diff --git a/blog-service/2025-08-04-apps.md b/blog-service/2025-08-04-apps.md new file mode 100644 index 0000000000..0bc02e13c0 --- /dev/null +++ b/blog-service/2025-08-04-apps.md @@ -0,0 +1,12 @@ +--- +title: AWS Security Hub - OCSF (Apps) +image: https://help.sumologic.com/img/reuse/rss-image.jpg +keywords: + - apps + - aws-security-hub +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +We're excited to introduce the new AWS Security Hub - OCSF app for Sumo Logic, which enables you to gain real-time visibility into your security hub findings data. This app can help security teams identify threats, track compliance violations, and investigate affected resources with speed and clarity. [Learn more](/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf). diff --git a/cid-redirects.json b/cid-redirects.json index b39abf831b..a2812ea7f4 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -2920,6 +2920,7 @@ "/cid/21038": "/docs/integrations/containers-orchestration/vmware-tanzu-application-service", "/cid/10999": "/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source", "/cid/11000": "/docs/platform-services/automation-service/automation-service-playbooks", + "/cid/1105": "/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf", "/Cloud_SIEM_Enterprise": "/docs/cse", "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration", "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration", diff --git a/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf.md b/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf.md new file mode 100644 index 0000000000..3210ab9b8b --- /dev/null +++ b/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf.md @@ -0,0 +1,315 @@ +--- +id: aws-security-hub-ocsf +title: AWS Security Hub - OCSF +sidebar_label: AWS Security Hub - OCSF +keywords: [Open Cybersecurity Schema Framework, AWS Security Hub, Amazon OCSF, AWS integration service ] +description: This app offers a centralized, structured view into your AWS security findings using the Open Cybersecurity Schema Framework (OCSF). +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Thumbnail icon + +The **AWS Security Hub – OCSF** app offers a centralized, structured view into your AWS security findings using the Open Cybersecurity Schema Framework (OCSF). This app is designed to help security teams identify threats, track compliance violations, and investigate affected resources with speed and clarity. + +With pre-configured dashboards and in-depth visualizations, this app helps you to monitor findings by severity, region, account, and classification. You can assess security trends over time, evaluate cloud resource exposure, and analyze the effectiveness of your cloud security posture across multiple AWS services. + +Whether you need to investigate recent security events, track compliance gaps against key industry standards like PCI or NIST, or prioritize remediation by impacted resources, this app provides actionable insights in one place. Designed for both strategic oversight and tactical response, the app streamlines cloud security operations and supports better decision-making across teams. + +:::info +This app includes [built-in monitors](#aws-security-hub---ocsf-alerts). For details on creating custom monitors, refer to [Create monitors for AWS Security Hub - OCSF app](#create-monitors-for-aws-security-hub---ocsf-app). +::: + +## Log types + +The AWS Security Hub - OCSF app uses the [Security Hub Findings](https://docs.aws.amazon.com/securityhub/latest/userguide/security-hub-adv-ocsf-findings.html) log types. + +### Sample log message + +```json title="Findings" +{ + "version": "0", + "id": "994b02ab-3ee4-9576-abcb-6a920op2c085", + "detail-type": "Findings Imported V2", + "source": "aws.securityhub", + "account": "869728294964", + "time": "2025-07-22T03:03:15Z", + "region": "us-east-1", + "resources": [ + "1d24e91799652d9e17025b61d94f436b20b515b6f3cd9bda788f48c1db9cf244" + ], + "detail": { + "findings": [ + { + "activity_id": 2, + "activity_name": "Update", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "type": "AWS Account", + "type_id": 10, + "uid": "869728294964" + }, + "cloud_partition": "aws", + "provider": "AWS", + "region": "us-east-1" + }, + "comment": "John's testing", + "count": 264, + "evidences": [ + { + "api": { + "operation": "DeleteTrail", + "service": { + "name": "cloudtrail.amazonaws.com" + } + }, + "data": { + "affected_resource": { + "AWS::CloudTrail::Trail": "Aws-Observability-e2esumoqeui" + }, + "resource_role": "TARGET" + } + } + ], + "finding_info": { + "analytic": { + "type": "Rule", + "type_id": 1, + "uid": "b4c71b47fb852d3fc0e99a82fa2841aa" + }, + "created_time": 1729766226938, + "created_time_dt": "2024-10-24T10:37:06.938Z", + "desc": "AWS CloudTrail trail Aws-Observability-e2esumoqeui was disabled by cis_automation calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.", + "first_seen_time": 1729765286000, + "first_seen_time_dt": "2024-10-24T10:21:26.000Z", + "last_seen_time": 1753152734000, + "last_seen_time_dt": "2025-07-22T02:52:14.000Z", + "modified_time": 1753153354272, + "modified_time_dt": "2025-07-22T03:02:34.272Z", + "product": { + "uid": "b4c71b47fb852d3fc0e99a82fa2841aa" + }, + "title": "An AWS CloudTrail trail Aws-Observability-e2esumoqeui was disabled.", + "types": [ + "Stealth:IAMUser/CloudTrailLoggingDisabled" + ], + "uid": "arn:aws:guardduty:us-east-1:869728294630:detector/b4c71b47fb852d3fc0e99a82fa2841aa/finding/06c95f0cfdfd3b579b977e20e9da1aa4", + "uid_alt": "06c95f0cfdfd3b579b977e20e9da1aa4" + }, + "metadata": { + "product": { + "name": "GuardDuty", + "uid": "arn:aws:securityhub:us-east-1::productv2/aws/guardduty", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "1d24e91799652d9e17025b61d94f436b20b515b6f3cd9bda788f48c1db9cf244", + "version": "1.5.0" + }, + "remediation": { + "desc": "Please