Ingest AWS Security Hub security findings

Latest Dynatrace Preview

In the following, you'll learn how to ingest security findings from AWS Security Hub into Grail and analyze them on the Dynatrace platform.

Goal

  • Get insights from Dynatrace for AWS Security Hub security findings.
  • Visualize, analyze, and automate security findings uniformly on the Dynatrace platform.

How it works


Security finding events from AWS Security Hub are delivered by Amazon EventBridge to a dedicated OpenPipeline security ingest endpoint in Dynatrace. The forwarding resources on the AWS side are created with an AWS CloudFormation template.

The OpenPipeline ingest endpoint processes the findings and maps them to the Semantic Dictionary conventions.

The resulting security events are stored in the Grail bucket default_security_custom_events (for details, see: Built-in Grail buckets).

Prerequisites

See below for the AWS Security Hub and Dynatrace requirements.

AWS Security Hub requirements

  • Enable Security Hub.

  • Install and configure the latest AWS CLI.

  • Select the AWS region where you want to create the AWS Security Hub event forwarder. EventBridge rules are regional, so this must be the region in which Security Hub publishes the findings you want to forward (the aggregation region, if you use cross-Region aggregation).

    1. In a terminal, run:

      aws configure
    2. Set your default region (for example, us-east-1).

Dynatrace requirements

  • Generate an access token for security events ingestion with the openpipeline.events_security scope and save it for later.

Get started

To set up AWS Security Hub ingestion, follow the steps below.

  1. Download the Dynatrace CloudFormation template from GitHub.

  2. Set up the secret with the OpenPipeline API token.

    Run the following command, making sure to replace <your_Api_Token> with the access token created in Prerequisites. The command output includes the ARN of the new secret; you need it in the next step. A token given on the command line is recorded in your shell history; to avoid that, put the JSON in a file and pass --secret-string file://<path> instead.

    optional You can use a different key name inside the secret JSON; if you do, pass it as the AwsSecretKeyName parameter when deploying the template. If not set, it defaults to DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN.

    aws secretsmanager create-secret \
    --name dynatrace-aws-security-hub-event-forwarder-open-pipeline-ingest-api-token \
    --description "Dynatrace Token, which allows data to be sent to the OpenPipeline endpoint." \
    --secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<your_Api_Token>"}'
  3. Deploy the CloudFormation template and AWS resources.

    Run the following command, making sure to replace

    • The AwsSecretArn variable with the ARN of the secret created in the previous step
    • The DynatraceDomain variable with your Dynatrace environment domain, as a bare host name without https:// or a path (for example, {your-environment-id}.live.dynatrace.com)

    optional You can customize the DynatraceOpenPipelineEndpointPath variable. If not set, it defaults to /platform/ingest/v1/events.security.

    aws cloudformation deploy \
    --template-file ./dynatrace_aws_security_hub_event_forwarder_template.yaml \
    --stack-name dynatrace-aws-security-hub-event-forwarder \
    --parameter-overrides \
    "AwsSecretArn"="arn:aws:secretsmanager:us-east-1:12345678:secret:dynatrace-aws-security-hub-event-forwarder-open-pipeline-ingest-api-token-testxyz" \
    "DynatraceDomain"="{your-environment-id}.live.dynatrace.com" \
    --capabilities CAPABILITY_NAMED_IAM

Visualize and analyze findings

Once you ingest your AWS Security Hub data into Grail, you can create your own dashboards or use our sample dashboard to visualize and analyze findings.

For instructions, see Visualize and analyze findings.

Automate and orchestrate findings

You can create your own workflows or use our sample workflows to automate and orchestrate findings.

For instructions, see Automate and orchestrate findings.

Query ingested data

You can query ingested data in Notebooks or Security Investigator using the data format described in the Semantic Dictionary.

Stop sending events

To stop sending events to Dynatrace, run the following command, which deletes the CloudFormation stack and with it the AWS resources created for this integration.

aws cloudformation delete-stack --stack-name dynatrace-aws-security-hub-event-forwarder

The secret created in Secrets Manager during setup is not part of the stack and is not deleted with it; remove it separately if you no longer need it, and revoke the corresponding Dynatrace access token.
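The setup steps under Get started and the teardown above, combined into one script. This is an added example, not Dynatrace's own tooling: it checks the inputs before any AWS call is made, captures the secret ARN from the create-secret output instead of having you copy it, keeps the token out of shell history by passing it through a temporary file, and removes the secret during teardown because the stack does not own it. It assumes the template file name and parameter names shown on this page, that AwsSecretKeyName is accepted as a template parameter, and that the token is supplied in the DT_API_TOKEN environment variable (a name chosen for this example).

```shell
#!/bin/sh
# Added example (not Dynatrace's own tooling). Assumptions: template file and
# parameter names as shown on this page; AwsSecretKeyName is a template
# parameter; the token is supplied via DT_API_TOKEN (example-specific name).
set -eu

STACK_NAME="dynatrace-aws-security-hub-event-forwarder"
SECRET_NAME="dynatrace-aws-security-hub-event-forwarder-open-pipeline-ingest-api-token"
TEMPLATE_FILE="./dynatrace_aws_security_hub_event_forwarder_template.yaml"
SECRET_KEY_NAME="${SECRET_KEY_NAME:-DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN}"

# DynatraceDomain must be a bare host such as abc12345.live.dynatrace.com.
# Reject a scheme, a path, whitespace or an empty value up front.
validate_domain() {
  case "$1" in
    "" | *://* | */* | *" "*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON stored in the secret. The key name is what the forwarder reads, so it
# must match the AwsSecretKeyName parameter passed to the deploy.
secret_json() {
  printf '{"%s": "%s"}' "$1" "$2"
}

# Accept only Secrets Manager ARNs for the AwsSecretArn parameter.
is_secret_arn() {
  case "$1" in
    arn:aws:secretsmanager:*:*:secret:*) return 0 ;;
    *) return 1 ;;
  esac
}

setup() {
  domain="$1"
  token="${DT_API_TOKEN:?set DT_API_TOKEN to the openpipeline.events_security token}"
  validate_domain "$domain" || { echo "DynatraceDomain must be a bare host, got: $domain" >&2; return 2; }

  # Everything below is created in the CLI's configured region; EventBridge
  # rules are regional, so Security Hub must be enabled there.
  region=$(aws configure get region || true)
  aws securityhub describe-hub >/dev/null 2>&1 \
    || { echo "Security Hub is not enabled in region ${region:-<unset>}" >&2; return 4; }

  # Write the token to a 0600 temp file and let the CLI read it, so it never
  # appears on the command line, in shell history or in the process list.
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  secret_json "$SECRET_KEY_NAME" "$token" > "$tmp"
  arn=$(aws secretsmanager create-secret \
    --name "$SECRET_NAME" \
    --description "Dynatrace Token, which allows data to be sent to the OpenPipeline endpoint." \
    --secret-string "file://$tmp" \
    --query ARN --output text)
  is_secret_arn "$arn" || { echo "unexpected ARN: $arn" >&2; return 3; }

  aws cloudformation deploy \
    --template-file "$TEMPLATE_FILE" \
    --stack-name "$STACK_NAME" \
    --parameter-overrides \
      "AwsSecretArn=$arn" \
      "DynatraceDomain=$domain" \
      "AwsSecretKeyName=$SECRET_KEY_NAME" \
    --capabilities CAPABILITY_NAMED_IAM

  # List what the stack created so the rule and IAM role can be reviewed.
  aws cloudformation describe-stack-resources --stack-name "$STACK_NAME" \
    --query 'StackResources[].[ResourceType,PhysicalResourceId]' --output table
}

# Reverse of setup: delete the stack, wait for it, then delete the secret,
# which was created outside the stack and is therefore not removed with it.
teardown() {
  aws cloudformation delete-stack --stack-name "$STACK_NAME"
  aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME"
  # Without --force-delete-without-recovery the secret stays recoverable
  # for the default recovery window, which is the safer choice.
  aws secretsmanager delete-secret --secret-id "$SECRET_NAME"
}

# Usage: DT_API_TOKEN=dt0c01... sh forwarder.sh setup abc12345.live.dynatrace.com
#        sh forwarder.sh teardown
case "${1:-}" in
  setup) setup "$2" ;;
  teardown) teardown ;;
esac
```

Run the setup subcommand with the same CLI profile and default region you configured in Prerequisites; the describe-hub check fails fast if Security Hub is not enabled there, before any resource is created.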

Consumption

For billing information, see Events powered by Grail.