AWS Security Hub integration (QUX only)

This article explains how to set up the AWS Security Hub integration for Vectra deployments that use the Quadrant UX.

Introduction

AWS Security Hub is a service that provides a comprehensive view of high-priority security alerts and compliance status across all of your AWS accounts. These alerts may originate from other AWS services such as Amazon GuardDuty, Amazon Macie or Amazon Inspector, or from partner solutions such as Vectra NDR (formerly Detect for Network).

This document provides the steps necessary to enable this integration in your Vectra deployment that uses the Quadrant UX. AWS Security Hub integration is not available in the Respond UX. If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).

Security Hub Publishing Details

Schema for Vectra-generated Security Hub findings

This is also attached to the bottom of this article.

{
  "SchemaVersion": "Vectra release-based",
  "Id": "Vectra Brain identifier",
  "ProductArn": "AWS ARN including AWS account ID",
  "GeneratorId": "host",
  "AwsAccountId": "AWS account ID",
  "Types": [
    "Unusual Behaviors/Network Flow"
  ],
  "CreatedAt": "First host alert timestamp",
  "UpdatedAt": "Latest host alert timestamp",
  "Severity": {
    "Product": Normalized Score divided by 10,
    "Normalized": Normalized score for Vectra host based on Threat and Certainty
  },
  "Confidence": Certainty score of Vectra Host,
  "Criticality": Threat score of Vectra Host,
  "Title": "Vectra Cognito Detect: hostID - thresholds",
  "Description": "Cognito host alert for hostID",
  "SourceUrl": "URL to Vectra Host in the Cognito UI - hostname or vectra.brain",
  "ProductFields": {
    "aws/securityhub/FindingId": " Security Hub finding ID",
    "aws/securityhub/SeverityLabel": "Mapping",
    "aws/securityhub/ProductName": "Detect",
    "aws/securityhub/CompanyName": "Vectra"
  },
  "Resources": [
    {
      "Type": "AwsEc2Instance",
      "Id": "AWS Resource Name",
      "Details": {
        "Other": {
          "Hostname": "Vectra hostID"
        }
      }
    }
  ],
  "WorkflowState": "New",
  "RecordState": "Active"
}
  • The score, along with the other details shown above, is published in the AWS Security Finding Format (ASFF); a sample of the schema is above and is also attached to this article.

  • The Vectra Brain publishes Host scores to AWS Security Hub when a Host’s threat and certainty score exceed a customer-defined threshold.

    • The scoring for a Host is automatically updated when there are changes.

  • The Vectra Brain posts findings to the AWS Security Hub only for AWS Hosts.

    • On-premise Hosts that are monitored by your Vectra Brain do not have findings posted.

Severity Mapping

The severity that Vectra reports to Security Hub is derived as a function of Vectra's threat score and certainty score for the Host.

Vectra Threat Score | Vectra Certainty Score | AWS Security Hub Severity
--------------------|------------------------|--------------------------
0                   | 0                      | Informational
< 50                | < 50                   | Low
<= 50               | > 50                   | Medium
> 50                | <= 50                  | High
> 50                | > 50                   | Critical
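The following is an added example, not Vectra's code, showing how a Host score becomes an ASFF finding according to the schema and publishing rules above: the AWS-only rule (on-premises Hosts are never published), the customer-defined threat/certainty thresholds, the severity table, and the SourceUrl fallback to vectra.brain. Formats the article does not spell out (the exact Id prefix beyond "includes the Brain serial", the ProductArn and SourceUrl paths, the Title's thresholds wording) are assumptions and are marked as such; the Normalized score is taken as an input because the page says only that it derives from threat and certainty. The sample Host data is constructed.

```python
"""Added example (not Vectra's code): Vectra host score -> ASFF finding."""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Required top-level attributes of the AWS Security Finding Format.
ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
                 "Types", "CreatedAt", "UpdatedAt", "Severity", "Title",
                 "Description", "Resources")


def severity_label(threat: int, certainty: int) -> Optional[str]:
    """The severity table exactly as published, evaluated in row order.
    Returns None for pairs the table does not cover so gaps are visible."""
    if threat == 0 and certainty == 0:
        return "INFORMATIONAL"
    if threat < 50 and certainty < 50:
        return "LOW"
    if threat <= 50 and certainty > 50:
        return "MEDIUM"
    if threat > 50 and certainty <= 50:
        return "HIGH"
    if threat > 50 and certainty > 50:
        return "CRITICAL"
    return None


def unmapped_pairs() -> set:
    """Every (threat, certainty) pair in 0..99 the table leaves without a row."""
    return {(t, c) for t in range(100) for c in range(100)
            if severity_label(t, c) is None}


def _ts(dt: datetime) -> str:
    # ASFF timestamps are ISO 8601; normalise to UTC with millisecond precision.
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_finding(*, host_id: str, threat: int, certainty: int, normalized: int,
                  first_alert: datetime, latest_alert: datetime,
                  aws_account_id: str, region: str, brain_serial: str,
                  threat_threshold: int, certainty_threshold: int,
                  aws_instance_id: Optional[str] = None,
                  ui_hostname: Optional[str] = None,
                  schema_version: str = "2018-10-08") -> Optional[dict]:
    """Return the ASFF finding for one Host, or None when nothing is published."""
    if aws_instance_id is None:
        return None                      # on-premises Host: never published
    if not (threat > threat_threshold and certainty > certainty_threshold):
        return None                      # below the customer-defined thresholds
    label = severity_label(threat, certainty)
    if label is None:
        raise ValueError(f"no severity row for threat={threat}, certainty={certainty}")
    ui_host = ui_hostname or "vectra.brain"   # fallback named in the article
    # ASSUMED formats: Id prefix, ProductArn path, SourceUrl path, Title suffix.
    finding = {
        "SchemaVersion": schema_version,
        "Id": f"{brain_serial}-host-{host_id}",
        "ProductArn": f"arn:aws:securityhub:{region}:{aws_account_id}:product/vectra/detect",
        "GeneratorId": "host",
        "AwsAccountId": aws_account_id,
        "Types": ["Unusual Behaviors/Network Flow"],
        "CreatedAt": _ts(first_alert),
        "UpdatedAt": _ts(latest_alert),
        "Severity": {"Product": normalized / 10, "Normalized": normalized},
        "Confidence": certainty,
        "Criticality": threat,
        "Title": f"Vectra Cognito Detect: {host_id} - T{threat_threshold}/C{certainty_threshold}",
        "Description": f"Cognito host alert for {host_id}",
        "SourceUrl": f"https://{ui_host}/hosts/{host_id}",
        # aws/securityhub/FindingId is assigned by Security Hub on import, so it is omitted here.
        "ProductFields": {"aws/securityhub/SeverityLabel": label,
                          "aws/securityhub/ProductName": "Detect",
                          "aws/securityhub/CompanyName": "Vectra"},
        "Resources": [{"Type": "AwsEc2Instance", "Id": aws_instance_id,
                       "Details": {"Other": {"Hostname": host_id}}}],
        "WorkflowState": "New",
        "RecordState": "Active",
    }
    missing = [k for k in ASFF_REQUIRED if k not in finding]
    if missing:
        raise ValueError(f"finding is missing required ASFF fields: {missing}")
    return finding


def sample_finding(threat: int, certainty: int, aws_instance_id="i-0abc123def456789a",
                   ui_hostname=None) -> Optional[dict]:
    """Constructed sample input (not real data). max() stands in for the
    Normalized score because the page does not give Vectra's formula."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return build_finding(host_id="ip-10-0-1-23", threat=threat, certainty=certainty,
                         normalized=max(threat, certainty), first_alert=t0,
                         latest_alert=t0 + timedelta(hours=2),
                         aws_account_id="123456789012", region="us-east-1",
                         brain_serial="V1234567", threat_threshold=30,
                         certainty_threshold=30, aws_instance_id=aws_instance_id,
                         ui_hostname=ui_hostname)


if __name__ == "__main__":
    print(json.dumps(sample_finding(80, 70), indent=2))
    print("pairs with no severity row:", len(unmapped_pairs()))
```

Running it prints a CRITICAL finding for the sample Host, and reports the threat/certainty pairs the published table does not cover (every pair where one score is exactly 50 and the other does not exceed it). If your Brain reports a score of exactly 50, check in the console which label it actually received before tuning thresholds around that value.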

Prerequisites

AWS HostID Integration

Integration with Security Hub requires that AWS HostID integration is configured on your Brain appliance. HostID integration requires IAM to be configured in AWS so that the Brain can retrieve Host information; a separate IAM configuration is required to publish findings to Security Hub. If you are using a Vectra Brain deployed in AWS, you may already have completed the HostID integration using the instructions in the following guides:

Customers can also monitor AWS Hosts with an on-premises Brain. If you are using an on-premises physical or virtual Brain appliance, follow the steps in AWS HostID Integration to enable HostID integration before continuing with the Security Hub integration configuration.

AWS IAM Users, Roles, and Policies allow Vectra to make requests against the AWS management API on your behalf. Vectra supplies CloudFormation templates to allow easy creation of these users, or you can create them yourself and apply your own policy to them.

Security Hub IAM User

For Security Hub integration the user that should be created is called: VectraCognitoSecurityHubv1.

To create this user automatically, import the Vectra SecurityHubTemplate.yml CloudFormation template into CloudFormation; the user is created with a restrictive policy applied. The access key can then be created in IAM/User/Security and must be added in the Vectra UI.

IAM users can also be created manually, using the template as a reference for the required permissions.

Create the following IAM user to allow the Brain to publish Host scores to Security Hub as Findings.
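If you create the user by hand rather than from the template, the check worth running is whether the policy you attach grants more than publishing needs. The following is an added example, not Vectra's template or code: an audit of an IAM policy document against an allow-list of actions. The allow-list (only securityhub:BatchImportFindings, the API partner products use to send ASFF findings) is an assumption about what the restrictive policy in SecurityHubTemplate.yml contains; compare it against the real template before relying on it. Both policy documents and the CloudFormation fragment are constructed for the example.

```python
"""Added example (not Vectra's code): least-privilege audit for the
Security Hub publishing user's IAM policy."""
import json

# ASSUMPTION: publishing findings needs only BatchImportFindings.
EXPECTED_ACTIONS = {"securityhub:BatchImportFindings"}


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, expected_actions=EXPECTED_ACTIONS) -> list:
    """Return human-readable problems; an empty list means the policy is tight."""
    problems = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            problems.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action!r}")
            elif action not in expected_actions:
                problems.append(f"statement {i}: unexpected action {action!r}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                problems.append(f"statement {i}: resource '*'; check whether it can be "
                                "narrowed to the Vectra product ARN")
    return problems


def extract_policy_documents(template: dict) -> list:
    """Pull inline PolicyDocuments from every AWS::IAM::User in a CloudFormation
    template that has already been loaded into a dict (e.g. with yaml.safe_load)."""
    docs = []
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::IAM::User":
            continue
        for pol in res.get("Properties", {}).get("Policies", []):
            docs.append(pol["PolicyDocument"])
    return docs


# Constructed sample policies (not Vectra's).
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["securityhub:*", "ec2:DescribeInstances"],
                   "Resource": "*"}],
}
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "securityhub:BatchImportFindings",
                   "Resource": "arn:aws:securityhub:us-east-1:123456789012:product/vectra/detect"}],
}
# Constructed CloudFormation fragment in the shape an AWS::IAM::User resource takes.
SAMPLE_TEMPLATE = {
    "Resources": {
        "VectraCognitoSecurityHubv1": {
            "Type": "AWS::IAM::User",
            "Properties": {"UserName": "VectraCognitoSecurityHubv1",
                           "Policies": [{"PolicyName": "PublishFindings",
                                         "PolicyDocument": TIGHT_POLICY}]},
        }
    }
}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, json.dumps(audit_policy(pol), indent=2))
    for doc in extract_policy_documents(SAMPLE_TEMPLATE):
        print("template policy:", audit_policy(doc) or "OK")
```

To run it against the real template, load SecurityHubTemplate.yml with a YAML parser, pass the resulting dict to extract_policy_documents, and adjust EXPECTED_ACTIONS to whatever the template actually grants; the script then tells you whether a hand-written replacement policy drifts from it.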

Configuration

  • Browse to the Identity and Access Management service.

  • Generate an access key ID and secret access key for the VectraCognitoSecurityHubv1 user created as part of the prerequisites.

  • Navigate on the Vectra UI to Configuration → RESPONSE → Notifications > AWS Security Hub.

  • Click Edit.

  • Enter the credentials and select the threat and certainty thresholds above which Host score Findings should be sent to Security Hub.

  • Click Save.

Example Finding

Locating Findings in AWS

Findings in AWS can be located using the Finding ID. Host alerts are sent with an Id prefix that includes the serial number of the Vectra Brain; this field is searchable as Id in the AWS console. Additionally, the finding contains a SourceUrl that includes the hostname configured in Configuration → COVERAGE → Data Sources → Network → Brain Setup → Brain. If no hostname is configured for notifications, SourceUrl uses vectra.brain.

Attachments

SecurityHubTemplate.yml

  • AWS CloudFormation Template used for integration with AWS Security Hub

  • This file can also be downloaded from your Brain after deployment at the following location:

    • https://<brain_hostname_or_IP>/resources/SecurityHubTemplate.yaml/serve_file

Vectra AWS Security Hub Schema.json

  • The schema that Vectra uses for publishing to AWS Security Hub is also attached to this article.
