Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Amazon Security Hub is a bidirectional integration. Setting it up involves the following Adding it to Jira Service Management and configuring it to send alert updates back to Amazon Security Hub (when some actions are performed on the alerts created in Jira Service Management) involves a sequence of steps:

  • Add an Amazon Security Hub integration in Jira Service Management

  • Configure the integration in Amazon Security Hub

  • Configure the integration in Amazon SNS

  • Configure the integration in Amazon CloudWatch Events

  • Configure the integration Create subscriptions to send SNS messages to Jira Service Management

  • Create an Amazon CloudWatch Event rule

  • Select an SNS topic for the target in Amazon EventBridge Events

  • Send updates back to Amazon Security Hub

...

Info

If you're using the Free or Standard plan in Jira Service Management, you can only add this integration from your team’s operations page. To access the feature through Settings (gear icon) > Products (under JIRA SETTINGS) > OPERATIONS, you need to be on Premium or Enterprise plan.

Adding an integration from your team’s operations page makes your team the owner of the integration. This means Jira Service Management assigns the alerts received through this integration to your team only.

To add an integration:

  1. Go to your team’s operations page.

  2. On the left navigation panel, select Integrations and then Add integration.

Complete the rest of the steps in the procedureManagement assigns the alerts received through this integration to your team only.

To add an Amazon Security Hub integration in Jira Service Management:

...

  1. Create a custom Security Hub action.

  2. Create a rule in CloudWatch Events for Security Hub findings and an SNS topic for CloudWatch Event target by using the CloudFormation template.

  3. Paste the URL you copied while adding the integration in Jira Service Management into SNSSubEndpoint in the CloudFormation template.

  4. Copy-paste the following (after entering the custom Security Hub action ARN you created in Step 1) into EventPatternParameter in the CloudFormation template.

    Code Block
    {
      "source": [
        "aws.securityhub"
      ],
      "detail-type": [
        "Security Hub Findings - Custom Action"
      ],
      "resources": [
        "< CUSTOM ACTION ARN YOU CREATED IN SECURITY HUB >"
      ]
    }
  5. If the configuration is successful, a confirmation alert is created in Jira Service Management.

  6. Select Send alert updates back to Amazon Security Hub to enable turn on the outgoing functionality.

  7. Allow Jira Service Management to access the Security Hub resources through an IAM Role.
    Use CloudFormation template to create an IAM role.

  8. Copy-paste the IAM Role ARN into AmazonSecurityHub Role ARN.

  9. Select the AWS region where you’ve set up the Security Hub.

...

Create subscriptions to send SNS messages to Jira Service Management

Selecting an SNS topic for the target lets you publish the related event message for findings to SNS.

  1. Go to AWS SNS, select Topics > Create topic.

  2. When on the Subscription tab, select Create subscription.
    This is how you’ll send SNS messages to Jira Service Management.

  3. In the Protocol field, select HTTPS as an endpoint type.

  4. In the Endpoint field, enter the API endpoint URL you copied while adding the integration in Jira Service Management.

...

  1. Service Management.

Create an Amazon CloudWatch Event rule

Create an Amazon CloudWatch Event rule so Amazon Security Hub can send findings matching the rule to CloudWatch.

  1. In your Amazon CloudWatch account, select Events > Rules.

  2. Then select Select Create rule.

  3. In the Event Source section, select the Event Pattern option.

  4. Then selectSelect Build event pattern to match all events from the dropdown menu.

  5. Select Edit in the Event Pattern Preview and copy-paste the script given in this section.

  6. In the Targets section, select the SNS topic from the dropdown menu, then select the topic you’ve you created before.

  7. Select Configure details and enter a name, description, and other information.

  8. When done, select Select Create rule.

Event pattern preview script

Enter Copy the script below in following script and paste it into the Event pattern preview section of the Event Source.JSON

Expand
titleEvent pattern preview script (in JSON format)
Code Block
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [
    <custom action arn you created in security hub>
  ]
}

...

Select an SNS topic for the target in Amazon EventBridge Events

Selecting an SNS topic for the target lets you publish the related event message for findings to SNS which will send this message to Jira Service Management at the end.

  1. Go to Amazon EventBridge and select Rules.

  2. Select Create rule.

  3. In Step 1, enter a Name and Description for this rule.

  4. Select Rule with an event patternspattern as Rue Rule type and select Next.

  5. In Step 2, select AWS events and EventBrigde partner events as the Event source.

  6. Select AWS services as Event source.

  7. Select Security Hub as AWS Service.

  8. In the Event Type section, select the custom action you created in the security hub.

  9. Select Next.

  10. In Step 3, select SNS topic from the dropdown menu in Target types, then select the topic you created before earlier in the Topic field.

  11. Select Next.

  12. In Step 5, review and create the rule.

...