review the remediation guidance provided in the referenced documentation", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "data": { + "access_key_id": "ASIA4U76YS3TB3MEOA3O", + "principal_id": "AROA4U76YS3THXXBAIOOA:aws-go-sdk-1753152318418995274", + "user_name": "cis_automation", + "user_type": "AssumedRole" + }, + "name": "cis_automation", + "owner": { + "account": { + "type": "AWS Account", + "type_id": 10, + "uid": "869728294964" + } + }, + "region": "us-east-1", + "type": "AWS::IAM::AccessKey", + "uid": "ASIA4U76YS3TEOA3O" + } + ], + "severity": "Low", + "severity_id": 2, + "status": "Suppressed", + "status_id": 3, + "time": 1753153354272, + "time_dt": "2025-07-22T03:02:34.272Z", + "type_name": "Detection Finding: Update", + "type_uid": 200402, + "vendor_attributes": { + "severity": "Low", + "severity_id": 2 + } + } + ] + } +} +``` + +### Sample query + +```sql total="Total Findings" +_sourcecategory="yl/webhook" category_name activity_name +| json "detail.findings[0]" as finding nodrop +| json field=finding "finding_info.uid","finding_info.first_seen_time","finding_info.last_seen_time","finding_info.modified_time", "finding_info.modified_time_dt", "severity","cloud.account.uid","status","compliance.status","finding_info.types","cloud.region","class_name","finding_info.analytic.category","activity_name","metadata.product.name","metadata.product.vendor_name","resources[*]","finding_info.title","remediation.desc","remediation.references[0]","evidences[*].data.resource_role" as finding_id,finding_first_seen_time,finding_last_seen_time,finding_modified_time,finding_info_modified_time_dt,severity,aws_account_id,finding_status,compliance_status,finding_types,cloud_region,class_name,category_name,activity_name,product_name,vendor_name,resources,title,remediation_description,remediation_references,evidences_data_resource_roles nodrop +| topk(1, finding_modified_time) by finding_id +| parse regex field=resources "(?\{(?:[^\{\}]|\{(?:[^\{\}]|\{[^\{\}]*\})*\})*\})" multi +| json field=resource "type","uid","name","owner.account.uid","region" as resource_type,resource_name,resource_title,resource_account_id,resource_region nodrop + +// global filters +| where if ("{{aws_account_id}}" = "*", true, aws_account_id matches "{{aws_account_id}}") +| where if ("{{severity}}" = "*", true, severity matches "{{severity}}") +| where if ("{{finding_status}}" = "*", true, finding_status matches "{{finding_status}}") +| where if ("{{compliance_status}}" = "*", true, compliance_status matches "{{compliance_status}}") +| where if ("{{aws_region}}" = "*", true, cloud_region matches "{{aws_region}}") +| where if ("{{class_name}}" = "*", true, class_name matches "{{class_name}}") +| where if ("{{finding_activity}}" = "*", true, activity_name matches "{{finding_activity}}") +| where if ("{{finding_category}}" = "*", true, category_name matches "{{finding_category}}") +| where if ("{{resource_type}}" = "*", true, resource_type matches "{{resource_type}}") +| where if ("{{resource_name}}" = "*", true, resource_name matches "{{resource_name}}") + +// panel specific +| count by finding_id +| count +``` + +## Set up collection + +This integration enables the ingestion of AWS Security Hub findings into Sumo Logic using Amazon EventBridge and a Sumo Logic HTTP Source. It provides a scalable and real-time pipeline: **Security Hub** > **EventBridge** > **Sumo Logic HTTP Source** + +### Step 1: Create an HTTP Source in Sumo Logic + +1. To create an HTTP source in Sumo Logic, refer to [Configure an HTTP Logs and Metrics Source](/docs/send-data/hosted-collectors/http-source/logs-metrics/#configure-an-httplogs-and-metrics-source). +1. After creation, copy and save the **HTTP Source URL** and **Source Category** for further steps. + +### Step 2: Configure EventBridge API destination + +Follow the below steps to configure the EventBridge API destination: + +1. Sign in to your [AWS Eventbridge Console](https://aws.amazon.com/eventbridge/). +1. In the navigation bar, click **API destinations**. +1. Click **Create destination**. +1. Enter a name for the API Destination. +1. Provide the HTTP Source URL collected from [Step 1](#step-1-create-an-http-source-in-sumo-logic). +1. Click **Create a new connection** to create a connection for the API destination. + 1. Provide a connection name. + 1. Keep the **API Type** as **Public**. + 1. In the **Authorization type** select **Basic (Username/Password)** and add any value of your choice for Username and Password. + +### Step 3: Create the EventBridge rule + +Follow the below steps to create the EventBridge rule: + +1. Sign in to your [AWS Eventbridge Console](https://aws.amazon.com/eventbridge/).. +1. In the navigation bar, click **Rules**. +1. Set the event source to **AWS services** and then select **Security Hub** as the AWS service. +1. Select **All Events** in the **Event Type**. +1. Under **Select targets**, choose **EventBridge API destination**. +1. Select the API Destination created in [Step 2](#step-2-configure-eventbridge-api-destination). +1. Select **Create a new role for this specific resource** in the **Execution role**. +1. Click **Create** to activate the rule. + +Once the rule is active, **Security Hub findings** will automatically be sent to the configured Sumo Logic HTTP source. + +## Installing the AWS Security Hub - OCSF app + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing AWS Security Hub - OCSF dashboards + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **AWS Security Hub - OCSF - Overview** dashboard delivers a broad, real-time snapshot of your AWS Security Hub findings. It provides high-level insight into alert