
Amazon AWS Security Hub

The JSA DSM for Amazon Security Hub collects events from a log group of the Amazon CloudWatch Logs service.

To collect Amazon AWS Security Hub logs in JSA, you need to configure a log source on the JSA Console for Amazon Security Hub to communicate with JSA by using the Amazon Web Services protocol.

To integrate Amazon AWS Security Hub with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPM on your JSA console:

    • DSMCommon RPM

    • Protocol Common RPM

    • Amazon Web Services Protocol RPM

    • Amazon AWS Security Hub DSM RPM

  2. Create and configure an Amazon EventBridge rule to send events from AWS Security Hub to an AWS CloudWatch Logs log group.

  3. Create an Identity and Access Management (IAM) user in the Amazon AWS user interface when using the Amazon Web Services protocol.

  4. Add an Amazon AWS Security Hub log source on the JSA Console. The following table describes the Amazon Web Services protocol parameters that require specific values to collect Syslog events from Amazon AWS Security Hub:

    Table 1: Amazon AWS Security Hub Log Source parameters when using the Amazon Web Services Protocol

    Parameter

    Value

    Log Source Type

    Amazon AWS Security Hub

    Protocol Configuration

    Amazon Web Services

    Authentication Method

    • Access Key ID / Secret Key - Standard authentication that can be used from anywhere.

    • EC2 Instance IAM Role - If your JSA managed host is running in an AWS EC2 instance, choose this option to use the IAM role from the metadata that is assigned to the instance for authentication. No keys are required.

      Note:

      This method works only for managed hosts that are running within an AWS EC2 instance.

    Access Key ID

    The Access Key ID was generated when you configured the security credentials for your AWS user account.

    If you selected Access Key ID / Secret Key, the Access Key ID parameter displays.

    Secret Access Key

    The Secret Key that was generated when you configured the security credentials for your AWS user account.

    If you selected Access Key ID / Secret Key, the Secret Access Key parameter displays.

    Regions

    Select the check box for each region that is associated with the Amazon Web Service that you want to collect logs from.

    Other Regions

    Type the names of any additional regions that are associated with the Amazon Web Service that you want to collect logs from. To collect from multiple regions use a comma-separated list, as shown in the following example: region1,region2

    AWS Service

    The name of the Amazon Web Service. From the AWS Service list, select CloudWatch Logs.

    Log Group

    The name of the log group in Amazon CloudWatch where you want to collect logs from.

    Note:

    A single log source collects CloudWatch logs from 1 log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group.

    Log Stream (Optional)

    The name of the log stream within a log group. If you want to collect logs from all log streams within a log group, leave this field blank.

    Filter Pattern (Optional)

    Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specified are collected from CloudWatch Logs. If you enter ACCEPT as the Filter Pattern value, only the events that contain the word ACCEPT are collected. The following example shows the effect of the ACCEPT value:

    {LogStreamName: LogStreamTest,Timestamp: 0, Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

    Extract Original Event

    To forward only the original event that was added to the CloudWatch logs to JSA, select this option.

    CloudWatch logs wrap the events that they receive with extra metadata.

    The original event is the value of the Message key that is extracted from the CloudWatch log. In the following CloudWatch Logs event example, the original event is the value of the Message key:

    {LogStreamName: SecurityHubLogStream,Timestamp: 1519849569827,Message: {"version":...:,IngestionTime: 1505744407506,EventId: 0000}
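    As an added illustration (not code from the JSA documentation or the product itself), the following Python models the Filter Pattern and Extract Original Event behaviour described above on constructed sample events: the filter is a literal substring test rather than a regex, and extraction forwards only the Message value, which is then parsed as a Security Hub finding event. The wrapper keys and the finding layout are assumptions based on the example above.

```python
import json

# Constructed sample events in the wrapper format CloudWatch Logs uses on this
# page; the first Message is a constructed Security Hub EventBridge event.
FINDING_EVENT = json.dumps({
    "version": "0", "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{"Title": "Constructed finding",
                             "Severity": {"Label": "HIGH"}}]},
})
SAMPLE_EVENTS = [
    {"LogStreamName": "SecurityHubLogStream", "Timestamp": 1519849569827,
     "Message": FINDING_EVENT, "IngestionTime": 1505744407506, "EventId": "0"},
    {"LogStreamName": "LogStreamTest", "Timestamp": 0,
     "Message": "ACCEPT OK", "IngestionTime": 0, "EventId": "1"},
    {"LogStreamName": "LogStreamTest", "Timestamp": 1,
     "Message": "REJECT FAIL", "IngestionTime": 0, "EventId": "2"},
]


def matches_filter(event, filter_pattern):
    # Filter Pattern is a literal, case-sensitive substring test, not a
    # regex: "ACC.PT" does not match "ACCEPT OK".
    return not filter_pattern or filter_pattern in event["Message"]


def collect(events, filter_pattern=None, extract_original=False):
    """Model of what the log source forwards to JSA for each matching event."""
    payloads = []
    for event in events:
        if not matches_filter(event, filter_pattern):
            continue
        if extract_original:
            payloads.append(event["Message"])  # only the original event
        else:
            payloads.append(json.dumps(event))  # the whole CloudWatch wrapper
    return payloads


def finding_severities(payloads):
    """Parse extracted Security Hub events and list their severity labels."""
    labels = []
    for payload in payloads:
        try:
            detail = json.loads(payload).get("detail", {})
        except json.JSONDecodeError:
            continue  # a plain-text message such as "ACCEPT OK" has no findings
        for finding in detail.get("findings", []):
            labels.append(finding.get("Severity", {}).get("Label"))
    return labels
```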

    Use As A Gateway Log Source

    Do not select this check box.

    Use Proxy

    If JSA accesses the Amazon Web Service by using a proxy, enable Use Proxy.

    If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

    Automatically Acquire Server Certificate(s)

    Select Yes for JSA to automatically download the server certificate and begin trusting the target server.

    This function can be used to initialize a newly created log source and obtain certificates initially, or to replace expired certificates.

    EPS Throttle

    The maximum number of events per second (EPS) that this log source is allowed to send.

    The default is 5000. If EPS Throttle is left blank, no limit is imposed by JSA. If the Use As A Gateway Log Source option is selected, this value is optional.

    Enabled

    Indicates whether the log source should be enabled. The default is enabled.

    Credibility

    The higher the credibility, the more certain you are that this log source emits reliable events. The default is 5.

    Target Event Collector

    The appliance responsible for receiving and parsing the events from this log source.

    Coalescing Events

    When a log source emits multiple events that are similar to one another in a short time span, they are coalesced together.

    The event count of the single event reflects the number of events that are coalesced.

    Enable Coalescing Events to reduce storage cost of events. The default is enabled.

    Store Event Payload

    Enable to store original event payloads in addition to the normalized record. The default is enabled.