We're excited to announce enhanced integration capabilities between Cribl and AWS Security Hub, designed to provide a more comprehensive and streamlined security operations experience. This new integration empowers security teams with greater visibility and flexibility in managing their security posture within the AWS ecosystem.
What is AWS Security Hub?
AWS Security Hub prioritizes your critical security issues and helps you respond at scale. It simplifies and unifies security operations through centralized management to protect your cloud environment. It detects critical issues by correlating and enriching signals, for example, from threat detection and vulnerability management. This enables you to surface and prioritize active risks in your cloud environment. Security Hub transforms security signals into actionable insights, through intuitive visualizations and near real-time risk analytics, enabling you to make more informed security decisions quickly. It provides automated response workflows to streamline remediation at scale. As a result, you can reduce security risks, improve your team's productivity, and minimize potential operational disruptions.
Seamless Visibility with Cribl Search
One of the key features of this integration is the ability to view your AWS Security Hub events directly within Cribl Search. This means you can leverage Cribl's search and analytics capabilities to analyze Security Hub events alongside all your other security data. This centralized view significantly reduces the time spent switching between tools and improves your ability to correlate security incidents across your entire environment. Findings delivered through EventBridge are included, so you can observe Security Hub findings together with the AWS logs behind them, such as CloudTrail events, in near real time. Additionally, Cribl can receive the AWS Security Hub findings and store them in Cribl Lake or other destinations, and Cribl Search lets you query those events for more effective security investigations.
OCSF v1.6 Ingestion and Standardization
This integration also includes the capability to ingest Security Hub Findings, formatted in OCSF (Open Cybersecurity Schema Framework) version 1.6. By standardizing on OCSF, we are ensuring that your security data is consistently structured, making it easier to analyze, enrich, and act upon. This will streamline your data pipelines and improve the efficiency of your security investigations.
Key Benefits of OCSF v1.6 Ingestion:
Improved Interoperability: Consistent data format across different security tools.
Faster Analysis: Easier parsing and correlation of security findings.
Enhanced Enrichment: Simplified process for adding context to your security data.
Streaming AWS Security Hub Events into Cribl
To achieve near real-time ingestion of AWS Security Hub findings, you can leverage a standard event-driven architecture using AWS EventBridge and a Cribl Stream Webhook. This allows Security Hub to push findings directly to a dedicated HTTP Endpoint in Cribl Stream for immediate processing and routing.
Architecture and Data Flow
1. AWS Security Hub generates a finding.
2. AWS EventBridge (formerly CloudWatch Events) catches the Security Hub finding event.
3. An EventBridge Rule is configured to filter specific events and send them to a target.
4. The Target is an AWS SNS Topic or AWS Lambda Function that sends the data to the Cribl Stream HTTP Endpoint.
5. Cribl Stream receives the data via an HTTP Endpoint (Webhook) Source.
6. Cribl Stream processes, standardizes (e.g., to OCSF v1.6), and routes the data.
Setting Up Event Streaming in AWS (via EventBridge)
1. Create an Amazon SNS Topic (Recommended for EventBridge Target):
   - In the AWS Management Console, navigate to Simple Notification Service (SNS).
   - Create a new Topic (e.g., Cribl-SecurityHub-Findings). This topic will act as the intermediary that sends the finding data to Cribl.
2. Configure the Cribl Stream HTTP Endpoint (Webhook) as an SNS Subscription:
   - In Cribl Stream, navigate to Sources and enable an HTTP Endpoint (Webhooks). Record the unique URL.
   - In AWS SNS, create a Subscription for the Topic created in Step 1.
   - Protocol: Select HTTPS.
   - Endpoint: Paste the unique URL of your Cribl Stream HTTP Endpoint.
   - SNS sends a one-time SubscriptionConfirmation message to the endpoint; the subscription delivers no notifications until it has been confirmed.
3. Create an EventBridge Rule:
   - In the AWS Management Console, navigate to Amazon EventBridge.
   - Click Create rule.
   - Define Rule details: Give it a descriptive name (e.g., SecurityHub-to-Cribl).
   - Define Pattern: Select Event Pattern.
   - Event source: AWS services.
   - AWS service: Security Hub.
   - Event type: Security Hub Findings - Custom Action. Alternatively, you can use the built-in Detail-type of Security Hub Findings - Imported, which matches every imported finding with the following pattern:
     {
       "source": ["aws.securityhub"],
       "detail-type": ["Security Hub Findings - Imported"]
     }
   - Select Target: Choose AWS Service as the target type. Select SNS Topic and choose the topic created in Step 1 (e.g., Cribl-SecurityHub-Findings).
This setup ensures that every Security Hub finding matching the rule is published to the SNS topic, which then pushes the data to the Cribl Webhook.
Enabling the Webhook in Cribl Stream
To receive the data pushed from AWS, you must configure a corresponding HTTP Endpoint in Cribl Stream.
1. Add HTTP Endpoint Source:
   - In Cribl Stream, navigate to Data > Sources.
   - Click Add new and select HTTP Endpoint.
   - Input ID: Provide a unique ID (e.g., securityhub_webhook).
   - Authentication: It is highly recommended to configure Shared Secret authentication so that only AWS can deliver to this endpoint. The secret must be included in the HTTP/S request headers that reach Cribl; because a plain SNS HTTPS subscription does not let you add custom headers, full control usually requires an intermediate Lambda function or API Gateway, whereas a basic SNS subscription relies on the subscription confirmation process and the resulting trust.
   - Keep Alive: Set a reasonable timeout.
   - Output: Ensure the Source is connected to a specific Pipeline (e.g., securityhub_pipeline) where the OCSF conversion and routing will occur.
2. Process and Route Data in a Pipeline:
   Within the assigned pipeline, use Cribl Stream functions to:
   - Pre-process: Handle the SNS envelope/wrapper if present.
   - Standardize: Use a function to convert the Security Hub JSON payload (which may already be close to OCSF) or other third-party findings into the desired OCSF v1.6 format, adding the necessary AWS context/extensions.
   - Enrich: Add external data (e.g., CMDB lookups) or internal CloudTrail event data using the cloudtrail:LookupEvents permission.
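The following is an added example of the pre-process step, not Cribl's own code: plain JavaScript that unwraps the SNS envelope, checks the inner EventBridge event against the rule pattern from the setup above, and emits one event per Security Hub finding. It assumes the pipeline step can run ordinary JavaScript; the output field names (finding_id, severity_id, resource_ids) are illustrative, not a complete OCSF v1.6 mapping, and the sample SNS body is constructed.

```javascript
// Rule pattern from the EventBridge setup above.
const RULE_PATTERN = {
  source: ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
};
// OCSF severity_id values for the ASFF Severity.Label strings (0 = Unknown).
const SEVERITY_ID = { INFORMATIONAL: 1, LOW: 2, MEDIUM: 3, HIGH: 4, CRITICAL: 5 };
// Simple EventBridge pattern semantics: every pattern key must be present on the
// event and its value must be one of the listed values.
function matchesPattern(event, pattern) {
  return Object.entries(pattern).every(([k, allowed]) => allowed.includes(event[k]));
}
// SNS posts a JSON envelope. Only Type "Notification" carries data in Message;
// a "SubscriptionConfirmation" is the one-time handshake and contains no finding.
function unwrapSns(body) {
  const env = JSON.parse(body);
  if (env.Type !== "Notification") return { type: env.Type, events: [] };
  const eb = JSON.parse(env.Message); // the EventBridge event
  if (!matchesPattern(eb, RULE_PATTERN)) return { type: env.Type, events: [] };
  const findings = (eb.detail && eb.detail.findings) || [];
  const events = findings.map((f) => {
    const label = (f.Severity && f.Severity.Label) || "UNKNOWN";
    return {
      _time: Date.parse(f.UpdatedAt || eb.time) / 1000, // Cribl Stream keeps _time in epoch seconds
      sns_message_id: env.MessageId, account: eb.account, region: eb.region,
      finding_id: f.Id, title: f.Title,
      severity_label: label, severity_id: SEVERITY_ID[label] || 0,
      resource_ids: (f.Resources || []).map((r) => r.Id), // illustrative output field names
    };
  });
  return { type: env.Type, events };
}

// Constructed sample SNS delivery carrying two ASFF findings (not real data).
const SAMPLE_SNS_BODY = JSON.stringify({
  Type: "Notification",
  MessageId: "11111111-2222-3333-4444-555555555555",
  TopicArn: "arn:aws:sns:us-east-1:123456789012:Cribl-SecurityHub-Findings",
  Message: JSON.stringify({
    version: "0", id: "evt-1", "detail-type": "Security Hub Findings - Imported",
    source: "aws.securityhub", account: "123456789012", region: "us-east-1",
    time: "2024-01-15T12:00:00Z", resources: [],
    detail: { findings: [
      { Id: "finding-1", Title: "S3 bucket allows public read", UpdatedAt: "2024-01-15T11:59:30Z",
        Severity: { Label: "HIGH" }, Resources: [{ Type: "AwsS3Bucket", Id: "arn:aws:s3:::example-bucket" }] },
      { Id: "finding-2", Title: "Root account without MFA", Severity: { Label: "CRITICAL" }, Resources: [] },
    ] },
  }),
});
```

Events whose source or detail-type does not match the rule, and SubscriptionConfirmation handshakes, yield no findings, so a misrouted or unexpected delivery never becomes a fake finding downstream.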
Routing and Destination Management
Once the Security Hub findings are standardized and processed in Cribl Stream, they can be routed to multiple destinations simultaneously:
By using the HTTP Endpoint Source and EventBridge, security teams gain maximum flexibility, ensuring Security Hub findings are immediately available for analysis and archival across their entire security ecosystem.
Query AWS Security Hub in Real Time with Cribl Search
Cribl Search empowers security professionals to perform real-time, ad-hoc queries against AWS Security Hub findings directly, eliminating data movement delays. This federated search capability allows for immediate correlation of Security Hub events with data residing in other critical security tools like your SIEM, data lake, or external APIs.
To enable Cribl Search to access and query your data in an Amazon Web Services (AWS) account, you need to establish a cross-account trust relationship via an AWS Identity and Access Management (IAM) role. This role will be assumed by the Cribl Search infrastructure, granting it the necessary permissions to read your data (e.g., from S3 buckets).
You have two primary methods for setting up this trust: using the Cribl CloudFormation template for automation or setting up the IAM Role manually.
Automated Setup with Cribl's CloudFormation Template
Cribl provides a CloudFormation template on their GitHub repository to automate the creation of the IAM role, the trust relationship, and the required permissions. This is the recommended and fastest approach.
Locate the Template: Navigate to the official Cribl GitHub repository for AWS CloudFormation templates. Look for a template specifically designed for IAM Trust Role for Cribl Cloud or a similar cross-account access template. (A common one is often related to S3 Bucket Collection or a general Cloud Trust Role.)
Download the Template: Download the relevant CloudFormation JSON or YAML template file.
Launch the Stack in AWS:
Log in to the AWS Management Console for the account that holds your data (the account you want Cribl Search to access).
Navigate to the CloudFormation service.
Click Create stack and choose With new resources (standard).
Select Upload a template file and upload the Cribl template you downloaded.
Click Next and specify the stack details. You will be prompted to enter parameters like your Cribl Cloud Account ID and an External ID.
Cribl Cloud Account ID: You can typically find this in your Cribl.Cloud portal under Network Settings or Trust.
External ID: This is a security feature (a string you create) that must match what you configure later in the Cribl Search Dataset Provider.
Complete the rest of the wizard, review the settings, and acknowledge that the template will create IAM resources.
Click Create stack.
Retrieve the Role ARN: Once the stack status is CREATE_COMPLETE, navigate to the Outputs tab of the stack. Copy the ARN of the newly created IAM Role (often named something like CriblTrustCloudRoleARN). You will use this ARN when setting up the Dataset Provider in Cribl Search.
Manual IAM Role Setup
If you prefer to set up the role manually, you will create an IAM Role with a specific Trust Policy and Permissions Policy.
Create the IAM Role and Trust Policy
In your AWS Management Console, navigate to IAM and choose Roles.
Click Create role.
For Trusted entity type, select Custom trust policy.
Edit the trust policy JSON, replacing the placeholders with your specific values (the Cribl Cloud Account ID and the External ID are the same values described in the CloudFormation steps above):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<CRIBL_CLOUD_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    }
  ]
}
The sts:ExternalId condition ensures that only a caller presenting the External ID you chose can assume the role, even if it is in the trusted account.
Required IAM Role Permissions
To enable these integration features, some additional permissions will be required for the IAM role associated with your Cribl deployment. These permissions allow Cribl to access and interact with AWS Security Hub. One such permission is cloudtrail:LookupEvents, which allows the retrieval of CloudTrail events to enrich findings. Here is a list of IAM Permissions for the AWS API:
We are committed to providing our users with the most secure and efficient solutions for managing their security operations. This enhanced integration with AWS Security Hub is a testament to that commitment, offering unparalleled visibility, standardization, and flexibility. Stay tuned for more updates and detailed configuration guides as we roll out these exciting new features!
Transforming Third-Party Findings with Cribl Stream
Cribl Stream takes this integration a step further by enabling you to convert third-party findings into OCSF version 1.6. This powerful capability includes the addition of specific AWS extensions within these findings. This means that even if your security data originates from sources outside of AWS, you can still standardize it to an OCSF format with AWS-specific context, ensuring a unified approach to security data management.