In this article, we display you how exactly to configure AWS Chatbot to send findings from AWS Security Hub to Slack. Security Hub offers you a extensive view of one’s security high-priority alerts and security posture across your Amazon Web Services (AWS) accounts. AWS Chatbot can be an interactive agent that means it is an easy task to monitor and connect to your AWS sources in your Slack stations and Amazon Chime boards. This may enable your security groups to get alerts in acquainted Slack stations, facilitating collaboration and fast response to events.

We shall end up being describing the preset formatting integration with AWS Chatbot, if you need to enrich the locating data it is possible to follow the guide inside How make it possible for Custom Actions in AWS Security Hub. The methods listed in this article are perfect in order to utilize the preset formatting of AWS Chatbot. The next path is really a customized integration, that is useful if you want the finding data to be enriched or even transformed.

With AWS Chatbot it is possible to receive alerts and work commands to come back diagnostic information, invoke AWS Lambda functions, and create AWS assistance cases which means that your team can collaborate and react to events faster.

This post is really a follow to a previous post up, How make it possible for Custom Actions in AWS Security Hub, where custom actions inside Security Hub enabled notifications to be delivered to Slack. In this article, we simplify the workflow through the use of an AWS CloudFormation template to generate the info flow in Figure 1 below. This configures the custom made action in Protection Hub, an Amazon EventBridge guideline, and an Amazon Simple Notification Services (Amazon SNS) subject to tie all of them together.

Figure 1: Information movement showing a Slack channel and Amazon Chime as choices for AWS Chatbot integration

Configure AWS Safety and Chatbot Hub

To begin with you’ll need the next prerequisites:

We will stroll through configuring AWS Chatbot and Security Hub right now. You’ll want an AWS Account with Security and GuardDuty Hub enabled in addition to a Slack account. Keep a digital scratch pad handy to observe your Slack Workspace ID and Slack Channel ID make reference to as you configure the integration.

Security Hub works with two forms of integration with EventBridge, both which are usually supported by AWS Chatbot:

• Regular Amazon CloudWatch events. Protection Hub sends all results to EventBridge automatically. Use this solution to send all Safety Hub findings automatically, or perhaps a filtered subset of results, to an Amazon SNS subject to which AWS Chatbot subscribes.
• Protection Hub custom activities. Define custom activities in Safety Hub and configure CloudWatch activities rules to react to those actions. The function rule utilizes its Amazon SNS topic focus on to forwards notifications to the SNS topic AWS Chatbot will be subscribed to.

We will focus on Protection Hub custom activities. You will possibly not want all Security Hub results come in Slack initially, so we’re likely to develop a Security Hub custom made action to send just relevant results to Slack. This workflow gives your security team the opportunity to provide notifications to Slack channels through AWS Chatbot manually. At the ultimate end of the post, An EventBridge is shared by me Principle for those users who would like all Security Hub findings inside a Slack channel. I provide some filter illustrations which will help you decide on the findings you obtain in Slack.

Configure the Slack client

To permit AWS Chatbot to send notifications to your Slack channel, you need to configure AWS Chatbot to utilize Slack. Proprietors of Slack workspaces can approve the usage of the AWS Chatbot and any workspace consumer can configure the workspace to get notifications.

1. Log directly into your AWS system and demand AWS Chatbot console.
2. Select Slack from the dropdown menu and Configure client.
   Body 2: Configure a chat client
3. If you aren’t logged directly into Slack yet, add your workspace title and get on Slack.

   

   Shape 3: Slack workspace login

4. On the next display screen where AWS Chatbot is requesting permission to your Slack workspace, choose Allow.
5. Copy and conserve the Workspace ID. You shall require it for the CloudFormation Template.
   Figure 4: Gaming console with workplace ID
6. You is now able to leave the AWS Chatbot console and get on your Slack workspace where we are able to obtain the channel ID.
   1. If there is no need a Slack channel in your company for findings, or you intend to try this integration before deploying it to production, please follow the steps from Slack for developing a channel.
   2. If the Slack has been utilized by you desktop client, right-click on on the Slack channel title and select Duplicate Link.