volume, severity distribution, account-level risk, and compliance status across your AWS environment. + +These dashboard panels help you to track findings over time, analyze spikes in critical issues, and assess which accounts or regions are experiencing the most significant activity. You can also drill into findings by classification, category, type, or vendor to understand threat sources and affected services. + +Additionally, this dashboard highlights recently discovered findings and affected resources, helping teams quickly spot emerging risks. Use this dashboard to stay informed of your overall security posture and to surface high-priority issues that demand immediate attention. + +AWS Security Hub - OCSF - Overview Dashboard + +### Compliance Summary + +The **AWS Security Hub - OCSF - Compliance Summary** dashboard provides a focused analysis of your AWS compliance posture, aggregating finding data across key compliance standards. The dashboard highlights the failures that occurs across accounts, resources, and time, providing teams the visibility needed to assess audit readiness and take corrective action. + +It surfaces trends in compliance violations, enabling you to monitor status changes, detect regressions, and evaluate severity distribution. You can also identify the top misconfigured resources and non-compliant AWS accounts, helping prioritize efforts to improve adherence to security frameworks. + +This dashboard is ideal for security and compliance teams who need to ensure ongoing alignment with internal policies and external regulatory standards. + +AWS Security Hub - OCSF - Compliance Summary Dashboard + +### Regulatory Compliance + +The **AWS Security Hub - OCSF - Regulatory Compliance** dashboard presents an in-depth view of your organization's alignment with major cloud security benchmarks and compliance standards, such as AWS Foundational Security Best Practices, CIS Benchmarks, NIST publications, and PCI DSS. + +The dashboard shows pass percentages and summary details for each standard, allowing teams to compare compliance levels across frameworks. With this level of granularity, security and governance teams can pinpoint specific areas of misalignment, measure improvement over time, and tailor remediation efforts by standard. + +Use this dashboard to assess policy adherence in detail, validate control coverage, and support audit processes with clearly segmented compliance insights. + +AWS Security Hub - OCSF - Regulatory Compliance Dashboard + +### Resources Affected + +The **AWS Security Hub - OCSF - Resources Affected** dashboard helps security teams understand which AWS resources are impacted by security findings and where those resources are distributed across cloud accounts and regions. + +By organizing data by resource type, severity, and geography, this dashboard helps prioritize remediation based on criticality and business impact. You can identify top affected resource names, evaluate role-based exposure, and explore findings across various infrastructure layers. + +With this information, teams can quickly assess the blast radius of an incident, uncover systemic misconfigurations, and take action to protect their most sensitive and critical cloud assets. + +AWS Security Hub - OCSF - Resources Affected Dashboard + +### Action Plan + +The **AWS Security Hub - OCSF - Action Plan** dashboard provides a tactical view into common misconfigurations and high-risk behaviors across your AWS environment. It surfaces key remediation opportunities such as exposed credentials, weak password policies, non-compliant security group rules, public access violations, and critical S3 and EC2 misconfigurations. + +This dashboard helps operationalize findings by translating alerts into prioritized action items. Security teams can easily pinpoint unused credentials, monitor MFA adoption, and address overly permissive network settings or encryption gaps. + +Use this dashboard to drive remediation workflows, reduce the attack surface, and continuously improve your cloud security hygiene through targeted action. + +AWS Security Hub - OCSF - Action Plan Dashboard + +## Create monitors for AWS Security Hub - OCSF app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### AWS Security Hub - OCSF alerts + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Critical Severity Findings` | This alert is triggered when a finding with critical severity is detected, indicating a high-impact threat that requires immediate attention and remediation. | Critical | Count > 0 | +| `High Severity Findings` | This alert is triggered when a high-severity finding is generated, signaling a significant security issue that should be investigated promptly. | Critical | Count > 0| +| `S3 Bucket Access Violation` | This alert is triggered when a finding indicates that an S3 bucket lacks proper access controls or configurations that may expose data to unauthorized access. Alert is activated when the finding matches any of the following:
  • S3 general purpose buckets should have block public access settings enabled.
  • S3 general purpose buckets should block public read access
  • S3 general purpose buckets should block public write access.
  • S3 general purpose bucket policies should restrict access to other AWS accounts.
  • S3 general purpose buckets should block public access
  • S3 general purpose buckets should have server access logging enabled.
  • S3 general purpose buckets with versioning enabled should have Lifecycle configurations.
  • ACLs should not be used to manage user access to S3 general purpose buckets.
  • S3 access points should have block public access settings enabled.
  • S3 Multi-Region Access Points should have block public access settings enabled.

