Ingest AWS Security Hub security findings

Latest Dynatrace Preview

In the following, you'll learn how to ingest security findings from AWS Security Hub into Grail and analyze them on the Dynatrace platform.

Goal

  • Get insights from Dynatrace for AWS Security Hub security findings.
  • Visualize, analyze, and automate security findings uniformly on the Dynatrace platform.

How it works


Security finding events from AWS Security Hub are ingested into Dynatrace via a dedicated OpenPipeline security ingest endpoint, using Amazon EventBridge event forwarding that is set up with an AWS CloudFormation template.

The OpenPipeline ingest endpoint processes and maps the security findings according to the Semantic Dictionary conventions.

The resulting events are stored in the Grail bucket default_security_custom_events (for details, see Built-in Grail buckets).

Prerequisites

See below for the AWS Security Hub and Dynatrace requirements.

AWS Security Hub requirements

  • Install and configure the latest AWS CLI.

  • Select the AWS region where you want to create the AWS Security Hub event forwarder.

    1. In a terminal, run:

      aws configure
    2. Set your default region (for example, us-east-1).

Dynatrace requirements

  • Generate an access token for security events ingestion with the openpipeline.events_security scope and save it for later.

Get started

To set up AWS Security Hub ingestion, follow the steps below.

  1. Download the Dynatrace CloudFormation template from GitHub.

  2. Set up the secret with the OpenPipeline API token.

    Run the following command, making sure to replace <Token> with the access token you created in Prerequisites.

    Optional: You can customize the AwsSecretKeyName variable. If not set, it defaults to DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN.

    aws secretsmanager create-secret \
    --name dynatrace-aws-security-hub-event-forwarder-open-pipeline-ingest-api-token \
    --description "Dynatrace Token, which allows data to be sent to the OpenPipeline endpoint." \
    --secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<Token>"}'
  3. Deploy the CloudFormation template and AWS resources.

    Run the following command, making sure to replace:

    • The AwsSecretArn variable with the ARN of the secret created in the previous step.
    • The DynatraceDomain variable with the URL of your Dynatrace environment.

    Optional: You can customize the DynatraceOpenPipelineEndpointPath variable. If not set, it defaults to /platform/ingest/v1/events.security.

    aws cloudformation deploy \
    --template-file ./dynatrace_aws_security_hub_event_forwarder_template.yaml \
    --stack-name dynatrace-aws-security-hub-event-forwarder \
    --parameter-overrides \
    "AwsSecretArn"="arn:aws:secretsmanager:us-east-1:12345678:secret:dynatrace-aws-security-hub-event-forwarder-open-pipeline-ingest-api-token-testxyz" \
    "DynatraceDomain"="https://{your-environment-id}.live.dynatrace.com" \
    --capabilities CAPABILITY_NAMED_IAM

Visualize and analyze findings

Once you ingest your AWS Security Hub data into Grail, you can visualize and analyze findings by creating your own dashboards or using the sample dashboards.

For instructions, see Visualize and analyze findings.

Automate and orchestrate findings

You can create your own workflows or use our sample workflows to automate and orchestrate findings.

For instructions, see Automate and orchestrate findings.

Query ingested data

You can query ingested data in Notebooks or Security Investigator using the data format described in the Semantic Dictionary.

Support and mapping

For AWS, Dynatrace supports the following security event types:

  • Vulnerability
  • Detection
  • Compliance (experimental)

AWS Security Hub event types (the value of a finding's Types field) are mapped to Dynatrace finding types as follows:

Vulnerability findings
  • Software and Configuration Checks/Vulnerabilities/CVE

Detection findings
  • TTPs/Initial Access
  • TTPs/Execution
  • TTPs/Persistence
  • TTPs/Privilege Escalation
  • TTPs/Defense Evasion
  • TTPs/Credential Access
  • TTPs/Discovery
  • TTPs/Lateral Movement
  • TTPs/Collection
  • TTPs/Command and Control
  • Effects/Data Exposure
  • Effects/Data Exfiltration
  • Effects/Data Destruction
  • Effects/Denial of Service
  • Effects/Resource Consumption
  • Unusual Behaviors/Application
  • Unusual Behaviors/Network Flow
  • Unusual Behaviors/IP address
  • Unusual Behaviors/User
  • Unusual Behaviors/VM
  • Unusual Behaviors/Container
  • Unusual Behaviors/Serverless
  • Unusual Behaviors/Process
  • Unusual Behaviors/Database
  • Unusual Behaviors/Data

Compliance findings
  • Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices
  • Software and Configuration Checks/Industry and Regulatory Standards/CIS Host Hardening Benchmarks
  • Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark
  • Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS
  • Software and Configuration Checks/Industry and Regulatory Standards/Cloud Security Alliance Controls
  • Software and Configuration Checks/Industry and Regulatory Standards/ISO 90001 Controls
  • Software and Configuration Checks/Industry and Regulatory Standards/ISO 27001 Controls
  • Software and Configuration Checks/Industry and Regulatory Standards/ISO 27017 Controls
  • Software and Configuration Checks/Industry and Regulatory Standards/ISO 27018 Controls
  • Software and Configuration Checks/Industry and Regulatory Standards/SOC 1
  • Software and Configuration Checks/Industry and Regulatory Standards/SOC 2
  • Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls (USA)
  • Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)
  • Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)
  • Software and Configuration Checks/Industry and Regulatory Standards/IRAP Controls (Australia)
  • Software and Configuration Checks/Industry and Regulatory Standards/K-ISMS Controls (Korea)
  • Software and Configuration Checks/Industry and Regulatory Standards/MTCS Controls (Singapore)
  • Software and Configuration Checks/Industry and Regulatory Standards/FISC Controls (Japan)
  • Software and Configuration Checks/Industry and Regulatory Standards/My Number Act Controls (Japan)
  • Software and Configuration Checks/Industry and Regulatory Standards/ENS Controls (Spain)
  • Software and Configuration Checks/Industry and Regulatory Standards/Cyber Essentials Plus Controls (UK)
  • Software and Configuration Checks/Industry and Regulatory Standards/G-Cloud Controls (UK)
  • Software and Configuration Checks/Industry and Regulatory Standards/C5 Controls (Germany)
  • Software and Configuration Checks/Industry and Regulatory Standards/IT-Grundschutz Controls (Germany)
  • Software and Configuration Checks/Industry and Regulatory Standards/GDPR Controls (Europe)
  • Software and Configuration Checks/Industry and Regulatory Standards/TISAX Controls (Europe)

Limit ingestion

By default, once you set up the Dynatrace integration, all AWS event types are ingested into Dynatrace.

To limit ingestion to a specific event type, you need to set up filters for your Dynatrace AWS Security Hub event forwarder Lambda function in EventBridge.

  1. In your AWS console, go to Lambda > Functions and select the Dynatrace AWS Security Hub event forwarder function.
  2. In Configuration, edit the event pattern for the trigger.

Example filters:

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"]
    }
  }
}
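As an added example (not Dynatrace's or AWS's code), the following Python encodes the Support and mapping table above and a simplified version of the EventBridge pattern matching used by the filter in this section; it treats every standard under Software and Configuration Checks/Industry and Regulatory Standards/ as a compliance finding, which is consistent with every row of the table. The sample event and its finding Ids are constructed for the example.

```python
# Namespace/category pairs that map to Detection findings in the table above.
_DETECTION = {
    "TTPs": {"Initial Access", "Execution", "Persistence", "Privilege Escalation",
             "Defense Evasion", "Credential Access", "Discovery",
             "Lateral Movement", "Collection", "Command and Control"},
    "Effects": {"Data Exposure", "Data Exfiltration", "Data Destruction",
                "Denial of Service", "Resource Consumption"},
    "Unusual Behaviors": {"Application", "Network Flow", "IP address", "User", "VM",
                          "Container", "Serverless", "Process", "Database", "Data"},
}
_VULN = "Software and Configuration Checks/Vulnerabilities/CVE"
_COMPLIANCE_PREFIX = "Software and Configuration Checks/Industry and Regulatory Standards/"


def classify(finding_type):
    """Return 'Vulnerability', 'Detection', 'Compliance', or None for one
    Security Hub Types value; None means the type is not in the mapping table."""
    if finding_type == _VULN:
        return "Vulnerability"
    if finding_type.startswith(_COMPLIANCE_PREFIX):
        return "Compliance"
    namespace, _, category = finding_type.partition("/")
    if category in _DETECTION.get(namespace, ()):
        return "Detection"
    return None


def matches(pattern, value):
    """Simplified EventBridge matcher (assumption: exact-value rules only).
    A pattern leaf is a list of allowed values; an event leaf may be a scalar
    or a list and matches on any overlap; an array of objects (detail.findings)
    matches if any element satisfies the sub-pattern."""
    if isinstance(pattern, list):
        values = value if isinstance(value, list) else [value]
        return any(v in pattern for v in values)
    if isinstance(value, list):
        return any(matches(pattern, item) for item in value)
    if not isinstance(value, dict):
        return False
    return all(k in value and matches(sub, value[k]) for k, sub in pattern.items())


# The CVE-only filter from the Limit ingestion section.
CVE_ONLY = {"source": ["aws.securityhub"],
            "detail-type": ["Security Hub Findings - Imported"],
            "detail": {"findings": {"Types": [_VULN]}}}

# Constructed sample event in the shape EventBridge delivers for Security Hub.
SAMPLE_EVENT = {"source": "aws.securityhub",
                "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [{"Id": "example-1", "Types": [_VULN]},
                                        {"Id": "example-2", "Types": ["TTPs/Discovery"]}]}}
```

Because detail.findings is an array, the filter passes the whole event as soon as one finding in it carries a matching Types value; use classify on each finding if you need per-finding handling downstream.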

Stop sending events

To stop sending events to Dynatrace, run the following command, which removes the Dynatrace resources created for this integration.

aws cloudformation delete-stack --stack-name dynatrace-aws-security-hub-event-forwarder

Consumption

For billing information, see Events powered by Grail.