Ingest AWS Security Hub security findings

Latest Dynatrace Preview

In the following, you'll learn how to ingest security findings from AWS Security Hub into Grail and analyze them on the Dynatrace platform.

Goal

  • Get insights from Dynatrace for AWS Security Hub security findings.
  • Visualize, analyze, and automate security findings uniformly on the Dynatrace platform.

How it works


Security finding events from AWS Security Hub are ingested into Dynatrace via a dedicated OpenPipeline security ingest endpoint, using an Amazon EventBridge event forwarding set up with an AWS CloudFormation template.

The OpenPipeline ingest endpoint processes and maps the security findings according to the Semantic Dictionary conventions.

The mapped findings are stored in the Grail bucket default_security_custom_events (for details, see: Built-in Grail buckets).

Prerequisites

See below for the AWS Security Hub and Dynatrace requirements.

AWS Security Hub requirements

  • Install and configure the latest AWS CLI.

  • Select the AWS region where you want to create the AWS Security Hub event forwarder.

    1. In a terminal, run:

      aws configure
    2. Set your default region (for example, us-east-1).

Dynatrace requirements

  • Generate an access token for security events ingestion with the openpipeline.events_security scope and save it for later.

Permissions

You need an Admin user to define a custom policy with the app-engine:apps:install permission to install the app. For details, see Dynatrace access.

Get started

  1. In Dynatrace, open Dynatrace Hub.
  2. Look for AWS Security Hub and select Install.
  3. Select Open, then select Configure new connection.
  4. Follow the on-screen instructions to set up the ingestion.

Monitor data

Once you ingest your AWS Security Hub data into Grail, you can monitor your data in the app (in Dynatrace, open AWS Security Hub).


You can view

  • A chart of ingested data from all existing connections over time

  • A table with information about your connections

Visualize and analyze findings

You can create your own dashboards or use our templates to visualize and analyze container vulnerability findings.

To use a dashboard template

  1. In Dynatrace, open AWS Security Hub.
  2. In the Try our templates section, select the desired dashboard template.

Automate and orchestrate findings

You can create your own workflows or use our templates to automate and orchestrate container vulnerability findings.

To use a workflow template

  1. In Dynatrace, open AWS Security Hub.
  2. In the Try our templates section, select the desired workflow template.

Query ingested data

You can query ingested data in Notebooks or Security Investigator, using the data format in Semantic Dictionary.

To query ingested data

  1. In Dynatrace, open AWS Security Hub.
  2. Select Open with.
  3. Select Notebooks or Security Investigator.

Support and mapping

For AWS, Dynatrace supports the following security event types:

  • Vulnerability
  • Detection
  • Compliance (experimental)

List of AWS events mapped to Dynatrace:

AWS event type                                                          | Dynatrace mapping
------------------------------------------------------------------------|------------------------
Software and Configuration Checks/Vulnerabilities/*                     | Vulnerability findings
TTPs/*                                                                  | Detection findings
Effects/*                                                               | Detection findings
Unusual Behaviors/*                                                     | Detection findings
Software and Configuration Checks/Industry and Regulatory Standards/*   | Compliance findings

All other events are ingested, but not mapped.

Limit ingestion

By default, once you set up the Dynatrace integration, all AWS event types are ingested into Dynatrace.

To limit ingestion to a specific event type, you need to set up filters for your Dynatrace AWS Security Hub event forwarder Lambda function in EventBridge.

  1. In your AWS console, go to Lambda > Functions and select the Dynatrace AWS Security Hub event forwarder function.
  2. In Configuration, edit the event pattern for the trigger.

Example filters:

  {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
      "findings": {
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"]
      }
    }
  }
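Before changing the trigger in the AWS console, it helps to check offline which findings a pattern keeps and which it drops. The following Python script is an added example, not code from the Dynatrace page or from the forwarder Lambda. It re-implements the subset of EventBridge event-pattern semantics that the filter above relies on (lists of exact values, nested objects, matching across every element of the findings array, and the {"prefix": ...} matcher that EventBridge offers for matching a whole branch of the Security Hub type taxonomy). The two sample events are constructed and trimmed to the fields the pattern inspects; real Security Hub events carry many more.

```python
"""Offline evaluation of an EventBridge event pattern against sample
AWS Security Hub "Findings - Imported" events (added example)."""
import json

# The filter shown on the page: keep only CVE vulnerability findings.
PAGE_FILTER = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"]
        }
    },
}

# Variant using EventBridge prefix matching, which keeps every finding under the
# "Software and Configuration Checks/Vulnerabilities/" branch of the taxonomy.
VULN_PREFIX_FILTER = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Types": [{"prefix": "Software and Configuration Checks/Vulnerabilities/"}]
        }
    },
}

# Constructed sample events (trimmed; not real Security Hub output).
CVE_EVENT = json.loads("""{
  "version": "0", "source": "aws.securityhub",
  "detail-type": "Security Hub Findings - Imported",
  "detail": {"findings": [{
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
    "Severity": {"Label": "HIGH"}}]}}""")

TTP_EVENT = json.loads("""{
  "version": "0", "source": "aws.securityhub",
  "detail-type": "Security Hub Findings - Imported",
  "detail": {"findings": [{
    "Types": ["TTPs/Initial Access"],
    "Severity": {"Label": "MEDIUM"}}]}}""")


def _leaf_values(node):
    """Flatten an event value into the scalars EventBridge compares against."""
    if isinstance(node, list):
        out = []
        for item in node:
            out.extend(_leaf_values(item))
        return out
    return [node]


def _descend(node, key):
    """Collect values under `key`, looking inside arrays of objects, so that
    detail.findings.Types is gathered from every element of the findings array."""
    if isinstance(node, dict):
        return [node[key]] if key in node else []
    if isinstance(node, list):
        out = []
        for item in node:
            out.extend(_descend(item, key))
        return out
    return []


def _rule_matches(rule, value):
    """One pattern entry (exact value or {"prefix": ...}) against one scalar."""
    if isinstance(rule, dict) and "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    return rule == value


def matches(pattern, event):
    """True if `event` satisfies `pattern`: every key in the pattern must match;
    within a key, any listed rule matching any event value is enough. A key that
    is absent from the event never matches."""
    for key, rules in pattern.items():
        candidates = _descend(event, key)
        if not candidates:
            return False
        if isinstance(rules, dict):
            if not any(matches(rules, c) for c in candidates):
                return False
        else:
            leaves = []
            for c in candidates:
                leaves.extend(_leaf_values(c))
            if not any(_rule_matches(r, v) for r in rules for v in leaves):
                return False
    return True


def kept_events(pattern, events):
    """Return the subset of `events` the trigger would forward to Dynatrace."""
    return [e for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for name, pattern in (("page filter", PAGE_FILTER), ("prefix filter", VULN_PREFIX_FILTER)):
        kept = kept_events(pattern, [CVE_EVENT, TTP_EVENT])
        print(name, "keeps", [e["detail"]["findings"][0]["Types"][0] for e in kept])
```

Run the script to see that both patterns forward the CVE finding and drop the TTPs finding; events that lack one of the pattern keys (for example an event from a different source) are dropped as well. Note that the trailing "*" in the mapping table on this page is notation for a branch of the taxonomy, not a glob that EventBridge evaluates; use an exact value, as the page's filter does, or a prefix rule.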

Remove connections

To stop sending events to Dynatrace

  1. In Dynatrace, open AWS Security Hub.
  2. For the connection you want to delete, select Remove.
  3. Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

  1. In Dynatrace, open Settings (new).
  2. Select Connections > AWS Security Hub.
  3. For the connection you want to delete, select Remove.
  4. Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

Consumption

For billing information, see Events powered by Grail.

Further references