These misconfigurations significantly increase the risk of data exposure or unauthorized access to sensitive resources. | Critical | Count > 0 | +| `Security Groups Allowing Unrestricted Access` | This alert is triggered when a finding identifies overly permissive security group rules that could expose cloud resources to unauthorized access. Alert is activated when the finding matches any of the following:
  • Security groups should not allow unrestricted access to ports with high risk.
  • Security groups should not allow ingress from `0.0.0.0/0` or `::/0` to port `3389` or `22`.
  • EC2 security groups should not allow ingress from `0.0.0.0/0` or `::/0` to the remote server administration ports.

These configurations can create open attack surfaces and significantly increase the likelihood of brute-force attacks, lateral movement, or unauthorized remote access.| Critical | Count > 0 | +| `Public Access Violations` | This alert is triggered when publicly accessible cloud resources, such as S3 buckets, CloudTrail log storage, or KMS keys are detected. These cloud resources pose a significant risk of data leakage or unauthorized access. Alert is activated when the finding matches any of the following:
  • S3 general purpose buckets should have block public access settings enabled.
  • S3 general purpose buckets should block public read access.
  • S3 general purpose buckets should block public write access.
  • S3 general purpose buckets should block public access.
  • S3 access points should have block public access settings enabled.
  • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible.
  • KMS keys should not be publicly accessible

