AWS Security Hub integration (QUX only)

Set up AWS Security Hub integration for Vectra QUX deployments.

Introduction

AWS Security Hub is a service that provides a comprehensive view of high-priority security alerts and compliance status across all AWS accounts. These alerts may be originated by other AWS services like Amazon GuardDuty, Amazon Macie or Amazon Inspector, or by partner solutions like Vectra NDR (formerly Detect for Network).

This document provides the steps necessary to enable this integration in your Vectra deployment that uses the Quadrant UX. AWS Security Hub integration is not available in the Respond UX. If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).

Security Hub Publishing Details

Schema for Vectra-generated Security Hub findings

This is also attached to the bottom of this article.

{
  "SchemaVersion": "Vectra release-based",
  "Id": "Vectra Brain identifier",
  "ProductArn": "AWS ARN including AWS account ID",
  "GeneratorId": "host",
  "AwsAccountId": "AWS account ID",
  "Types": [
    "Unusual Behaviors/Network Flow"
  ],
  "CreatedAt": "First host alert timestamp",
  "UpdatedAt": "Latest host alert timestamp",
  "Severity": {
    "Product": Normalized Score divided by 10,
    "Normalized": Normalized score for Vectra host based on Threat and Certainty
  },
  "Confidence": Certainty score of Vectra Host
  "Criticality": Threat score of Vectra Host,
  "Title": "Vectra Cognito Detect: hostID - thresholds",
  "Description": "Cognito host alert for hostID",
  "SourceUrl": "URL to Vectra Host in the Cognito UI �" hostname or vectra.brain",
  "ProductFields": {
    "aws/securityhub/FindingId": " Security Hub finding ID",
    "aws/securityhub/SeverityLabel": "Mapping",
    "aws/securityhub/ProductName": "Detect",
    "aws/securityhub/CompanyName": "Vectra"
  },
  "Resources": [
    {
      "Type": "AwsEc2Instance",
      "Id": "AWS Resource Name",
      "Details": {
        "Other": {
          "Hostname": "Vectra hostID"
        }
      }
    }
  ],
  "WorkflowState": "New",
  "RecordState": "Active"
}

The score, along with other details are published in the AWS Security Finding Format (ASFF), a sample of which is above and attached to this article.
The Vectra Brain publishes Host scores to AWS Security Hub when a Host’s threat and certainty score exceed a customer-defined threshold.
- The scoring for a Host is automatically updated when there are changes.
The Vectra Brain posts findings to the AWS Security Hub only for AWS Hosts.
- On-premise Hosts that are monitored by your Vectra Brain do not have findings posted.

Severity Mapping

The severity mapping that Vectra reports to Security Hub is derived as a function of Vectra’s threat score and certainty score for the Host.

Vectra Threat Score

Vectra Certainty Score

AWS Security Hub Severity

Informational

< 50

Low

<= 50

> 50

Medium

> 50

<= 50

High

> 50

Critical

Prerequisites

AWS HostID Integration

Integration with Security Hub requires that AWS HostID integration is configured in your Brain appliance. This requires that IAM is configured in AWS to enable retrieval of Host information. IAM configuration is also required to publish findings to Security Hub. If you are using a Vectra Brain deployed in AWS, you may have already done the HostID integration with instructions in the following guides:

Customers can also monitor AWS Hosts with an on-premise Brain. If you are using an on-premise physical or virtual Brain appliance, please follow the steps in AWS HostID Integration to enable HostID integration before continuing on with Security Hub integration configuration.

AWS IAM Users, Roles, and Policies allow Vectra to make requests against the AWS management API on your behalf. Vectra supplies CloudFormation templates to allow easy creation of these users, or you can create them yourself and apply your own policy to them.

