EventBridge Rule for findings from SecurityHub
I am trying to create an EventBridge rule for the "Event" pattern as shown below:
My Json structure:
{
  "Findings": [
    {
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:securityhub:us-west-2:220307202362:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.9/finding/eeecfc8d-cb70-4686-8615-52d488f87959",
      "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
      "ProductName": "Security Hub",
      "CompanyName": "AWS",
      "Region": "us-west-2",
      "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.9",
      "AwsAccountId": "220311111111",
      "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
      ],
      "FirstObservedAt": "2021-09-27T20:01:59.019Z",
      "LastObservedAt": "2021-10-12T16:35:29.556Z",
      "CreatedAt": "2021-09-27T20:01:59.019Z",
      "UpdatedAt": "2021-10-12T16:35:29.556Z",
      "Severity": {
        "Product": 0,
        "Label": "INFORMATIONAL",
        "Normalized": 0,
        "Original": "INFORMATIONAL"
      },
      "Title": "EC2.9 EC2 instances should not have a public IPv4 address"
    }
  ]
}
My Json structure does not look like the event pattern shown in the top-right image, so I want to modify the event pattern to match the json I posted above. As soon as I edit the event pattern, the option on the left changes to "Custom pattern", as shown below:
When I try to test the above json, I get the following error:
What am I missing here? How do I configure my Security Hub findings so that it recognizes my above json and goes to my target (Kinesis Firehose)?
In the test event pattern you need to write the complete event, including version, id, ...
This tutorial shows a simple example (although for EC2).
For Security Hub findings, the test event pattern will look like the one in this doc.
Update:
Here is a screenshot of my attempt with your JSON. Note that the event pattern is just the "source". For the test event pattern headers other than the findings, I took the code from "Use AWS-provided sample events" in the custom event dropdown.
The event pattern JSON is:
{
  "version": "0",
  "id": "8e5622f9-d81c-4d81-612a-9319e7ee2506",
  "detail-type": "Security Hub Findings - Imported",
  "source": "aws.securityhub",
  "account": "123456789012",
  "time": "2019-04-11T21:52:17Z",
  "region": "us-west-2",
  "resources": ["arn:aws:securityhub:us-west-2::product/aws/macie/arn:aws:macie:us-west-2:123456789012:integtest/trigger/6294d71b927c41cbab915159a8f326a3/alert/f2893b211841"],
  "detail": {
    "Findings": [{
      "SchemaVersion": "2018-10-08",
      "Id": "arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.9/finding/eeecfc8d-cb70-4686-8615-52d488f87959",
      "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
      "ProductName": "Security Hub",
      "CompanyName": "AWS",
      "Region": "us-west-2",
      "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.9",
      "AwsAccountId": "220311111111",
      "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
      ],
      "FirstObservedAt": "2021-09-27T20:01:59.019Z",
      "LastObservedAt": "2021-10-12T16:35:29.556Z",
      "CreatedAt": "2021-09-27T20:01:59.019Z",
      "UpdatedAt": "2021-10-12T16:35:29.556Z",
      "Severity": {
        "Product": 0,
        "Label": "INFORMATIONAL",
        "Normalized": 0,
        "Original": "INFORMATIONAL"
      },
      "Title": "EC2.9 EC2 instances should not have a public IPv4 address"
    }]
  }
}
You can now use the test event.
The confusing thing is that the event pattern and the test event pattern are too much. Attributes such as source are handled automatically in EventBridge.
To detect specific attributes, "Event type -> Security Hub Findings - Imported" may be useful.
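To see offline why the console rejects the bare "Findings" document and accepts the enveloped event from the answer, here is an added example (not code from the question, the answer, or AWS) that re-implements the subset of EventBridge pattern matching at work: every key in the pattern must exist in the event, pattern leaves are JSON arrays of allowed values, an event array matches when any element matches, and nested objects are matched recursively. The finding and envelope below are constructed from the page's JSON, trimmed to the fields the patterns touch; content filters (prefix, numeric, exists) are left out. One caveat worth knowing before copying the page's test event into a real rule: key names are matched case-sensitively, and a genuine "Security Hub Findings - Imported" event carries the array under `detail.findings` (lowercase), not `detail.Findings`.

```python
"""Offline check of an EventBridge event pattern against a candidate event.

Added example, not code from the post or from AWS. Implements only exact-value
matching with the semantics described in the lead-in.
"""


def matches(pattern: dict, event) -> bool:
    """Return True when `event` satisfies `pattern`.

    Simplification versus EventBridge: when a nested pattern is applied to an
    array of objects (e.g. detail.Findings), one element must satisfy the whole
    nested pattern; EventBridge evaluates each leaf path independently.
    """
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:  # a key the event lacks never matches
            return False
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):
            if not any(matches(expected, c) for c in candidates):
                return False
        elif isinstance(expected, list):
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a JSON array")
    return True


# Constructed sample: the finding from the question, trimmed to the fields used here.
FINDING = {
    "SchemaVersion": "2018-10-08",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
    "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.9",
    "AwsAccountId": "220311111111",
    "Severity": {"Product": 0, "Label": "INFORMATIONAL", "Normalized": 0},
    "Title": "EC2.9 EC2 instances should not have a public IPv4 address",
}

# What the question pasted into the test-event box: no EventBridge envelope at all.
BARE_FINDING = {"Findings": [FINDING]}

# The same finding wrapped in the envelope EventBridge delivers; header values are
# taken from the AWS-provided sample event quoted in the answer (resources trimmed).
FULL_EVENT = {
    "version": "0",
    "id": "8e5622f9-d81c-4d81-612a-9319e7ee2506",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "123456789012",
    "time": "2019-04-11T21:52:17Z",
    "region": "us-west-2",
    "resources": [],
    "detail": {"Findings": [FINDING]},
}

# The rule pattern the answer describes: just the source (plus the detail-type).
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# A narrower pattern that would forward only HIGH/CRITICAL findings to the target.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.securityhub"],
    "detail": {"Findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

# Same filter, but written against the lowercase key a real Security Hub event uses.
LOWERCASE_KEY_PATTERN = {
    "source": ["aws.securityhub"],
    "detail": {"findings": {"Severity": {"Label": ["INFORMATIONAL"]}}},
}


def check_all() -> dict:
    """Run the comparisons a practitioner would make in the console's test box."""
    return {
        "bare_json_vs_rule": matches(RULE_PATTERN, BARE_FINDING),  # False: no "source" key
        "full_event_vs_rule": matches(RULE_PATTERN, FULL_EVENT),  # True
        "full_event_vs_high": matches(HIGH_SEVERITY_PATTERN, FULL_EVENT),  # False: INFORMATIONAL
        "lowercase_key_vs_full": matches(LOWERCASE_KEY_PATTERN, FULL_EVENT),  # False: "findings" != "Findings"
    }


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name}: {result}")
```

The first result is the error from the question: the rule pattern names `source`, the pasted document has no `source`, so nothing matches. For the authoritative check against the real matcher, feed the same two files to `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, which returns `{"Result": true}` or `false` without creating a rule.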