These above findings highlight the misconfigurations that can expose sensitive data or services to the public internet and should be remediated promptly. | Critical | Count > 0 | + +## Upgrade/Downgrade the AWS Security Hub - OCSF app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the AWS Security Hub - OCSF app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/cloud-security-monitoring-analytics/index.md b/docs/integrations/cloud-security-monitoring-analytics/index.md index 3af7325014..8a2b0ac8e1 100644 --- a/docs/integrations/cloud-security-monitoring-analytics/index.md +++ b/docs/integrations/cloud-security-monitoring-analytics/index.md @@ -34,6 +34,13 @@ import CisNote from '../../reuse/cis-note.md';

A guide to the Sumo Logic app for Amazon CloudTrail - Cloud Security Monitoring and Analytics

+
+
+ Thumbnail icon +

AWS Security Hub< - OCSF

+

A guide to the Sumo Logic app for AWS Security Hub - OCSF.

+
+
Thumbnail icon diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index fc1540f083..42054a8512 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -115,7 +115,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [AWS Network Load Balancer](https://aws.amazon.com/elasticloadbalancing/network-load-balancer/) | App: [AWS Network Load Balancer](/docs/integrations/amazon-aws/network-load-balancer/) | | Thumbnail icon | [AWS OpsWorks](https://aws.amazon.com/opsworks/) | Collector: [Deploy Sumo Logic Collectors on AWS OpsWorks](/docs/send-data/collect-from-other-data-sources/deploy-collectors-aws-opsworks/) | | Thumbnail icon | [AWS Private Certificate Authority](https://aws.amazon.com/private-ca/) | App: [AWS Private Certificate Authority](/docs/integrations/amazon-aws/aws-private-certificate-authority/)
Automation integration: [AWS Private Certificate Authority](/docs/platform-services/automation-service/app-central/integrations/aws-private-certificate-authority/) | -| Thumbnail icon | [AWS Security Hub](https://aws.amazon.com/security-hub/) | Apps:
- [AWS Security Hub CSPM](/docs/integrations/amazon-aws/security-hub/)
- [AWS Security Hub Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub/)
- [AWS Security Quick Start](/docs/integrations/amazon-aws/security-quickstart/)
Automation integration: [AWS Security Hub](/docs/platform-services/automation-service/app-central/integrations/aws-security-hub/)
Cloud SIEM integration: [Amazon AWS - Security Hub](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/d0aebc1c-db4d-440f-b69f-70dae24befff.md) | +| Thumbnail icon | [AWS Security Hub](https://aws.amazon.com/security-hub/) | Apps:
- [AWS Security Hub CSPM](/docs/integrations/amazon-aws/security-hub/)
- [AWS Security Hub Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub/)
- [AWS Security Hub - OCSF](/docs/integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf/)
- [AWS Security Quick Start](/docs/integrations/amazon-aws/security-quickstart/)
Automation integration: [AWS Security Hub](/docs/platform-services/automation-service/app-central/integrations/aws-security-hub/)
Cloud SIEM integration: [Amazon AWS - Security Hub](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/d0aebc1c-db4d-440f-b69f-70dae24befff.md) | | Thumbnail icon | [AWS Simple Notification Service](https://aws.amazon.com/sns/) | Automation integration: [AWS Simple Notification Service](/docs/platform-services/automation-service/app-central/integrations/aws-simple-notification-service/) | | Thumbnail icon | [AWS WAF](https://aws.amazon.com/waf/) | Apps:
- [AWS WAF](/docs/integrations/amazon-aws/waf/)
- [AWS WAF Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-waf/)
Automation integration: [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/)
Cloud SIEM integration: [Amazon AWS - Web Application Firewall (WAF)](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/072b85a2-1765-45c2-911d-b0509880326e.md) | | Thumbnail icon | [Axonius](https://www.axonius.com/) | Automation integration: [Axonius](/docs/platform-services/automation-service/app-central/integrations/axonius/) | diff --git a/sidebars.ts b/sidebars.ts index 4dcb4b6e08..730a9a2d89 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2158,6 +2158,7 @@ integrations: [ 'integrations/amazon-aws/network-firewall', 'integrations/amazon-aws/network-load-balancer', 'integrations/amazon-aws/security-hub', + 'integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf', 'integrations/amazon-aws/threat-intel', 'integrations/amazon-aws/waf', 'integrations/amazon-aws/cis-aws-foundations-benchmark', @@ -2409,6 +2410,7 @@ integrations: [ 'integrations/cloud-security-monitoring-analytics/amazon-guardduty', 'integrations/cloud-security-monitoring-analytics/amazon-vpc-flow', 'integrations/cloud-security-monitoring-analytics/aws-cloudtrail', + 'integrations/cloud-security-monitoring-analytics/aws-security-hub-ocsf', 'integrations/cloud-security-monitoring-analytics/aws-security-hub', 'integrations/cloud-security-monitoring-analytics/aws-waf', 'integrations/cloud-security-monitoring-analytics/linux',