AWS Security Hub

Overview

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices.

This integration enables you to see all your AWS Security Hub logs in Datadog.

Note: You can also send your Datadog security signals to Security Hub for orchestration of additional events in your AWS environment. Follow the instructions on the securityhub-eventbridge-example repository to set this up.

Setup

Datadog uses Amazon EventBridge to forward Security Hub events as logs to Datadog. Datadog supports both Security Hub CSPM and Security Hub.

Datadog recommends creating two rules, one for each product. Avoid forwarding All events, because this can lead to receiving duplicate events and can result in mixed event formats: Security Hub CSPM events are in AWS Security Finding Format while Security Hub events are in Open Cybersecurity Schema Framework format.

  1. Go to Amazon EventBridge.
  2. In the Create a new rule pane, click Create rule.
  3. In the Name and description pane, type a name for your rule in the Name field and if you want, type a description for your rule in the Description field.
  4. In the Define pattern pane, select Event pattern, and then select Pre-defined pattern by service to build an event pattern.
  5. From the Service provider list, select AWS.
  6. From the Service name list, select SecurityHub.
  7. From the Event type list, select:
  • Security Hub Findings - Imported for Security Hub CSPM
  • Findings Imported V2 for Security Hub
  8. In the Select event bus pane, select AWS default event bus.
  9. In the Select targets pane, from the Target list, select Lambda function.
  10. Select the Datadog forwarder to send logs to Datadog.
  11. Click Create.
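The console steps above build one EventBridge rule per product. The following added example (not Datadog's own code or the Datadog forwarder) shows the same two rules as event patterns, checks which rule a sample finding event would match, and builds the boto3 put_rule/put_targets calls that would create them. It assumes that the EventBridge detail-type strings equal the Event type labels shown in the console, uses placeholder rule names and a placeholder forwarder ARN, and the three sample events are constructed for illustration. A third event with another Security Hub detail-type is included to show why "All events" would forward more than the two finding types.

```python
"""Two EventBridge rules for Security Hub CSPM (ASFF) and Security Hub (OCSF) findings."""
import json

SECURITY_HUB_SOURCE = "aws.securityhub"

# Assumption: the detail-type values equal the Event type labels in the console.
CSPM_PATTERN = {
    "source": [SECURITY_HUB_SOURCE],
    "detail-type": ["Security Hub Findings - Imported"],
}
SECURITY_HUB_PATTERN = {
    "source": [SECURITY_HUB_SOURCE],
    "detail-type": ["Findings Imported V2"],
}

# Rule names are placeholders chosen for this example; the finding format
# (ASFF vs OCSF) is the one each product emits.
RULES = [
    ("datadog-securityhub-cspm", CSPM_PATTERN, "ASFF"),
    ("datadog-securityhub", SECURITY_HUB_PATTERN, "OCSF"),
]

# Constructed sample events (shapes simplified; only the routing keys matter here).
CSPM_EVENT = {
    "version": "0", "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{"SchemaVersion": "2018-10-08", "Title": "constructed"}]},
}
V2_EVENT = {
    "version": "0", "source": "aws.securityhub",
    "detail-type": "Findings Imported V2",
    "detail": {"title": "constructed"},
}
OTHER_EVENT = {
    "version": "0", "source": "aws.securityhub",
    "detail-type": "Security Hub Insight Results",
    "detail": {},
}


def matches(pattern, event):
    """Minimal EventBridge matcher: every pattern key must be present in the event
    and its value must be one of the listed exact-match values (no prefix,
    anything-but or numeric filters)."""
    for key, allowed in pattern.items():
        if event.get(key) not in allowed:
            return False
    return True


def route(event):
    """Return (rule name, finding format) for the rule that fires, or None."""
    for name, pattern, fmt in RULES:
        if matches(pattern, event):
            return name, fmt
    return None


def rule_requests(forwarder_arn, event_bus="default"):
    """Build the put_rule / put_targets keyword arguments for both rules."""
    requests = []
    for name, pattern, _ in RULES:
        requests.append({
            "put_rule": {
                "Name": name, "EventBusName": event_bus,
                "EventPattern": json.dumps(pattern), "State": "ENABLED",
            },
            "put_targets": {
                "Rule": name, "EventBusName": event_bus,
                "Targets": [{"Id": "datadog-forwarder", "Arn": forwarder_arn}],
            },
        })
    return requests


def apply_rules(events_client, forwarder_arn):
    """Create both rules with a boto3 EventBridge client (boto3.client('events'))."""
    for req in rule_requests(forwarder_arn):
        events_client.put_rule(**req["put_rule"])
        events_client.put_targets(**req["put_targets"])


if __name__ == "__main__":
    for label, ev in (("CSPM", CSPM_EVENT), ("V2", V2_EVENT), ("other", OTHER_EVENT)):
        print(label, "->", route(ev))
    # Placeholder ARN; replace with the ARN of your Datadog forwarder Lambda.
    placeholder_arn = "arn:aws:lambda:REGION:ACCOUNT_ID:function:datadog-forwarder"
    print(json.dumps(rule_requests(placeholder_arn), indent=2))
```

Running the module prints which rule each sample event lands in and the exact put_rule/put_targets arguments; the "other" event matches neither rule, which is the duplicate-and-mixed-format traffic the two-rule setup avoids. To actually create the rules, pass a real boto3 EventBridge client to apply_rules.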

Troubleshooting

Need help? Contact Datadog support.