
Quick Start Security for AWS Security Hub


Out-of-the-Box Security For AWS Security Hub Includes:

Alerts - 9

Stay on top of key AWS Security Hub events. Keep everyone in the know through integrations with Slack, PagerDuty and more.

Security Hub has been disabled

This rule detects the disabling of AWS Security Hub. Impact Disabling Security Hub should be treated as suspicious: there is rarely a legitimate reason to switch off security controls that are already in place, and an adversary may disable Security Hub to hinder monitoring for security events and to avoid detection. Mitigation Inspect the user who disabled Security Hub and verify whether the action was legitimate. If it was not, re-enable Security Hub and investigate further, blocking and isolating the principal as required.

A Standard Control has been updated

This rule detects the enabling or disabling of a standard control. Impact Switching off controls reduces an organization's visibility into its compliance with the relevant standard, and attackers may use this to evade specific compliance checks. Mitigation Inspect the changed control; if it was disabled, investigate the user who performed the action and validate whether it was authorized. If not, revert the change and investigate further.

An action Target has been updated

This rule detects updates to the name or description of a custom action target in Security Hub.

Security Hub members have been disassociated

This rule detects the disassociation of member accounts from Security Hub. Impact Disassociating member accounts should be investigated, as it could be performed by an attacker trying to evade Security Hub monitoring. Mitigation Inspect the user who disassociated the accounts and the accounts that were disassociated, and validate whether the action was legitimate. If not, re-associate the accounts and investigate further.

Security Hub has been disassociated from Master Account

This rule detects the disassociation of the current Security Hub member account from its administrator (formerly master) account. Impact Disassociating a member from the administrator account should be investigated, as it could be performed by an attacker trying to remove the account from centralized Security Hub monitoring. Mitigation Inspect the user who performed the disassociation and the member account that was disassociated, and validate whether the action was legitimate. If not, revert the change and investigate the user.

Security Hub members have been deleted

This rule detects the deletion of the specified member accounts from Security Hub. Impact Deleting members from Security Hub should be investigated, as it could be performed by an attacker trying to block or remove access to Security Hub. Mitigation Inspect the user who deleted the members and the accounts that were deleted, and validate whether the action was legitimate. If not, revert the change and investigate the user.

Import Findings for Product has been disabled

This rule detects the disabling of the integration of the specified product within Security Hub. Impact Disabling findings import stops Security Hub from receiving findings from that product, which hinders visibility of security events and can help hide malicious activity. Mitigation Check whether disabling findings from the product was authorized. If not, revert the change and investigate further.

An action Target has been deleted

This rule detects the deletion of a custom action target from Security Hub. Impact Deleting an action target stops Security Hub from forwarding findings to that target, which hinders visibility of security events and can help hide malicious activity. Mitigation Check whether the deletion was authorized; if not, revert the change and investigate further.

Batch Standards has been disabled

This rule detects the disabling of the standards specified in the StandardsSubscriptionArns field of the request. Impact Disabling a standard could be an adversary action to avoid detection and hinder the ability to track security events. Mitigation Check whether the action was authorized; if not, revert the change and investigate further.
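All nine rules above fire on Security Hub API calls, which AWS records in CloudTrail as management events. The following is an added example (not Coralogix's rule implementation) that maps each CloudTrail eventName to one of the alert titles above, pulls out the fields an analyst needs for the mitigation step (principal, source IP, the control status or standards ARNs requested), and runs over a handful of constructed records. The account IDs, ARNs and user names are placeholders, and the requestParameters key names are assumed to match the Security Hub API parameter names (ControlStatus, StandardsSubscriptionArns, AccountIds, ...), with a case-insensitive lookup because CloudTrail's casing of those keys is not verified here.

```python
"""Map CloudTrail records of Security Hub API calls to the nine alerts on this page.

Added example, not Coralogix's rule implementation. All records below are
constructed samples; account IDs, ARNs and user names are placeholders.
"""
import json

SECURITY_HUB_SOURCE = "securityhub.amazonaws.com"

# CloudTrail eventName -> alert title. DisassociateFromAdministratorAccount is the
# current name of the DisassociateFromMasterAccount call, so both map to that alert.
ALERT_FOR_EVENT = {
    "DisableSecurityHub": "Security Hub has been disabled",
    "UpdateStandardsControl": "A Standard Control has been updated",
    "UpdateActionTarget": "An action target has been updated",
    "DisassociateMembers": "Security Hub members have been disassociated",
    "DisassociateFromMasterAccount": "Security Hub has been disassociated from Master Account",
    "DisassociateFromAdministratorAccount": "Security Hub has been disassociated from Master Account",
    "DeleteMembers": "Security Hub members have been deleted",
    "DisableImportFindingsForProduct": "Import Findings for Product has been disabled",
    "DeleteActionTarget": "An action target has been deleted",
    "BatchDisableStandards": "Batch Standards has been disabled",
}


def lookup_param(params, name):
    """Case-insensitive requestParameters lookup. Key names are assumed to follow the
    Security Hub API parameter names (e.g. ControlStatus); CloudTrail's casing is not
    verified here, hence the tolerant match."""
    for key, value in (params or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate(record):
    """Return an alert dict for one CloudTrail record, or None if it is not a monitored call."""
    if record.get("eventSource") != SECURITY_HUB_SOURCE:
        return None
    event = record.get("eventName")
    title = ALERT_FOR_EVENT.get(event)
    if title is None:
        return None
    params = record.get("requestParameters") or {}
    alert = {
        "alert": title,
        "eventName": event,
        "eventTime": record.get("eventTime"),
        "account": record.get("recipientAccountId"),
        "principal": (record.get("userIdentity") or {}).get("arn"),
        "sourceIp": record.get("sourceIPAddress"),
        # A denied call changed nothing, but an attempt to switch off monitoring is
        # still worth a look, so it is flagged rather than dropped.
        "succeeded": "errorCode" not in record,
    }
    if event == "UpdateStandardsControl":
        # The mitigation above only applies when the control was switched off.
        alert["controlStatus"] = lookup_param(params, "ControlStatus")
        alert["controlArn"] = lookup_param(params, "StandardsControlArn")
    elif event == "BatchDisableStandards":
        alert["standards"] = lookup_param(params, "StandardsSubscriptionArns") or []
    elif event in ("DisassociateMembers", "DeleteMembers"):
        alert["members"] = lookup_param(params, "AccountIds") or []
    elif event == "DisableImportFindingsForProduct":
        alert["productSubscriptionArn"] = lookup_param(params, "ProductSubscriptionArn")
    elif event in ("UpdateActionTarget", "DeleteActionTarget"):
        alert["actionTargetArn"] = lookup_param(params, "ActionTargetArn")
    return alert


def detect(records):
    """Run every record through evaluate() and keep the hits, in input order."""
    return [a for a in (evaluate(r) for r in records) if a is not None]


def make_record(event_name, params=None, source=SECURITY_HUB_SOURCE, error=None):
    """Build a minimal constructed CloudTrail record (placeholder identity and account)."""
    rec = {
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": source,
        "eventName": event_name,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
        "sourceIPAddress": "198.51.100.10",
        "recipientAccountId": "123456789012",
        "requestParameters": params,
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample trail: two benign records, three successful state changes, one denied attempt.
SAMPLE_RECORDS = [
    make_record("GetFindings"),                                    # benign read, no alert
    make_record("DescribeInstances", source="ec2.amazonaws.com"),  # not Security Hub, no alert
    make_record("DisableSecurityHub"),
    make_record("UpdateStandardsControl", {
        "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.1",
        "ControlStatus": "DISABLED",
        "DisabledReason": "noisy",
    }),
    make_record("BatchDisableStandards", {
        "StandardsSubscriptionArns": [
            "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0"
        ]
    }),
    make_record("DeleteMembers", {"AccountIds": ["210987654321"]}, error="AccessDenied"),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_RECORDS), indent=2))
```

Denied calls are kept and marked succeeded=false rather than filtered out: a principal that tries and fails to disable Security Hub is a stronger signal than the failure alone suggests. When triaging a hit, the current state can be confirmed from the CLI with `aws securityhub describe-hub` and `aws securityhub get-enabled-standards` before deciding whether anything needs to be re-enabled.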

Documentation

Learn more about Coralogix's out-of-the-box integration with AWS Security Hub in our documentation.
