{
  "name": "aws_securityhub",
  "title": "AWS Security Hub",
  "version": "0.3.0",
  "release": "beta",
  "source": {
    "license": "Elastic-2.0"
  },
  "description": "Collect logs from AWS Security Hub with Elastic Agent.",
  "type": "integration",
  "download": "/epr/aws_securityhub/aws_securityhub-0.3.0.zip",
  "path": "/package/aws_securityhub/0.3.0",
  "icons": [
    {
      "src": "/img/logo_securityhub.svg",
      "path": "/package/aws_securityhub/0.3.0/img/logo_securityhub.svg",
      "title": "AWS Security Hub logo",
      "size": "33x39",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^9.3.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "aws",
    "security",
    "cloudsecurity_cdr",
    "vulnerability_workflow"
  ],
  "signature_path": "/epr/aws_securityhub/aws_securityhub-0.3.0.zip.sig",
  "format_version": "3.5.0",
  "readme": "/package/aws_securityhub/0.3.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/aws_securityhub_findings_overview_dashboard.png",
      "path": "/package/aws_securityhub/0.3.0/img/aws_securityhub_findings_overview_dashboard.png",
      "title": "AWS Security Hub Findings Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/aws_securityhub/0.3.0/LICENSE.txt",
    "/package/aws_securityhub/0.3.0/changelog.yml",
    "/package/aws_securityhub/0.3.0/manifest.yml",
    "/package/aws_securityhub/0.3.0/validation.yml",
    "/package/aws_securityhub/0.3.0/docs/README.md",
    "/package/aws_securityhub/0.3.0/img/aws_securityhub_findings_overview_dashboard.png",
    "/package/aws_securityhub/0.3.0/img/logo_securityhub.svg",
    "/package/aws_securityhub/0.3.0/data_stream/finding/manifest.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/sample_event.json",
    "/package/aws_securityhub/0.3.0/kibana/dashboard/aws_securityhub-9379d123-3593-4bac-95b7-eeb559506e35.json",
    "/package/aws_securityhub/0.3.0/kibana/search/aws_securityhub-5e55e9cb-b673-4ffe-8b56-e80082beb85a.json",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/base-fields.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/beats.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/ecs.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/fields.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/is-transform-source-true.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/package.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/resource.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/result.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/rule.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/fields/vulnerability.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/manifest.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/manifest.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/transform.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/agent/stream/cel.yml.hbs",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/default.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_actor.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_attack.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_device.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_evidence.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_finding.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_malware.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_metadata.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_osint.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_resources.yml",
    "/package/aws_securityhub/0.3.0/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_vulnerabilities.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/result.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/rule.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/base-fields.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/beats.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/ecs-overridden.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/fields.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/is-transform-source-false.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/package.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/resource.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/result.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/rule.yml",
    "/package/aws_securityhub/0.3.0/elasticsearch/transform/latest_findings/fields/vulnerability.yml"
  ],
  "policy_templates": [
    {
      "name": "aws_securityhub",
      "title": "AWS Security Hub logs",
      "description": "Collect AWS Security Hub logs.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "access_key_id",
              "type": "password",
              "title": "Access Key ID",
              "description": "First part of access key. This parameter, together with the `Secret Access Key` parameter, is required if no `Shared Credential File` is provided.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "secret_access_key",
              "type": "password",
              "title": "Secret Access Key",
              "description": "Second part of access key. This parameter, together with the `Access Key ID` parameter, is required if no `Shared Credential File` is provided.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "session_token",
              "type": "password",
              "title": "Session Token",
              "description": "Required when using temporary security credentials.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "shared_credential_file",
              "type": "text",
              "title": "Shared Credential File",
              "description": "Directory of the shared credentials file. This parameter is required if no value is provided for the `Access Key ID` and `Secret Access Key` parameters.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "credential_profile_name",
              "type": "text",
              "title": "Credential Profile Name",
              "description": "Profile name in shared credentials file.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "role_arn",
              "type": "text",
              "title": "Role ARN",
              "description": "AWS IAM Role to assume.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "external_id",
              "type": "text",
              "title": "External ID",
              "description": "External ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "assume_role_duration",
              "type": "duration",
              "title": "Assume Role Duration",
              "description": "Specifies the duration of the credentials retrieved by the IAM assume-role. It is optional and can be used when `Role ARN` is configured.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "assume_role_expiry_window",
              "type": "duration",
              "title": "Assume Role Expiry Window",
              "description": "Specifies how long before the credentials retrieved by the IAM assume-role expire that a refresh is triggered. It is optional and can be used when `Role ARN` is configured.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect AWS Security Hub logs via API",
          "description": "Collecting AWS Security Hub logs via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "aws_securityhub.finding",
      "title": "Finding",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "aws_region",
              "type": "text",
              "title": "AWS Region",
              "description": "AWS Region.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "tld",
              "type": "text",
              "title": "Top Level Domain",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "amazonaws.com"
            },
            {
              "name": "initial_interval",
              "type": "duration",
              "title": "Initial Interval",
              "description": "How far back to pull findings from the AWS Security Hub API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "duration",
              "title": "Interval",
              "description": "Duration between requests to the AWS Security Hub API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the AWS Security Hub API. The maximum batch size supported for findings is 100.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "60s"
            },
            {
              "name": "resource_rate_limit_limit",
              "type": "text",
              "title": "Resource Rate Limit",
              "description": "The value of the response that specifies the maximum overall resource request rate. This controls the polling frequency.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_rate_limit_burst",
              "type": "integer",
              "title": "Resource Rate Limit Burst",
              "description": "The maximum burst size. Burst is the maximum number of resource requests that can be made above the overall rate limit.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file system for debugging configurations. Enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "aws_securityhub-finding"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve aws_securityhub.finding fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. They execute in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Finding",
          "description": "Collecting findings via API.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "aws_securityhub",
      "elasticsearch": {
        "index_template.settings": {
          "index": {
            "mapping": {
              "total_fields": {
                "limit": 2000
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "finding"
    }
  ]
}
