Enriching AWS Security Hub Findings
recently, @awscloud published a really interesting post on the @awsecurityinfo blog. the post details an extremely useful pattern for enriching AWS Security Hub findings
check it out at https://aws.amazon.com/blogs/security/how-to-enrich-aws-security-hub-findings-with-account-metadata/
some thoughts below
all AWS Security Hub findings follow the ASFF, or AWS Security Finding Format, https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
I’m a bit biased because I was involved in its early stages but it’s a solid key:value structure for reporting #security issues
the information in the Finding is about the finding (duh) but there can be a number of @awscloud resources referenced. these resources have their own attributes that might be critical to the prioritization and investigation of the finding
the backend won’t add all of these data points because you’d be adding a number of API calls for every Finding issued and it might not be worth it performance- or cost-wise
the pattern in the blog post helps add that data to enrich the Finding
I think the next step for this pattern would be to add filters for specific Finding types.
if I see Finding type X, query A, B, C, and add that data to the finding
this would help tune the pattern to your specific needs and trade-offs
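as an added illustration of that filtering step (my own sketch, not code from the AWS blog post): a rule table keyed on the ASFF `Types` prefix decides which resource attributes to look up, and the result is shaped as `UserDefinedFields` for a `BatchUpdateFindings` call. the rule prefixes, attribute names, sample finding and in-memory metadata table are all constructed for the example; in the real pattern the `lookup` callable would wrap the metadata store.

```python
from typing import Callable, Dict, List

# Assumed enrichment rules: ASFF "Types" prefix -> resource attributes worth adding for
# that kind of finding. The attribute names are our own, not an AWS-defined list.
ENRICHMENT_RULES: Dict[str, List[str]] = {
    "TTPs/": ["Owner", "Environment", "DataClassification"],
    "Software and Configuration Checks/": ["Owner", "Environment"],
}

# (resource_type, resource_id) -> attributes; in production this wraps the metadata store.
Lookup = Callable[[str, str], Dict[str, str]]


def select_attributes(finding: dict) -> List[str]:
    """Union of the attributes requested by every rule whose prefix matches a finding type."""
    wanted: List[str] = []
    for finding_type in finding.get("Types", []):
        for prefix, attrs in ENRICHMENT_RULES.items():
            if finding_type.startswith(prefix):
                wanted.extend(a for a in attrs if a not in wanted)
    return wanted


def enrich_finding(finding: dict, lookup: Lookup) -> Dict[str, str]:
    """Build the UserDefinedFields for BatchUpdateFindings, querying only what the rules ask for."""
    attrs = select_attributes(finding)
    fields: Dict[str, str] = {}
    if not attrs:
        return fields  # finding type not covered by any rule: no lookups, no update
    for index, resource in enumerate(finding.get("Resources", [])):
        metadata = lookup(resource["Type"], resource["Id"])
        for attr in attrs:
            if attr in metadata:
                # UserDefinedFields is a flat string map, so the key carries the resource index
                fields[f"Resource{index}_{attr}"] = str(metadata[attr])
    return fields


# Constructed sample data standing in for the metadata table and an incoming ASFF finding.
SAMPLE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"
SAMPLE_METADATA = {("AwsEc2Instance", SAMPLE_ARN): {
    "Owner": "payments-team", "Environment": "prod", "DataClassification": "confidential"}}
SAMPLE_FINDING = {
    "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"],
    "Resources": [{"Type": "AwsEc2Instance", "Id": SAMPLE_ARN}],
}


def sample_lookup(resource_type: str, resource_id: str) -> Dict[str, str]:
    return SAMPLE_METADATA.get((resource_type, resource_id), {})
```

a finding whose `Types` match no rule returns an empty map, so no lookup calls are made and no update is sent for it, which is the cost/performance trade-off the thread describes.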
overall, this is a great solution to implement in your environment. it’s low cost, highly scalable, and doesn’t add a lot of operational overhead