Firewall Requirements

For AWS Security Hub integration only, the Vectra Brain needs outbound HTTPS/TCP 443 to these AWS API endpoints:

Purpose

AWS endpoints to allow

Caller identity / account validation

sts.<region>.amazonaws.com

IAM permission simulation

iam.amazonaws.com

Security Hub findings import / update / read

securityhub.<region>.amazonaws.com

Summary:

Allow outbound TCP/443 from Vectra Brain to AWS STS, IAM, and Security Hub API endpoints for the AWS regions being monitored.

The Security Hub template references these AWS actions: sts:GetCallerIdentity, iam:SimulatePrincipalPolicy, and Security Hub BatchImportFindings, BatchUpdateFindings, and GetFindings.

Security Hub IAM User

For Security Hub integration the user that should be created is called: VectraCognitoSecurityHubv1.

To automatically create this user, import the Vectra SecurityHubTemplate.yml CloudFormation template into CloudFormation and it will be created with a restrictive policy applied. The Access key can be created in IAM/User/Security. The access key will need to be added to the Vectra UI.

IAM users can also be manually added using the template as a source to understand the required permissions.

Create the following IAM user to allow the Brain to publish Host scores to Security Hub as Findings.

AWSTemplateFormatVersion: '2010-09-09'
Description: Vectra Security Hub User version 1.2
Resources:
  user:
    Properties:
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - securityhub:BatchImportFindings
                  - securityhub:GetFindings
                  - securityhub:UpdateFindings
                Effect: Allow
                Resource:
                  - '*'
                Sid: CreateDeleteAndRetrieveSecurityHubFindings
              - Action:
                  - sts:GetCallerIdentity
                  - iam:SimulatePrincipalPolicy
                  - securityhub:DescribeProducts
                  - securityhub:ListEnabledProductsForImport
                Effect: Allow
                Resource:
                  - '*'
                Sid: GetCallerIdentity
              - Action:
                  - securityhub:EnableImportFindingsForProduct
                  - securityhub:DisableImportFindingsForProduct
                Effect: Allow
                Resource:
                  - !Join
                    - ''
                    - - 'arn:'
                      - !Ref 'AWS::Partition'
                      - ':securityhub:*:'
                      - !Ref 'AWS::AccountId'
                      - :hub/default
                Sid: EnableVectraProduct
            Version: '2012-10-17'
          PolicyName: vectra_security_hub_permissions
      UserName: VectraCognitoSecurityHubv1
    Type: AWS::IAM::User

Configuration

Browse to the Identity and Access Management service.
Generate access key ID and secret access key for the VectraCognitoCloudwatchLogsv1 user created as part of the pre-requisite.
- This is done similarly to how the keys for AWS HostID integration were created.
Navigate on the Vectra UI to Configuration → RESPONSE → Notifications > AWS Security Hub.
Click Edit.

Enter the credentials and select the thresholds for which host score Findings should be sent to Security Hub.
Click Save.

Example Finding

Locating Findings in AWS

Findings on AWS can be located using the Finding ID. Host alerts are sent using a prefix that includes the serial number of the Vectra Brain. This field is searchable as Id within the AWS console. Additionally, the finding will contain a SourceURL that includes the hostname, as configured in Configuration → COVERAGE → Data Sources → Network → Brain Setup > Brain. If no hostname is configured for notifications, SourceURL will use vectra.brain.

Attachments

SecurityHubTemplate.yml

AWS CloudFormation Template used for integration with AWS Security Hub
This file can also be downloaded from your Brain after deployment at the following location:
- https://<brain_hostname_or_IP>/resources/SecurityHubTemplate.yaml/serve_file

1KB

SecurityHubTemplate.yml

Open

Vectra AWS Security Hub Schema.json

The schema that Vectra uses for publishing to AWS Security Hub is also attached to this article.

1KB

Vectra AWS Security Hub Schema.json

Open

Support portal: https://support.vectra.ai
Email: support@vectra.ai (preferred contact method)
Additional information: https://www.vectra.ai/support

PreviousAWS vSensor FAQs NextAWS best practices

Last updated 9 days ago

Was this helpful?