AWS Security Hub is a centralized security service that aggregates and prioritizes security findings from AWS services and, where integrated, third-party products. It gives a single view of the security posture of an AWS environment and makes it easier to remediate issues quickly.
Automate Security Hub Events with Torq
Findings from other AWS services and, where integrated, third-party products flow into Security Hub.
Security Hub automatically sends every new or updated finding to EventBridge as an event (detail-type Security Hub Findings - Imported); findings you forward with a custom action arrive as Security Hub Findings - Custom Action.
An EventBridge rule whose event pattern matches these events publishes them to an SNS topic.
Create an SNS Integration in Torq
The SNS integration is a unique webhook URL (a Torq endpoint) that you add as an HTTPS subscription to the SNS topic, so SNS knows where to deliver notifications. Each notification is ingested into Torq as a JSON event. Treat the URL as a secret: anyone who has it can post events to the workflows it triggers.
Go to Build > Integrations > Triggers > Amazon SNS, and click Add.
Enter a meaningful name for the integration.
(Optional) Add authentication headers to secure the webhook.
Click Add.
Create a New SNS Topic and Subscription
See the Amazon SNS documentation for detailed instructions.
When you create the subscription, use these settings:
Protocol: HTTPS
In the Endpoint field, paste the webhook URL you generated earlier.
Select the Enable raw message delivery check box, so the Security Hub event arrives as the POST body itself rather than as an escaped JSON string inside the SNS envelope's Message field.
Create an EventBridge Rule
An Amazon EventBridge rule specifies a pattern that matches events generated by AWS services or custom applications and routes them to one or more targets. An Amazon SNS (Simple Notification Service) topic is one of the targets an EventBridge rule can use.
When an EventBridge rule targets an SNS topic, every event that matches the rule's pattern is published to that topic, and the topic delivers it to all of its subscribed endpoints.
By routing events to SNS topics with EventBridge rules, you can build event-driven architectures in which different components respond to changes in near real time. For example, a rule could publish to an SNS topic whenever a new object is created in an Amazon S3 bucket. That notification could trigger a Torq workflow that contacts the bucket owner and the user who uploaded the object and remediates accordingly.
Go to your AWS console, for example, https://us-east-1.console.aws.amazon.com/events/home?region=us-east-1#/
In the Get started section, select EventBridge Rule and click Create Rule.
Replicate these settings, changing the name and other custom fields as required.
Define Rule Detail:
Build Event Pattern:
Event Source: AWS events or EventBridge partner events
Sample Event: AWS events
Creation Method: Use pattern form
Event Pattern:
Select Targets:
Target Types: AWS service
Select a target: SNS topic
Topic: Set to the SNS topic created in the previous step
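Before creating the rule it helps to check which events its pattern will actually publish to the topic. The following is an added example, not code from the Torq page or the Torq product: a small matcher that applies an EventBridge event pattern to an event with EventBridge's exact-match semantics. The pattern values ("aws.securityhub", "Security Hub Findings - Imported") are taken from the sample event later on this page; the events it is run against are constructed, trimmed copies of that sample and of a GuardDuty event, and the narrower high-severity pattern is an illustrative variant, not a setting the page prescribes.

```python
"""Added example (not from the Torq page): a small matcher that applies an
EventBridge event pattern to an event, so you can check which Security Hub
events the rule above will publish to the SNS topic before creating it. It
covers exact-value matching only (what the console's pattern form produces);
prefix, numeric and exists matchers are omitted.
"""

# Pattern for the rule described above: every finding Security Hub imports or
# updates. The "source" and "detail-type" values come from the sample event on
# this page.
SECURITY_HUB_IMPORTED_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Narrower, illustrative variant: only active HIGH/CRITICAL findings reach the topic.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "RecordState": ["ACTIVE"],
        }
    },
}

# Constructed events: the first is a trimmed copy of the sample finding shown
# later on this page; the second is a GuardDuty event the rule must not forward.
SECURITY_HUB_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "region": "us-east-3",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78",
        "Severity": {"Label": "LOW", "Normalized": 1, "Original": "LOW"},
        "RecordState": "ACTIVE",
    }]},
}
GUARDDUTY_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8, "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller"},
}


def leaf_paths(pattern, prefix=()):
    """Yield (path, allowed_values) for every leaf of a pattern; a leaf is a list."""
    for key, value in pattern.items():
        if isinstance(value, dict):
            yield from leaf_paths(value, prefix + (key,))
        else:
            yield prefix + (key,), value


def values_at(event, path):
    """All values found in `event` along `path`. Arrays are traversed element by
    element, which is how EventBridge flattens an event before matching."""
    if isinstance(event, list):
        return [v for item in event for v in values_at(item, path)]
    if not path:
        return [event]
    if isinstance(event, dict) and path[0] in event:
        return values_at(event[path[0]], path[1:])
    return []


def matches(pattern, event) -> bool:
    """EventBridge exact-match semantics: every leaf path in the pattern must
    exist in the event, and at least one value found there must be in the
    pattern's allowed list. Leaves are matched independently, so two conditions
    on fields of the same array are not required to hold on the same element."""
    return all(
        any(value in allowed for value in values_at(event, path))
        for path, allowed in leaf_paths(pattern)
    )


if __name__ == "__main__":
    for name, pattern in [("all findings", SECURITY_HUB_IMPORTED_PATTERN),
                          ("high severity", HIGH_SEVERITY_PATTERN)]:
        print(name, "forwards Security Hub sample:", matches(pattern, SECURITY_HUB_EVENT))
        print(name, "forwards GuardDuty sample:", matches(pattern, GUARDDUTY_EVENT))
```

The two pattern dictionaries are exactly what the console's pattern form serializes into the rule's JSON event pattern, so either can be pasted into the rule as-is. The independent-leaf behaviour noted in `matches` is a real EventBridge limitation worth remembering when a rule filters on several fields of the same findings array.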
Use in Torq
The Amazon SNS integration you created earlier, once selected as the trigger of a workflow, now receives security findings from AWS Security Hub.
Go to the workflow, click the Amazon SNS trigger, and go to Event Log.
Sample Event JSON
{
  "account": "0123456789012",
  "detail": {
    "findings": [
      {
        "AwsAccountId": "0123456789012",
        "CompanyName": "AWS",
        "Compliance": {
          "AssociatedStandards": [
            { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" }
          ],
          "SecurityControlId": "S3.13",
          "Status": "FAILED"
        },
        "CreatedAt": "2023-03-22T18:09:55.469Z",
        "Description": "This control checks if a lifecycle policy is configured for an S3 bucket. This control fails if the lifecycle policy is not configured for an S3 bucket.",
        "FindingProviderFields": {
          "Severity": { "Label": "LOW", "Normalized": 1, "Original": "LOW" },
          "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ]
        },
        "FirstObservedAt": "2023-03-22T18:09:55.469Z",
        "GeneratorId": "security-control/S3.13",
        "Id": "arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78",
        "LastObservedAt": "2023-03-22T18:10:11.114Z",
        "ProcessedAt": "2023-03-22T18:10:16.499Z",
        "ProductArn": "arn:aws:securityhub:us-east-3::product/aws/securityhub",
        "ProductFields": {
          "RelatedAWSResources:0/name": "securityhub-s3-lifecycle-policy-check-057dba00",
          "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
          "Resources:0/Id": "arn:aws:s3:::aws-cloudtrail-logs-xxxxxxxxx-xxxxxx",
          "aws/securityhub/CompanyName": "AWS",
          "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-3::product/aws/securityhub/arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78",
          "aws/securityhub/ProductName": "Security Hub",
          "aws/securityhub/annotation": "Found no bucket lifecycle configuration rules."
        },
        "ProductName": "Security Hub",
        "RecordState": "ACTIVE",
        "Region": "us-east-3",
        "Remediation": {
          "Recommendation": {
            "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
            "Url": "https://docs.aws.amazon.com/console/securityhub/S3.13/remediation"
          }
        },
        "Resources": [
          {
            "Details": {
              "AwsS3Bucket": {
                "CreatedAt": "2023-03-22T18:06:13.000Z",
                "OwnerId": "123456789012345678901234567890"
              }
            },
            "Id": "arn:aws:s3:::aws-cloudtrail-logs-012345678901-559cd158",
            "Partition": "aws",
            "Region": "us-east-3",
            "Type": "AwsS3Bucket"
          }
        ],
        "SchemaVersion": "2018-10-08",
        "Severity": { "Label": "LOW", "Normalized": 1, "Original": "LOW" },
        "Title": "S3 buckets should have lifecycle policies configured",
        "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ],
        "UpdatedAt": "2023-03-22T18:09:55.469Z",
        "Workflow": { "Status": "NEW" },
        "WorkflowState": "NEW"
      }
    ]
  },
  "detail-type": "Security Hub Findings - Imported",
  "id": "123456-1223456-123456-123456",
  "region": "us-east-3",
  "resources": [
    "arn:aws:securityhub:us-east-3::product/aws/securityhub/arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78"
  ],
  "source": "aws.securityhub",
  "time": "2023-03-22T18:10:20Z",
  "version": "0"
}
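The shape of what the webhook receives depends on the raw message delivery setting from the subscription step, and a workflow that keys on the wrong fields will misfire on the first archived or re-evaluated finding. The following is an added example, not code from the Torq page or the Torq product: it unwraps an SNS HTTPS POST body in either delivery mode and reduces each finding to the fields a remediation workflow acts on. The raw body is a constructed, trimmed copy of the sample event above; the enveloped body is constructed from it and carries only the envelope fields the code needs (a real SNS envelope also includes MessageId, TopicArn, Timestamp and signature fields).

```python
"""Added example (not from the Torq page): what a webhook consumer receives from
SNS and how to turn it into a remediation-ready summary. Raw message delivery
(the checkbox in the subscription step) makes SNS POST the EventBridge event
itself; without it the event arrives as an escaped JSON string inside the SNS
envelope's "Message" field. Both shapes are handled below.
"""
import json

# Constructed, trimmed copy of the sample finding shown above.
RAW_BODY = json.dumps({
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "region": "us-east-3",
    "account": "0123456789012",
    "detail": {"findings": [{
        "AwsAccountId": "0123456789012",
        "Id": "arn:aws:securityhub:us-east-3:0123456789012:security-control/S3.13/finding/653eaaba-04fe-42cb-928a-3b6696c89e78",
        "Title": "S3 buckets should have lifecycle policies configured",
        "Compliance": {"SecurityControlId": "S3.13", "Status": "FAILED"},
        "Severity": {"Label": "LOW", "Normalized": 1},
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
        "Remediation": {"Recommendation": {"Url": "https://docs.aws.amazon.com/console/securityhub/S3.13/remediation"}},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::aws-cloudtrail-logs-012345678901-559cd158", "Region": "us-east-3"}],
    }]},
})

# The same notification without raw message delivery: SNS wraps it in its
# envelope and carries the event as a string in "Message" (constructed; a real
# envelope also has MessageId, TopicArn, Timestamp and signature fields).
ENVELOPED_BODY = json.dumps({"Type": "Notification", "Message": RAW_BODY})


def unwrap_sns_body(body: str) -> dict:
    """Return the EventBridge event from an SNS HTTPS POST body, whether or not
    raw message delivery was enabled. Subscription-confirmation messages are
    rejected here; an endpoint must confirm them separately before it will
    receive notifications at all."""
    payload = json.loads(body)
    msg_type = payload.get("Type")
    if msg_type == "Notification":          # envelope delivery: "Message" is a JSON string
        return json.loads(payload["Message"])
    if msg_type is not None:                # SubscriptionConfirmation / UnsubscribeConfirmation
        raise ValueError(f"not a Security Hub notification: SNS message type {msg_type}")
    return payload                          # raw delivery: the body is the event itself


def summarize_findings(event: dict) -> list:
    """One flat record per finding with the fields a remediation workflow keys on.
    Events from other sources are ignored rather than misread."""
    if event.get("source") != "aws.securityhub":
        return []
    out = []
    for f in event.get("detail", {}).get("findings", []):
        compliance = f.get("Compliance", {})
        out.append({
            "finding_id": f.get("Id"),
            "account": f.get("AwsAccountId"),
            "region": event.get("region"),
            "control": compliance.get("SecurityControlId"),
            "title": f.get("Title"),
            "severity": f.get("Severity", {}).get("Label"),
            "resources": [r.get("Id") for r in f.get("Resources", [])],
            "remediation_url": f.get("Remediation", {}).get("Recommendation", {}).get("Url"),
            # Act only on live, unhandled failures: Security Hub re-sends findings
            # when they are archived or their workflow status changes, and those
            # updates should not re-open tickets or re-run remediation.
            "needs_action": (
                compliance.get("Status") == "FAILED"
                and f.get("RecordState") == "ACTIVE"
                and f.get("Workflow", {}).get("Status") == "NEW"
            ),
        })
    return out


if __name__ == "__main__":
    for record in summarize_findings(unwrap_sns_body(RAW_BODY)):
        print(json.dumps(record, indent=2))
```

Running the block prints the same summary for either delivery mode; the point of enabling raw message delivery is that the Torq event log then shows the finding's fields at the top level instead of one long escaped string, which is what the workflow's trigger conditions and data mappings will reference.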