AWS Security Hub Cloud Security Monitoring and Analytics
The Sumo Logic AWS Security Hub app is designed to extract key findings from the AWS Security Hub, which is designed to centrally view and manage security alerts and automate security checks. The additional level of analysis within these dashboards surfaces the most relevant findings and takes a focused approach to improve overall security posture. Finding types and severity levels act as leading indicators for security engineers to go into security incidents with the most relevant technical details to address active threats.
Collecting Findingsβ
To set up Collection, follow the instructions provided at Collect findings for the AWS Security Hub App.
Installing the AWS Security Hub Appβ
Now that you've set up ingested and collected findings for AWS Security Hub, you can install the Sumo Logic App for AWS Security Hub and use the preconfigured searches and Dashboards that provide insight into your data.
To install the app:
- From the Sumo Logic navigation, select App Catalog.
- In the Search Apps field, search for and then select your app.
- Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
note
If your app has multiple versions, you'll need to select the version of the service you're using before installation.
- On the next configuration page, under Select Data Source for your App, complete the following fields:
- Data Source. Select one of the following options:
- Choose Source Category and select a source category from the list; or
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
_sourceCategory=MyCategory.
- Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
- All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Data Source. Select one of the following options:
- Click Next.
- Look for the dialog confirming that your app was installed successfully.
Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.
Viewing AWS Security Hub Dashboardsβ
Each dashboard has a set of filters that you can apply to the entire dashboard. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that narrow search results across the entire dashboard.
AWS Security Hub - Security Monitoring - Overviewβ
See the overview of Security Hub findings broken down by severity. Filters are available to limit the dashboard panels to specific account IDs, finding IDs, finding types, normalized severity, and title.
Findings Summaryβ
All Security Findings. See the count of total findings of the last 24 hours by default or the dashboard time window setting.
Findings by Severity. Line chart showing the relative volumes of findings over the last 24 hours by default or the dashboard time window setting separated by severity.
Last 20 Findings. Provides a table detailing the 20 most recent findings.
Critical, High, Medium, Low Severity Findingsβ
All panels for Critical, High, Medium, and Low Severity findings are the same. The only difference is filtering based on the listed severity level.
Severity Findings. See the count of findings at this severity over the last 24 hours by default or the dashboard time window setting.
Severity Outliers. Review the trending volume of findings at this severity level over the last 24 hours by default or the dashboard time window setting. The gray thresholds show ranges within 3 standard deviations of the past 10 mean values. Pink triangles show values that exceed that threshold and are likely points of investigation considering the large change in volume of findings.
Last 20 Severity Findings. See the details of the last 20 findings at this severity level.
AWS Security Hub - Security Analytics - Complianceβ
See the overview of Security Hub findings broken down by compliance status. Filters are available to limit the dashboard panels to specific account IDs, finding IDs, finding types, normalized severity, title, and compliance status.
Findings Summaryβ
All Compliance Findings. See the count of total findings of the last 24 hours by default or the dashboard time window setting.
Compliance Breakdown. Line chart showing the relative volumes of findings over the last 24 hours by default or the dashboard time window setting separated by severity. One or more compliance statuses can be filtered by selecting the status from the legend at the bottom of the chart.
Last 20 Compliance Findings. Provides a table detailing the 20 most recent findings.
Failed, Warning, Not Available, Success, and Passed Findings.β
All panels for each section of findings are the same. The only difference is filtering based on the compliance status.
Compliance Findings. See the count of findings at this status over the last 24 hours by default or the dashboard time window setting.
Severity Outliers. Review the trending volume of findings at this severity level over the last 24 hours by default or the dashboard time window setting. The gray thresholds show ranges within 3 standard deviations of the past 10 mean values. Pink triangles show values that exceed that threshold and are likely points of investigation considering the large change in volume of findings.
Last 20 Severity Findings. See the details of the last 20 findings at this severity level.