      

      Body 5: Copy hyperlink from the desktop customer

   3. If the Slack has been utilized by you web UI, right select your Slack channel title, select Additional choices, and choose Copy link then.
      Figure 6: Duplicate link from the net UI
7. The last area of the resulting URL can be your channel ID. For instance, in the URL https://xxxxxxx.slack.com/archives/CSQRRLTHRT, CSQRRLTHRT may be the channel ID. Jot down your channel ID in order to later use.

Tie everything together

The CloudFormation template will create the next:

• A Safety Hub custom action called SendToSlack
• An Amazon SNS subject named AWS Chatbot SNS Subject
• An EventBridge principle to tie everything jointly

1. Open up the SecurityHub_to_AWSChatBot.yml CloudFormation template.
2. Right-click and make use of Save As to save lots of the template to your workstation.
   

   Note: The CloudFormation template will probably require your Slack workspace ID and channel ID from the prior step.

3. Open up the CloudFormation console.
4. Select Create stack.
   Figure 7: Develop a CloudFormation stack
   1. Select Upload a template document
      Amount 8: Upload CloudFormation template file
   2. Select Choose file and demand preserved CloudFormation template from step two 2.
   3. Select Next.
   4. Enter a stack title, such as for example “SecurityHubToAWSChatBot.”
   5. Enter your own Slack channel ID and Slack workSpace ID (take care not to transpose these IDs).
   6. Continue by deciding on Next.
   7. On the Configure stack choices display you can include tags if needed by your organization. All of those other default options shall function, click Next.
   8. Review stack information on the Evaluation display screen and scroll to underneath.
   9. You must click on the “We acknowledge that AWS CloudFormation might generate IAM assets.” Check container before clicking Create Stack.
      Figure 9: IAM features acknowledgment
5. After the CloudFormation template has finished you will notice &lsquo successfully;Create Complete’ in the CloudFormation gaming console.

To test the construction perform the next steps:

1. Open up the AWS Security Hub console, decide on a finding and pick the Actions drop down. Select Send_To_Slack — the custom action that you created.

   

   Determine 10: Security Hub custom action drop lower

2. Move to your Slack channel and workspace to verify receipt of the notification.
   Figure 11: Illustration Security Hub notification inside Slack

Reward: Send all critical results to Slack

You can also utilize this workflow to send all critical Security Hub findings to Slack.

To get this done, configure yet another CloudWatch rule which you can use with the custom activity that we’ve deployed. For instance, your security group requires that the critical severity results go to your group’s Slack channel, but with the opportunity to manually send some other interesting or relevant results to Slack also.

1. Move to the EventBridge system.
2. Underneath Events, select Rules.
3. Select Create Rule.
4. Give the Guideline a title ex: “All_SecurityHub_Results_to_Slack.”
5. In the Define Pattern area, select Event design and Custom made pattern.
   Figure 12: EventBridge occasion pattern dialogue
6. Paste the next code in to the Event design field and choose Save.
   

   Note: It is possible to edit this filtration system to suit your needs.

   
   
     "detail-type": ["Security Hub Results - Imported"],
     "source": ["aws.securityhub"],
     "detail": 
       "findings": 
         "ProductFields": 
           "aws/securityhub/SeverityLabel": [
             "CRITICAL"
           ]
         
       
     
   
   

7. Leave the function bus since “AWS default event bus.”
8. Under Select Targets, select SNS Subject from the fall down.
9. Choose the Topic with “SNSTopicAWSChatBot” in the true name.
10. Configure any required tags.
11. Select Create.

When Protection Hub creates findings, it’ll send any kind of findings with a severity label of Critical to your Slack channel.

Note: According to the level of critical findings inside your Security Hub gaming console, the signal to noise ratio may be much in Slack so that you can provide actionable results too. You should think about automating the reaction and remediation of essential findings following best exercise guidance in the Safety Hub console.

Summary

In this article we showed how exactly to send results from Protection Hub to Slack using AWS Chatbot. This assists your group collaborate, and respond quicker to operational events. Furthermore, AWS Chatbot enables a good way to connect to your AWS resources. Running AWS CLI commands from Slack channels carries a set of the commands it is possible to run.

For those who have feedback concerning this post, submit remarks in the Comments section below.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.