
Can't trigger EventBridge rule with Security Hub Findings - Imported

0

So I did the setup:

  • Enable GuardDuty
  • Enable Security Hub
  • Create SNS Topic
    1. Create a Standard Topic with everything default
    2. Create a subscription associated with the topic above => test receive mail OK
  • Create EventBridge rule:
    1. Define rule detail (leave default)
    2. Build event pattern:
       • In event pattern: use pattern form
       • Event sources: AWS Services
       • AWS service: Security Hub
       • Event type: Security Hub Findings - Imported
       • Everything else at default
    3. Select target(s)
       • Choose SNS topic and choose the SNS topic created above
    4. Create rule

For the demo I generated a new sample finding with GuardDuty:

```
aws guardduty create-sample-findings --detector-id 88c852ddea3c7bca03080796aa43f0d4 --finding-types Backdoor:EC2/DenialOfService.Tcp
```

So next Security Hub will get the findings from GuardDuty and create new **Security Hub Findings - Imported** events (according to this doc: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html#:~:text=Security%20Hub%20automatically%20sends%20all%20new%20findings%20and%20all%20updates%20to%20existing%20findings%20to%20EventBridge%20as%20Security%20Hub%20Findings%20%2D%20Imported%20events.%20Each%20Security%20Hub%20Findings%20%2D%20Imported%20event%20contains%20a%20single%20finding.)

But the EventBridge rule doesn't trigger => can't send the SNS email.

I don't know why I can't send it. I set permissions for full access on all the services I used.

2 Answers
0

Is the Event Mapper correctly formatted, such as in:

```json
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "<attribute filter values>"
    }
  }
}
```

Check these docs as well.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html
https://repost.aws/questions/QUOflWp-STRvupcKEScX6yIg/securityhub-to-eventbridge

EXPERT
answered 2 years ago
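To show how EventBridge evaluates a pattern like the one above against a Security Hub event, here is a small matcher of my own (added for illustration; it is not the answerer's code or an AWS library). It assumes a constructed sample event in the documented shape (one ASFF finding inside the `detail.findings` array) and implements only the exact-value subset of EventBridge matching. Two points it makes concrete: the `"<attribute filter values>"` line is a placeholder that must be replaced with real filters (or the whole `detail` block dropped), and a `detail` filter on a field the finding does not carry silently drops the event.

```python
def matches(pattern, event) -> bool:
    """Minimal EventBridge pattern matcher (exact-value subset, no prefix/numeric operators).
    Pattern leaves are lists of allowed values, objects match key by key, and when the
    event value is an array (e.g. detail.findings) any element may satisfy the sub-pattern."""
    if isinstance(pattern, list):                       # leaf: allowed literal values
        return any(v in pattern for v in event) if isinstance(event, list) else event in pattern
    if isinstance(pattern, dict):
        if isinstance(event, list):                     # array of objects: any element may match
            return any(matches(pattern, e) for e in event)
        return isinstance(event, dict) and all(
            k in event and matches(sub, event[k]) for k, sub in pattern.items())
    return False

# Constructed sample in the shape Security Hub publishes: one ASFF finding inside the
# detail.findings array. The account id and finding contents are made up for this example.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.securityhub", "account": "111122223333", "region": "us-east-1",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{"ProductName": "GuardDuty", "Severity": {"Label": "HIGH"},
                             "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}}]},
}

# The answer's pattern with the placeholder "detail" block removed: fires for every imported finding.
BROAD_PATTERN = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"]}

# Real attribute filters in place of "<attribute filter values>": high/critical GuardDuty findings only.
FILTERED_PATTERN = dict(BROAD_PATTERN, detail={"findings": {
    "ProductName": ["GuardDuty"], "Severity": {"Label": ["HIGH", "CRITICAL"]}}})

# A filter on a field that GuardDuty findings do not carry: such a rule never fires for them.
COMPLIANCE_PATTERN = dict(BROAD_PATTERN, detail={"findings": {"Compliance": {"Status": ["FAILED"]}}})

def evaluate(event=SAMPLE_EVENT) -> dict:
    """Report which candidate rule patterns would trigger for the given event."""
    return {name: matches(pat, event) for name, pat in
            [("broad", BROAD_PATTERN), ("filtered", FILTERED_PATTERN), ("compliance", COMPLIANCE_PATTERN)]}

if __name__ == "__main__":
    print(evaluate())  # {'broad': True, 'filtered': True, 'compliance': False}
```

The same check is worth running against a real event captured by a temporary rule with a CloudWatch Logs target, since the sample finding's actual fields decide which filters fire.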
0

Hi,

The issue you're facing could be due to several reasons. Here are a few things you have to check:

  1. **EventBridge Rule Configuration**

    • Verify that the EventBridge rule is configured correctly by checking the event pattern and target settings.
    • Double-check that you have selected the correct "Event Source" as "AWS Services" and the "AWS service" as "Security Hub".
    • Ensure that the "Event Type" is set to "Security Hub Findings - Imported".
    • Confirm that the SNS topic you selected as the target is the correct one.
  2. IAM Permissions

    • Make sure that the IAM role or user that you're using has the necessary permissions to create and manage EventBridge rules, SNS topics, and Security Hub findings.
    • You can refer to the AWS documentation for the required IAM permissions for EventBridge.
  3. Security Hub Findings Delivery

    • Ensure that Security Hub is configured to send findings to EventBridge. By default, Security Hub sends new findings and updates to EventBridge as "Security Hub Findings - Imported" events.
    • You can check the Security Hub settings by navigating to the Security Hub console, selecting "Settings," and then verifying that the "Send findings to EventBridge" option is enabled.
  4. EventBridge Rule Status

    • Check the status of the EventBridge rule in the EventBridge console. If the rule is in the "Enabled" state, it should be triggered when new "Security Hub Findings - Imported" events occur.
  5. CloudWatch Logs

    • Check the CloudWatch Logs for any relevant error messages or failures related to EventBridge or Security Hub. You can find the logs in the CloudWatch console under the "/aws/events" and "/aws/securityhub" log groups.

If you've verified all the above points and are still not receiving SNS notifications, you can try creating a new EventBridge rule and SNS topic to isolate the issue further.

Kindly find a couple of reference links to revalidate your configuration:

Hope this will help.

Thanks

AWS
answered 2 years ago
