Limiting the AWS Security Hub CSPM Findings forwarded to Microsoft Sentinel to specific services


When forwarding Security Hub CSPM Findings to Microsoft Sentinel, I tried adjusting the EventBridge event pattern so that only specific services and severities are forwarded.
2026.07.04

In an earlier post, I used the solution provided by Microsoft Sentinel to forward AWS Security Hub CSPM Findings to Microsoft Sentinel. When the CloudFormation template provided by Microsoft Sentinel is used as-is, the Findings of every service aggregated in Security Hub CSPM are forwarded, so in this post I limit which services are forwarded.

https://dev.classmethod.jp/articles/aws-security-hub-cspm-findings-to-microsoft-sentinel/

The AWS-side resources that forward Findings to Microsoft Sentinel are composed as shown in the template below, so I took the approach of filtering as early in the pipeline as possible, which can be done by adjusting the EventBridge event pattern. Building a mechanism that notifies on security events aggregated in Security Hub CSPM through EventBridge is a common situation, and the same approach applies there.

Before limiting the forwarded Findings

The event pattern of the EventBridge rule defined in the CloudFormation template Template 2_ AWS Security Hub resources deployment.json, provided by the Microsoft Sentinel data connector "AWS Security Hub Findings (via Codeless Connector Framework)", is shown below. It targets every Finding aggregated in Security Hub CSPM.

{
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"]
}

The full CloudFormation template follows. It is long, so it is collapsed.

CloudFormation template
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "This Stack creates Amazon Data Firehose, Amazon EventBridge, S3 Bucket, Simple Queue Service (SQS), IAM roles and necessray permission policies to ingest Security Hub Findings to Microsoft Sentinel workspace.",
  "Parameters": {
    "AwsRoleName": {
      "Type": "String",
      "Description": "Enter the ARN name for the role. The name must start with 'OIDC_', otherwise the connector will not function properly.",
      "AllowedPattern": "OIDC_[-_a-zA-Z0-9]+",
      "Default": "OIDC_MicrosoftSentinelRoleSecurityHub"
    },
    "BucketName": {
      "Type": "String",
      "AllowedPattern": "^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$",
      "Description": "Enter the name of the S3 bucket. Bucket name must be unique within the global namespace and follow the bucket naming rules.",
      "Default": "microsoft-sentinel-securityhub-s3-bucket"
    },
    "SentinelSQSQueueName": {
      "Default": "MicrosoftSentinelSecurityHubSqs",
      "Type": "String",
      "Description": "Enter the name for the SQS Queue."
    },
    "SentinelWorkspaceId": {
      "Type": "String",
      "Description": "Enter the Microsoft Sentinel Workspace ID"
    },
    "CreateNewBucket": {
      "AllowedValues": [
        true,
        false
      ],
      "Default": true,
      "Description": "Set to false to have Amazon S3 use an existing S3 Bucket.",
      "Type": "String"
    }
  },
  "Conditions": {
    "CreateNewBucketCondition": {
      "Fn::Equals": [
        {
          "Ref": "CreateNewBucket"
        },
        true
      ]
    }
  },
  "Resources": {
    "SentinelWebIdentityBasedRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Ref": "AwsRoleName"
        },
        "Description": "Role to provide Microsoft Sentinel access to Security Hub Findings.",
        "Path": "/",
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"
        ],
        "AssumeRolePolicyDocument": {
          "Fn::Sub": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"Federated\": \"arn:aws:iam::${AWS::AccountId}:oidc-provider/sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/\"},\"Action\": \"sts:AssumeRoleWithWebIdentity\",\"Condition\": {\"StringEquals\": {\"sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/:aud\": \"api://1462b192-27f7-4cb9-8523-0f4ecb54b47e\",\"sts:RoleSessionName\": \"MicrosoftSentinel_${SentinelWorkspaceId}\"}}}]}"
        },
        "Policies": [
          {
            "PolicyName": "AWSSecurityHubLoggingPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "AWSSecurityHubReadOnlyAccess",
                  "Effect": "Allow",
                  "Action": [
                    "securityhub:Get*",
                    "securityhub:List*",
                    "securityhub:BatchGet*",
                    "securityhub:Describe*"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Condition": "CreateNewBucketCondition",
      "DeletionPolicy": "Delete",
      "Properties": {
        "BucketName": {
          "Ref": "BucketName"
        },
        "OwnershipControls": {
          "Rules": [
            {
              "ObjectOwnership": "BucketOwnerEnforced"
            }
          ]
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        },
        "NotificationConfiguration": {
          "QueueConfigurations": [
            {
              "Queue": {
                "Fn::GetAtt": [
                  "SentinelSQSQueue",
                  "Arn"
                ]
              },
              "Event": "s3:ObjectCreated:*",
              "Filter": {
                "S3Key": {
                  "Rules": [
                    {
                      "Name": "prefix",
                      "Value": {
                        "Fn::Sub": "AWSLogs/${AWS::AccountId}/SecurityHubFindings/"
                      }
                    },
                    {
                      "Name": "suffix",
                      "Value": ".gz"
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "DeletionPolicy": "Delete",
      "Properties": {
        "Bucket": {
          "Ref": "BucketName"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Allow Arn read access to S3 bucket.",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::GetAtt": [
                    "SentinelWebIdentityBasedRole",
                    "Arn"
                  ]
                }
              },
              "Action": "s3:GetObject",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "S3Bucket",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            }
          ]
        }
      }
    },
    "FirehoseDeliveryStreamRole": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Delete",
      "Properties": {
        "RoleName": "MSSentinelFirehoseDeliveryStreamRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "TrustDataFirehoseService",
              "Effect": "Allow",
              "Principal": {
                "Service": "firehose.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "MSSentinelFirehoseDeliveryStreamPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:ListBucketMultipartUploads",
                    "s3:PutObject"
                  ],
                  "Resource": [
                    {
                      "Fn::GetAtt": [
                        "S3Bucket",
                        "Arn"
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          {
                            "Fn::GetAtt": [
                              "S3Bucket",
                              "Arn"
                            ]
                          },
                          "/*"
                        ]
                      ]
                    }
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "SecurityHubDeliveryStream": {
      "Type": "AWS::KinesisFirehose::DeliveryStream",
      "DeletionPolicy": "Delete",
      "Properties": {
        "DeliveryStreamName": "MSSentinel-SecurityHub-FirehoseDeliveryStream",
        "DeliveryStreamType": "DirectPut",
        "DeliveryStreamEncryptionConfigurationInput": {
          "KeyType": "AWS_OWNED_CMK"
        },
        "ExtendedS3DestinationConfiguration": {
          "BucketARN": {
            "Fn::GetAtt": [
              "S3Bucket",
              "Arn"
            ]
          },
          "BufferingHints": {
            "SizeInMBs": 128,
            "IntervalInSeconds": 300
          },
          "CompressionFormat": "GZIP",
          "FileExtension": ".gz",
          "Prefix": {
            "Fn::Sub": "AWSLogs/${AWS::AccountId}/SecurityHubFindings/"
          },
          "ProcessingConfiguration": {
            "Enabled": true,
            "Processors": [
              {
                "Type": "AppendDelimiterToRecord",
                "Parameters": [
                  {
                    "ParameterName": "Delimiter",
                    "ParameterValue": "\\n"
                  }
                ]
              }
            ]
          },
          "RoleARN": {
            "Fn::GetAtt": [
              "FirehoseDeliveryStreamRole",
              "Arn"
            ]
          }
        }
      }
    },
    "EventBridgeInvokeFirehoseRole": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Delete",
      "Properties": {
        "RoleName": "MSSentinelSecurityHubEventBridgeRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "TrustEventBridgeService",
              "Effect": "Allow",
              "Principal": {
                "Service": "events.amazonaws.com"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "aws:SourceAccount": {
                    "Fn::Sub": "${AWS::AccountId}"
                  }
                }
              }
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "MSSentinelSecurityHubEventBridgePolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "ActionsForFirehose",
                  "Effect": "Allow",
                  "Action": [
                    "firehose:PutRecord",
                    "firehose:PutRecordBatch"
                  ],
                  "Resource": [
                    {
                      "Fn::GetAtt": [
                        "SecurityHubDeliveryStream",
                        "Arn"
                      ]
                    }
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "EventBridgeInvokeFirehoseRule": {
      "Type": "AWS::Events::Rule",
      "DeletionPolicy": "Delete",
      "Properties": {
        "Name": "securityhub-findings-to-s3-bucket",
        "Description": "Rule to invoke Data Firehose delivery stream to send Security Hub findings to S3 bucket.",
        "EventBusName": "default",
        "EventPattern": {
          "source": [
            "aws.securityhub"
          ],
          "detail-type": [
            "Security Hub Findings - Imported"
          ]
        },
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "SecurityHubDeliveryStream",
                "Arn"
              ]
            },
            "Id": "SecurityHubFindingsToFirehose",
            "RoleArn": {
              "Fn::GetAtt": [
                "EventBridgeInvokeFirehoseRole",
                "Arn"
              ]
            }
          }
        ]
      }
    },
    "SentinelSQSQueue": {
      "Type": "AWS::SQS::Queue",
      "DeletionPolicy": "Delete",
      "Properties": {
        "QueueName": {
          "Ref": "SentinelSQSQueueName"
        },
        "Tags": [
          {
            "Key": "Bucket",
            "Value": {
              "Ref": "BucketName"
            }
          }
        ]
      }
    },
    "SentinelSQSQueuePolicyForS3": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Sid": "Allow S3 to send notification messages to SQS queue",
              "Action": [
                "SQS:SendMessage"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "SentinelSQSQueue",
                    "Arn"
                  ]
                }
              ],
              "Principal": {
                "Service": "s3.amazonaws.com"
              },
              "Condition": {
                "StringEquals": {
                  "aws:SourceAccount": {
                    "Fn::Sub": "${AWS::AccountId}"
                  }
                },
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::Sub": "arn:${AWS::Partition}:s3:*:*:${BucketName}"
                  }
                }
              }
            },
            {
              "Sid": "Allow Assumed role to read/delete/change visibility of SQS messages and get queue url.",
              "Action": [
                "SQS:ChangeMessageVisibility",
                "SQS:DeleteMessage",
                "SQS:ReceiveMessage",
                "SQS:GetQueueUrl"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "SentinelSQSQueue",
                    "Arn"
                  ]
                }
              ],
              "Principal": {
                "AWS": [
                  {
                    "Fn::GetAtt": [
                      "SentinelWebIdentityBasedRole",
                      "Arn"
                    ]
                  }
                ]
              }
            }
          ]
        },
        "Queues": [
          {
            "Ref": "SentinelSQSQueue"
          }
        ]
      }
    }
  },
  "Outputs": {
    "SentinelRoleArn": {
      "Value": {
        "Fn::GetAtt": [
          "SentinelWebIdentityBasedRole",
          "Arn"
        ]
      },
      "Description": "Role ARN for Sentinel Role that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal."
    },
    "SentinelSQSQueueURL": {
      "Description": "AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.",
      "Value": {
        "Ref": "SentinelSQSQueue"
      }
    },
    "SentinelSQSQueueArn": {
      "Description": "Log destination ARN to be used when setting up other accounts to exports logs",
      "Value": {
        "Fn::GetAtt": [
          "SentinelSQSQueue",
          "Arn"
        ]
      }
    },
    "SentinelSQSQueueName": {
      "Description": "SQS Name",
      "Value": {
        "Fn::GetAtt": [
          "SentinelSQSQueue",
          "QueueName"
        ]
      }
    }
  }
}

Limiting the forwarded Findings

Let's restrict which services' Findings are forwarded to Microsoft Sentinel.
Specifying the following in the EventBridge event pattern filters by product name. This example targets only the Security Hub CSPM security standards findings and the Amazon GuardDuty findings.

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "ProductName": ["GuardDuty", "Security Hub"]
    }
  }
}

Next is an example that also narrows by severity. In Security Hub, controls whose compliance status is PASSED are given the severity INFORMATIONAL, so using the pattern below stops resolved controls from being forwarded to Microsoft Sentinel. This post uses this pattern for the test.

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "ProductName": ["GuardDuty", "Security Hub"],
      "Severity": {
        "Label": ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
      }
    }
  }
}
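As an added example (not code from the original post or from the Microsoft Sentinel connector), the following Python script re-implements the subset of EventBridge pattern-matching semantics these two patterns rely on and runs both the connector's original pattern and the narrowed pattern against constructed sample events, including a PASSED control at INFORMATIONAL severity. The matcher, the event builder and all sample events are constructed here and are assumptions, not connector code.

```python
"""Offline check of which Security Hub "Findings - Imported" events the
EventBridge patterns from this post would forward.

Added example, not code from the original post or the Microsoft Sentinel
connector. The matcher implements only the subset of EventBridge pattern
semantics these patterns use: exact string match, and a field whose event
value is an array matches when any element matches. All events below are
constructed.
"""
import json

# Pattern from the connector's template: every Security Hub finding.
ORIGINAL_PATTERN = {
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
}

# Narrowed pattern from this post: two products, and PASSED controls are
# excluded by leaving INFORMATIONAL out of the Severity.Label list.
NARROWED_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "ProductName": ["GuardDuty", "Security Hub"],
            "Severity": {"Label": ["LOW", "MEDIUM", "HIGH", "CRITICAL"]},
        }
    },
}


def _event_values(node, path):
    """Every value at `path` inside `node`; arrays are expanded so each
    element is a candidate, as EventBridge does for detail.findings[]."""
    if isinstance(node, list):
        return [v for elem in node for v in _event_values(elem, path)]
    if not path:
        return [node]
    if isinstance(node, dict) and path[0] in node:
        return _event_values(node[path[0]], path[1:])
    return []


def _pattern_leaves(pattern, prefix=()):
    """Flatten a nested pattern into (path, allowed_values) pairs."""
    for key, value in pattern.items():
        if isinstance(value, dict):
            yield from _pattern_leaves(value, prefix + (key,))
        else:
            yield prefix + (key,), value


def matches(pattern, event):
    """True when every pattern field has at least one matching event value.
    Fields are evaluated independently: if an event carried several
    findings, one matching finding would forward the whole event."""
    return all(
        any(v in allowed for v in _event_values(event, list(path)))
        for path, allowed in _pattern_leaves(pattern)
    )


def security_hub_event(product_name, severity_label, compliance=None):
    """Constructed "Findings - Imported" event with only the fields used
    here; real findings carry many more ASFF fields."""
    finding = {"ProductName": product_name, "Severity": {"Label": severity_label}}
    if compliance:
        finding["Compliance"] = {"Status": compliance}
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [finding]},
    }


# Constructed samples mirroring the products enabled in the post's test.
SAMPLE_EVENTS = {
    "guardduty_high": security_hub_event("GuardDuty", "HIGH"),
    "control_failed": security_hub_event("Security Hub", "MEDIUM", "FAILED"),
    "control_passed": security_hub_event("Security Hub", "INFORMATIONAL", "PASSED"),
    "inspector_critical": security_hub_event("Inspector", "CRITICAL"),
    "access_analyzer": security_hub_event("IAM Access Analyzer", "MEDIUM"),
}


def forwarded(pattern, events=SAMPLE_EVENTS):
    """Names of the sample events the rule would pass on to Firehose."""
    return sorted(name for name, ev in events.items() if matches(pattern, ev))


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("narrowed", NARROWED_PATTERN)):
        print(label, json.dumps(forwarded(pattern)))
```

Against the live service, the same pattern and event can be checked with `aws events test-event-pattern`, which expects the full event envelope (id, account, region, time, resources) in addition to the fields above.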

Here is an example in which the CloudFormation template provided by Microsoft Sentinel was converted to YAML and the EventBridge rule settings were changed. Only the EventBridge part is excerpted.

  EventBridgeInvokeFirehoseRule:
    Type: AWS::Events::Rule
    DeletionPolicy: Delete
    Properties:
      Name: securityhub-findings-to-s3-bucket
      Description: >-
        Rule to invoke Data Firehose delivery stream to send Security Hub
        findings to S3 bucket.
      EventBusName: default
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
        detail:
          findings:
            ProductName:
              - GuardDuty
              - Security Hub
            Severity:
              Label:
                - LOW
                - MEDIUM
                - HIGH
                - CRITICAL
      State: ENABLED
      Targets:
        - Arn:
            Fn::GetAtt:
              - SecurityHubDeliveryStream
              - Arn
          Id: SecurityHubFindingsToFirehose
          RoleArn:
            Fn::GetAtt:
              - EventBridgeInvokeFirehoseRole
              - Arn

The full template follows. It is long, so it is collapsed.

CloudFormation template
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This Stack creates Amazon Data Firehose, Amazon EventBridge, S3 Bucket, Simple
  Queue Service (SQS), IAM roles and necessray permission policies to ingest
  Security Hub Findings to Microsoft Sentinel workspace.
Parameters:
  AwsRoleName:
    Type: String
    Description: >-
      Enter the ARN name for the role. The name must start with 'OIDC_',
      otherwise the connector will not function properly.
    AllowedPattern: OIDC_[-_a-zA-Z0-9]+
    Default: OIDC_MicrosoftSentinelRoleSecurityHub
  BucketName:
    Type: String
    AllowedPattern: ^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$
    Description: >-
      Enter the name of the S3 bucket. Bucket name must be unique within the
      global namespace and follow the bucket naming rules.
    Default: microsoft-sentinel-securityhub-s3-bucket
  SentinelSQSQueueName:
    Default: MicrosoftSentinelSecurityHubSqs
    Type: String
    Description: Enter the name for the SQS Queue.
  SentinelWorkspaceId:
    Type: String
    Description: Enter the Microsoft Sentinel Workspace ID
  CreateNewBucket:
    AllowedValues:
      - true
      - false
    Default: true
    Description: Set to false to have Amazon S3 use an existing S3 Bucket.
    Type: String
Conditions:
  CreateNewBucketCondition:
    Fn::Equals:
      - Ref: CreateNewBucket
      - true
Resources:
  SentinelWebIdentityBasedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Ref: AwsRoleName
      Description: Role to provide Microsoft Sentinel access to Security Hub Findings.
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess
      AssumeRolePolicyDocument:
        Fn::Sub: >-
          {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal":
          {"Federated":
          "arn:aws:iam::${AWS::AccountId}:oidc-provider/sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/"},"Action":
          "sts:AssumeRoleWithWebIdentity","Condition": {"StringEquals":
          {"sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/:aud":
          "api://1462b192-27f7-4cb9-8523-0f4ecb54b47e","sts:RoleSessionName":
          "MicrosoftSentinel_${SentinelWorkspaceId}"}}}]}
      Policies:
        - PolicyName: AWSSecurityHubLoggingPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AWSSecurityHubReadOnlyAccess
                Effect: Allow
                Action:
                  - securityhub:Get*
                  - securityhub:List*
                  - securityhub:BatchGet*
                  - securityhub:Describe*
                Resource: '*'
  S3Bucket:
    Type: AWS::S3::Bucket
    Condition: CreateNewBucketCondition
    DeletionPolicy: Delete
    Properties:
      BucketName:
        Ref: BucketName
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      VersioningConfiguration:
        Status: Enabled
      NotificationConfiguration:
        QueueConfigurations:
          - Queue:
              Fn::GetAtt:
                - SentinelSQSQueue
                - Arn
            Event: s3:ObjectCreated:*
            Filter:
              S3Key:
                Rules:
                  - Name: prefix
                    Value:
                      Fn::Sub: AWSLogs/${AWS::AccountId}/SecurityHubFindings/
                  - Name: suffix
                    Value: .gz
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Delete
    Properties:
      Bucket:
        Ref: BucketName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: Allow Arn read access to S3 bucket.
            Effect: Allow
            Principal:
              AWS:
                Fn::GetAtt:
                  - SentinelWebIdentityBasedRole
                  - Arn
            Action: s3:GetObject
            Resource:
              Fn::Join:
                - ''
                - - Fn::GetAtt:
                      - S3Bucket
                      - Arn
                  - /*
  FirehoseDeliveryStreamRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      RoleName: MSSentinelFirehoseDeliveryStreamRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: TrustDataFirehoseService
            Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: MSSentinelFirehoseDeliveryStreamPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:AbortMultipartUpload
                  - s3:GetBucketLocation
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:ListBucketMultipartUploads
                  - s3:PutObject
                Resource:
                  - Fn::GetAtt:
                      - S3Bucket
                      - Arn
                  - Fn::Join:
                      - ''
                      - - Fn::GetAtt:
                            - S3Bucket
                            - Arn
                        - /*
  SecurityHubDeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    DeletionPolicy: Delete
    Properties:
      DeliveryStreamName: MSSentinel-SecurityHub-FirehoseDeliveryStream
      DeliveryStreamType: DirectPut
      DeliveryStreamEncryptionConfigurationInput:
        KeyType: AWS_OWNED_CMK
      ExtendedS3DestinationConfiguration:
        BucketARN:
          Fn::GetAtt:
            - S3Bucket
            - Arn
        BufferingHints:
          SizeInMBs: 128
          IntervalInSeconds: 300
        CompressionFormat: GZIP
        FileExtension: .gz
        Prefix:
          Fn::Sub: AWSLogs/${AWS::AccountId}/SecurityHubFindings/
        ProcessingConfiguration:
          Enabled: true
          Processors:
            - Type: AppendDelimiterToRecord
              Parameters:
                - ParameterName: Delimiter
                  ParameterValue: \n
        RoleARN:
          Fn::GetAtt:
            - FirehoseDeliveryStreamRole
            - Arn
  EventBridgeInvokeFirehoseRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      RoleName: MSSentinelSecurityHubEventBridgeRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: TrustEventBridgeService
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Fn::Sub: ${AWS::AccountId}
      Policies:
        - PolicyName: MSSentinelSecurityHubEventBridgePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ActionsForFirehose
                Effect: Allow
                Action:
                  - firehose:PutRecord
                  - firehose:PutRecordBatch
                Resource:
                  - Fn::GetAtt:
                      - SecurityHubDeliveryStream
                      - Arn
  EventBridgeInvokeFirehoseRule:
    Type: AWS::Events::Rule
    DeletionPolicy: Delete
    Properties:
      Name: securityhub-findings-to-s3-bucket
      Description: >-
        Rule to invoke Data Firehose delivery stream to send Security Hub
        findings to S3 bucket.
      EventBusName: default
      EventPattern:
        source:
          - aws.securityhub
        detail-type:
          - Security Hub Findings - Imported
        detail:
          findings:
            ProductName:
              - GuardDuty
              - Security Hub
            Severity:
              Label:
                - LOW
                - MEDIUM
                - HIGH
                - CRITICAL
      State: ENABLED
      Targets:
        - Arn:
            Fn::GetAtt:
              - SecurityHubDeliveryStream
              - Arn
          Id: SecurityHubFindingsToFirehose
          RoleArn:
            Fn::GetAtt:
              - EventBridgeInvokeFirehoseRole
              - Arn
  SentinelSQSQueue:
    Type: AWS::SQS::Queue
    DeletionPolicy: Delete
    Properties:
      QueueName:
        Ref: SentinelSQSQueueName
      Tags:
        - Key: Bucket
          Value:
            Ref: BucketName
  SentinelSQSQueuePolicyForS3:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Statement:
          - Sid: Allow S3 to send notification messages to SQS queue
            Action:
              - SQS:SendMessage
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - SentinelSQSQueue
                  - Arn
            Principal:
              Service: s3.amazonaws.com
            Condition:
              StringEquals:
                aws:SourceAccount:
                  Fn::Sub: ${AWS::AccountId}
              ArnLike:
                aws:SourceArn:
                  Fn::Sub: arn:${AWS::Partition}:s3:*:*:${BucketName}
          - Sid: >-
              Allow Assumed role to read/delete/change visibility of SQS
              messages and get queue url.
            Action:
              - SQS:ChangeMessageVisibility
              - SQS:DeleteMessage
              - SQS:ReceiveMessage
              - SQS:GetQueueUrl
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - SentinelSQSQueue
                  - Arn
            Principal:
              AWS:
                - Fn::GetAtt:
                    - SentinelWebIdentityBasedRole
                    - Arn
      Queues:
        - Ref: SentinelSQSQueue
Outputs:
  SentinelRoleArn:
    Value:
      Fn::GetAtt:
        - SentinelWebIdentityBasedRole
        - Arn
    Description: >-
      Role ARN for Sentinel Role that is inserted into Amazon Web Service S3
      Connector in the Sentinel Data Connectors portal.
  SentinelSQSQueueURL:
    Description: >-
      AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in
      the Sentinel Data Connectors portal.
    Value:
      Ref: SentinelSQSQueue
  SentinelSQSQueueArn:
    Description: >-
      Log destination ARN to be used when setting up other accounts to exports
      logs
    Value:
      Fn::GetAtt:
        - SentinelSQSQueue
        - Arn
  SentinelSQSQueueName:
    Description: SQS Name
    Value:
      Fn::GetAtt:
        - SentinelSQSQueue
        - QueueName



The EventBridge rule settings screen after deploying the CloudFormation template on the AWS side:

[Screenshot: EventBridge rule settings (filter-aws-security-hub-cspm-findings-for-microsoft-sentinel-1)]

I then make the following settings and check the data forwarded to Microsoft Sentinel.

  • Enable the "AWS Foundational Security Best Practices" standard in AWS Security Hub CSPM
  • Publish Amazon GuardDuty sample findings (with the command below)
  • Enable Amazon Inspector and IAM Access Analyzer external access findings (to confirm that they are not forwarded to Microsoft Sentinel)

aws guardduty create-sample-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-types "Backdoor:EC2/DenialOfService.Dns"

After waiting about a day, I check the Findings on the Microsoft Sentinel side.
First, the count of Findings per product name:

AWSSecurityHubFindings
| summarize FindingsCount = count() by AwsSecurityFindingProductName
| order by FindingsCount desc

[Screenshot: Findings count per product name (filter-aws-security-hub-cspm-findings-for-microsoft-sentinel-2)]

As intended, I confirmed that the only Findings forwarded to Microsoft Sentinel are those from Security Hub and GuardDuty.

Next, check the count of Security Hub Findings per severity:

AWSSecurityHubFindings
| where AwsSecurityFindingProductName == "Security Hub"
| extend SeverityLabel = tostring(AwsSecurityFindingSeverity.Label)
| summarize FindingsCount = count() by SeverityLabel
| order by FindingsCount desc

[Screenshot: Security Hub Findings count per severity (filter-aws-security-hub-cspm-findings-for-microsoft-sentinel-3)]

This too was as intended: I confirmed that there are no INFORMATIONAL Findings.

Conclusion

In a configuration that forwards AWS Security Hub CSPM Findings to Microsoft Sentinel, I tried limiting the Findings sent to Microsoft Sentinel by changing the EventBridge rule's event pattern. This is useful when you want to reduce cost by not sending unnecessary Findings to Microsoft Sentinel.
I hope this post is helpful to someone.
