys created in the steps above within the IAM user configuration.
   5. Locate this section in the file and update the product ARN that was documented above
      3.  
      4. replace the 123456 with your account id and update the region to match your selected main region.
   6.  Save the file as ztWebhook.py. (NOTE:  The file name must match the exact case and name for the documented steps to work correctly)
   7. Paste the updated script into the production file
      3. nano /opt/superna/cgi-bin/ztWebhook.py
      4. Open the file locally in Windows OS notepad and use control-A or select all the text.
      5. Paste the clipboard into the ssh terminal session with the open nano editor file
      6. save the file
         3. press control+x
         4. Answer yes to save and exit nano editor
5. Start the service and verify it is running
   3. systemctl start ztWebhook
   4. systemctl status -l ztWebhook
   5. Verify the service is started successfully and returns "active and running".  If the service does not start do not proceed and double check the steps above are completed. 
      

Configure Defender Zero Trust Webhooks

1. The next step creates an Zero Trust Webhook URL.    
   
   1. Configure Zero Trust endpoint in Ransomware Defender Zero Trust tab.
      1. Recommended Configuration: Only Critical and Major events and only the webhooks that set lockout or delayed lockout.   Customers can customize based on specific requirements. The goal is to send findings versus a list of alarms that do not pinpoint a security incident.
      2.  
      3. The endpoint url above will use localhost and will send Webhooks to the application service listening on port 5000. URL to use in the configuration
         1. http://localhost:5000/awssechub
         2. Add the Content-Type header with value of application/json as shown above to complete the webhook configuration.
         3. Click save to commit the configuration.
         4. Click save on the main Webhook configuration page
2. Test the configuration is working following the next section

How to test the Integration with AWS Security Hub

1. To test the integration follow these steps
   1. download this curl command template and open with a text editor
   2. Copy all the text
   3. ssh to the eyeglass vm as the admin user
   4. paste the entire cli command to the ssh prompt to send sample data to the running Zero Trust application.  This will send test data directly to the application to be processed and sent to AWS Security Hub.
   5. The output of a successfully processed webhook test will return this text in the ssh terminal
      1. done sending AWS secops API call check for http 200 and success count in response
   6. How to review the process logs from the web application
      1. sudo -s 
      2. journalctl -f -u ztWebhook 
      3. This allows you to view the logs generated by the application.
      4. To log to a file and review with nano showing only the most recent 250 lines.
      5. journalctl -f -n 250 -u ztWebhook  > /tmp/ztwebhook.log
      6. nano /tmp/ztwebhook.log
      7. In the log below the response code from the AWS Security Hub api call should show http 200 status code and successCount 1 to indicate the Finding was successfully created.
      8.   
   7. Login to the AWS Security Hub Main Dashboard to view the new Finding
      1.   
2. Note in order to repeat the test again you need to mark the Finding as resolved in the AWS Security Hub application
3. Then edit the curl command to increase the Finding unique value in the curl command.   See below.
   1.  
   2. Edit the value and increase the number by 1 and run the curl command again to run a second test.  NOTE: Each finding requires a unique ID per finding.  The production ID is auto incremented by Defender, in a test scenario is it necessary to update this manually. 
4. Done

AWS Security Hub SecOps Integration Experience

1. Once the integration is completed and working the SecOps administrators can view new Findings generated by critical security incidents in Defender for AWS or Ransomware Defender.
   1.  
   2. Click on the "Superna Ransomware Defender Security Finding" to see additional Finding details that are mapped to Standard Finding field Schema
      1.  
      2. 
         
         
   3. Click on the Cyber Storage Event.  This section is fully customized leverage rich data available in Superna Zero Trust Webhook payloads.  There is additional data that can be integrated into the Findings.  This is a simple example integration with key data elements integrated to the Finding
      1.  
2. SecOps teams can use this data to effectively triage and action the Finding to dispatch teams to respond to the incident with specific information such as:
   1. AD user affected
   2. Protocol detected
   3. Number of files involved in the incident
   4. Source ip address of the affected host
   5. List of SMB shares that contain infected shares
   6. Status of the incident
   7. Detection time
   8. Device type and cluster name affected.
3. SecOps teams can now fully use AWS Security Hub features to integrate Cyberstorage protected storage on premise threats and cloud threats to the aggregation. 

© Superna Inc