Git Product home page Git Product logo

aws-securityhub-to-slack's Introduction

aws-securityhub-to-slack

Demonstrates sending AWS Security Hub findings to your Slack WorkSpace

This is the companion GitHub repository for the AWS blog post https://aws.amazon.com/blogs/apn/how-to-enable-custom-actions-in-aws-security-hub/

This repo will introduce you to the process of creating AWS Security Hub a custom action by sending findings to Slack. After reading this blog you will understand the process to create your own custom actions for utilization in your Security Operations play books.

Send to Slack Custom Action

  1. Prerequisites

  2. Create an incoming Webhook in Slack API

      App Name: "SecurityHubToSlack"  
      Development Slack Workspace: "Slack workspace that will receive the Security Hub Findings"          
    
    • Click on the Create App Button
    • Select Incoming Webhooks
    • At the “Activate Incoming Webhooks” Screen
    • Move the slider from OFF to ON
    • Scroll down and Add New Webhook to Workspace
    • Select the Slack Channel in your Slack Workspace that the Security Hub findings will be posted to and select Authorize (suggestion “#alerts”)
    • On the next screen, scroll down to the Webhook URL section and click the Copy button, so we can use it as input in our CloudFormation template
  3. Launch Cloud Formation Template . This CloudFormation template will create a Lambda Function that utilizes Slack’s Webhook API feature, as well as a CloudWatch Event Rule to send findings from Security Hub’s custom actions to Slack.

    • Download CloudFormation template by right clicking on “SecurityHubFindingsToSlack.json” and “Save Link As..” on your local machine
    • Navigate to https://console.aws.amazon.com/cloudformation/
    • Select Create stack
    • Select Upload a template file
    • Select Choose file and locate “SecurityHubFindingsToSlack.json” on your local machine
    • Select Next
    • Use the following values to fill out Create Stack parameters
        StackName: EnableSecurityHubFindingsToSlack  
        IncomingWebHookURL: Paste URL that you just copied from Slack API pages  
        SlackChannel: Enter the same Slack Channel name that you chose above (#alerts)  
        MinSeverityLevel: Choose the minimum Severity Level you want to be notified in Slack, example HIGH would only send high severity findings, LOW sends all findings  
    
    • Select Next, fill out any Tags and select Next again
    • Accept IAM Resource creation
    • Select Create Stack, CloudFormation will then begin creating the stack
    • Wait for the CloudFormation console to report stack creation complete
  4. Create Security Hub Custom Actions .

    • In the Security Hub navigation pane (https://console.aws.amazon.com/securityhub/) select Settings then choose the Custom Actions tab.
    • Select Create custom action.
    • Then in the Create custom action pop up, specify the action name, description and ID then choose OK to create the action.
         Name: Send to Slack  
         Description: This custom action sends selected findings as channel in a Slack Workspace  
         Custom action ID: SendToSlack  
    
  5. Testing the Send to Slack Custom Action

    • Navigate to AWS Security Hub Console (https://console.aws.amazon.com/securityhub/)
    • Navigate to Findings
    • Select the check box next to one or more findings
    • Click the drop-down Actions menu and choose the Send To Slack Custom Action

The Security Hub Console will then send the finding to your Slack channel, you should then receive a notification in your Slack channel

aws-securityhub-to-slack's People

Contributors

awsrossw avatar hyandell avatar sobanoba avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar

aws-securityhub-to-slack's Issues

JSON file has an error

Saving the SecurityHubFindingsToSlack.json as a Link (right click -> save as link)

Getting this error after loading the template to CloudFormation

Template format error: YAML not well-formed. (line 150, column 65)

Screen Shot 2021-12-19 at 17 52 30

nodejs8.10 is no longer supported

When running the SecurityHubFindingsToSlack.json template in us-west-2, it fails and rolls back with the error:

The runtime parameter of nodejs8.10 is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (nodejs12.x) while creating or updating functions. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException...

I don't see a version number but the latest commit on that file was:
c858302
on Aug 9, 2019

Line 208 of SecurityHubFindingsToSlack.json says:
"Runtime": "nodejs8.10"

Per https://aws.amazon.com/blogs/compute/node-js-12-x-runtime-now-available-in-aws-lambda/
"After January 6, 2020, you can no longer create a Node.js 8.10 Lambda function"

Prevent sending duplicated Securityhub findings to Slack

I am sending SecurityHub New findings to an Slack channel, however the problem is that it is sending the same findings over and over again and it would be very noisy in the channel.
I have tried a way that is mentioned in another post, setting the finding as "Notified" after it is send the New finding to Slack, however next day I saw that the same findings have been send to Slack again.
After checking on AWS doc, it seems AWS changes the Notified workflow-status to New:
https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_Workflow.html

Has anyone found a way to prevent sending duplicate findings?

JSON key error in Lambda function

Line 43 of the Lambda function has a casing issue.

Line 43: "const findingTime = message.detail.findings[0].updatedAt;\n",
should be
Line 43: "const findingTime = message.detail.findings[0].UpdatedAt;\n",

Creating New Stack Fails

Uploading the json file into Cloudfront gives an error at the Upload a template file screen:

The following resource types are not supported for resource import: AWS::Lambda::Permission

Latest version does not send updates to slack automatically

Expected behavior is that new alerts are sent to the slack channel automatically.

Using the latest cloudformation template and following the setup guide automatic alert notification does not get sent to the slack channel.

Updates to the slack channel must be initiated from the page https://console.aws.amazon.com/securityhub/home?region=us-east-1#/insights/arn:aws:securityhub:::insight/securityhub/default/ and after all messages are selected the Action drop down menu selected and the slack bot name clicked on.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.