Sample payload from Amazon Security Hub

Expand
titleSample payload (in JSON format)
Code Block
{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": "{\"version\":\"0\",\"id\":\"3ee38987-e0ce--91a1\",\"detail-type\":\"EC2 Instance State-change Notification\",\"source\":\"aws.ec2\",\"account\":\"abc\",\"time\":\"2017-09-11T10:49:41Z\",\"region\":\"us-west-2\",\"resources\":[\"arn:aws:ec2:us-west-2:asdf:instance/i-abc\"],\"detail\":{\"actionName\":\"custom-action-name\",\"actionDescription\":\"description of the action\",\"findings\":[{\"AwsAccountId\": \"abc\",\"Compliance\": {\"Status\": \"PASSED\"},\"Confidence\": 42,\"CreatedAt\": \"2017-03-22T13:22:13.933Z\",\"Criticality\": 99,\"Description\": \"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FirstObservedAt\": \"2017-03-22T13:22:13.933Z\",\"GeneratorId\": \"acme-vuln-9ab348\",\"Id\": \"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\": \"2017-03-23T13:22:13.933Z\",\"Malware\": [{\"Name\": \"Stringler\",\"Type\": \"COIN_MINER\",\"Path\": \"/usr/sbin/stringler\",\"State\": \"OBSERVED\"}],\"Network\": {\"Direction\": \"IN\",\"Protocol\": \"TCP\",\"SourceIpV4\": \"1.2.3.4\",\"SourceIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"SourcePort\": \"42\",\"SourceDomain\": \"here.com\",\"SourceMac\": \"00:0d:83:b1:c0:8e\",\"DestinationIpV4\": \"2.3.4.5\",\"DestinationIpV6\": \"FE80:CD00:0000:0CDE:1257:0000:211E:729C\",\"DestinationPort\": \"80\",\"DestinationDomain\": \"there.com\"},\"Note\": {\"Text\": \"Don't forget to check under the mat.\",\"UpdatedBy\": \"jsmith\",\"UpdatedAt\": \"2018-08-31T00:15:09Z\"},\"Process\": {\"Name\": \"syslogd\",\"Path\": \"/usr/sbin/syslogd\",\"Pid\": 12345,\"ParentPid\": 56789,\"LaunchedAt\": \"2018-09-27T22:37:31Z\",\"TerminatedAt\": \"2018-09-27T23:37:31Z\"},\"ProductArn\": \"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\": {\"generico/secure-pro/Count\": \"6\",\"Service_Name\": \"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\": \"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\": \"My prod env\",\"aws/inspector/RulesPackageName\": \"Common Vulnerabilities and Exposures\"},\"RecordState\": \"ACTIVE\",\"RelatedFindings\": [{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"123e4567-e89b-12d3-a456-426655440000\" },{ \"ProductArn\": \"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\": \"AcmeNerfHerder--x189dx7824\" }],\"Remediation\": {\"Recommendation\": {\"Text\": \"Run sudo yum update and cross your fingers and toes.\",\"Url\": \"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\": [{\"Type\": \"AwsEc2Instance\",\"Id\": \"i-cafebabe\",\"Partition\": \"aws\",\"Region\": \"us-west-2\",\"Tags\": {\"billingCode\": \"Lotus-1-2-3\",\"needsPatching\": \"true\"},\"Details\": {\"AwsEc2Instance\": {\"Type\": \"i3.xlarge\",\"ImageId\": \"ami-abcd1234\",\"IpV4Addresses\": [ \"54.194.252.215\", \"192.168.1.88\" ],\"IpV6Addresses\": [ \"2001:db8:1234:1a2b::123\" ],\"KeyName\": \"my_keypair\",\"IamInstanceProfileArn\": \"arn:aws:iam:::instance-profile/AdminRole\",\"VpcId\": \"vpc-11112222\",\"SubnetId\": \"subnet-56f5f633\",\"LaunchedAt\": \"2018-05-08T16:46:19.000Z\"}}}],\"SchemaVersion\": \"2018-10-08\",\"Severity\": {\"Product\": 8.3,\"Normalized\": 25},\"SourceUrl\": \"string\",\"ThreatIntelIndicators\": [{\"Type\": \"IPV4_ADDRESS\",\"Value\": \"8.8.8.8\",\"Category\": \"BACKDOOR\",\"LastObservedAt\": \"2018-09-27T23:37:31Z\",\"Source\": \"Threat Intel Weekly\",\"SourceUrl\": \"http://threatintelweekly.org/backdoors/8888\"}],\"Title\": \"title\",\"Types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\": \"123578964332\",\"UserDefinedFields\": {\"reviewedByCio\": \"true\",\"comeBackToLater\": \"Check this again on Monday\"},\"VerificationState\": \"string\",\"WorkflowState\": \"NEW\"}]}}",
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}

...

See also

Explore integration types

...