Microsoft Sentinel へ転送する AWS Security Hub CSPM の Findings を特定サービスのみに限定してみた
以前のブログで、Microsoft Sentinel が提供するソリューションを使って AWS Security Hub CSPM の Findings を Microsoft Sentinel へ転送してみました。Microsoft Sentinel が提供する CloudFormation テンプレートをそのまま使った場合は Security Hub CSPM に集約されているすべてのサービスの Findings が転送されるため、本ブログでは転送するサービスを限定してみました。
Microsoft Sentinel に Findings を転送する AWS 側のリソースは下記のように構成されていたため、なるべく始めの処理で絞る方針で EventBridge のイベントパターンを調整することで制御可能でした。Security Hub CSPM に集約されたセキュリティイベントを EventBridge で通知する仕組みを作るシチュエーションは多いと思いますが、同じ要領で実現可能です。
転送する Findings を限定する前
Microsoft Sentinel のデータコネクタ「AWS Security Hub Findings (via Codeless Connector Framework)」が提供する CloudFormation テンプレート Template 2_ AWS Security Hub resources deployment.json で指定されている EventBridge ルールのイベントパターンは下記です。Security Hub CSPM に集約されているすべての Findings が対象となっています。
{
"detail-type": ["Security Hub Findings - Imported"],
"source": ["aws.securityhub"]
}
CloudFormation テンプレートの全文です。長いので折りたたんでいます。
CloudFormation テンプレート
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This Stack creates Amazon Data Firehose, Amazon EventBridge, S3 Bucket, Simple Queue Service (SQS), IAM roles and necessray permission policies to ingest Security Hub Findings to Microsoft Sentinel workspace.",
"Parameters": {
"AwsRoleName": {
"Type": "String",
"Description": "Enter the ARN name for the role. The name must start with 'OIDC_', otherwise the connector will not function properly.",
"AllowedPattern": "OIDC_[-_a-zA-Z0-9]+",
"Default": "OIDC_MicrosoftSentinelRoleSecurityHub"
},
"BucketName": {
"Type": "String",
"AllowedPattern": "^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$",
"Description": "Enter the name of the S3 bucket. Bucket name must be unique within the global namespace and follow the bucket naming rules.",
"Default": "microsoft-sentinel-securityhub-s3-bucket"
},
"SentinelSQSQueueName": {
"Default": "MicrosoftSentinelSecurityHubSqs",
"Type": "String",
"Description": "Enter the name for the SQS Queue."
},
"SentinelWorkspaceId": {
"Type": "String",
"Description": "Enter the Microsoft Sentinel Workspace ID"
},
"CreateNewBucket": {
"AllowedValues": [
true,
false
],
"Default": true,
"Description": "Set to false to have Amazon S3 use an existing S3 Bucket.",
"Type": "String"
}
},
"Conditions": {
"CreateNewBucketCondition": {
"Fn::Equals": [
{
"Ref": "CreateNewBucket"
},
true
]
}
},
"Resources": {
"SentinelWebIdentityBasedRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Ref": "AwsRoleName"
},
"Description": "Role to provide Microsoft Sentinel access to Security Hub Findings.",
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"
],
"AssumeRolePolicyDocument": {
"Fn::Sub": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"Federated\": \"arn:aws:iam::${AWS::AccountId}:oidc-provider/sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/\"},\"Action\": \"sts:AssumeRoleWithWebIdentity\",\"Condition\": {\"StringEquals\": {\"sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/:aud\": \"api://1462b192-27f7-4cb9-8523-0f4ecb54b47e\",\"sts:RoleSessionName\": \"MicrosoftSentinel_${SentinelWorkspaceId}\"}}}]}"
},
"Policies": [
{
"PolicyName": "AWSSecurityHubLoggingPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSSecurityHubReadOnlyAccess",
"Effect": "Allow",
"Action": [
"securityhub:Get*",
"securityhub:List*",
"securityhub:BatchGet*",
"securityhub:Describe*"
],
"Resource": "*"
}
]
}
}
]
}
},
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Condition": "CreateNewBucketCondition",
"DeletionPolicy": "Delete",
"Properties": {
"BucketName": {
"Ref": "BucketName"
},
"OwnershipControls": {
"Rules": [
{
"ObjectOwnership": "BucketOwnerEnforced"
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
},
"NotificationConfiguration": {
"QueueConfigurations": [
{
"Queue": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
},
"Event": "s3:ObjectCreated:*",
"Filter": {
"S3Key": {
"Rules": [
{
"Name": "prefix",
"Value": {
"Fn::Sub": "AWSLogs/${AWS::AccountId}/SecurityHubFindings/"
}
},
{
"Name": "suffix",
"Value": ".gz"
}
]
}
}
}
]
}
}
},
"S3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"DeletionPolicy": "Delete",
"Properties": {
"Bucket": {
"Ref": "BucketName"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow Arn read access to S3 bucket.",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"SentinelWebIdentityBasedRole",
"Arn"
]
}
},
"Action": "s3:GetObject",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"/*"
]
]
}
}
]
}
}
},
"FirehoseDeliveryStreamRole": {
"Type": "AWS::IAM::Role",
"DeletionPolicy": "Delete",
"Properties": {
"RoleName": "MSSentinelFirehoseDeliveryStreamRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TrustDataFirehoseService",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Policies": [
{
"PolicyName": "MSSentinelFirehoseDeliveryStreamPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
{
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"/*"
]
]
}
]
}
]
}
}
]
}
},
"SecurityHubDeliveryStream": {
"Type": "AWS::KinesisFirehose::DeliveryStream",
"DeletionPolicy": "Delete",
"Properties": {
"DeliveryStreamName": "MSSentinel-SecurityHub-FirehoseDeliveryStream",
"DeliveryStreamType": "DirectPut",
"DeliveryStreamEncryptionConfigurationInput": {
"KeyType": "AWS_OWNED_CMK"
},
"ExtendedS3DestinationConfiguration": {
"BucketARN": {
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"BufferingHints": {
"SizeInMBs": 128,
"IntervalInSeconds": 300
},
"CompressionFormat": "GZIP",
"FileExtension": ".gz",
"Prefix": {
"Fn::Sub": "AWSLogs/${AWS::AccountId}/SecurityHubFindings/"
},
"ProcessingConfiguration": {
"Enabled": true,
"Processors": [
{
"Type": "AppendDelimiterToRecord",
"Parameters": [
{
"ParameterName": "Delimiter",
"ParameterValue": "\\n"
}
]
}
]
},
"RoleARN": {
"Fn::GetAtt": [
"FirehoseDeliveryStreamRole",
"Arn"
]
}
}
}
},
"EventBridgeInvokeFirehoseRole": {
"Type": "AWS::IAM::Role",
"DeletionPolicy": "Delete",
"Properties": {
"RoleName": "MSSentinelSecurityHubEventBridgeRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TrustEventBridgeService",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": {
"Fn::Sub": "${AWS::AccountId}"
}
}
}
}
]
},
"Policies": [
{
"PolicyName": "MSSentinelSecurityHubEventBridgePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ActionsForFirehose",
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": [
{
"Fn::GetAtt": [
"SecurityHubDeliveryStream",
"Arn"
]
}
]
}
]
}
}
]
}
},
"EventBridgeInvokeFirehoseRule": {
"Type": "AWS::Events::Rule",
"DeletionPolicy": "Delete",
"Properties": {
"Name": "securityhub-findings-to-s3-bucket",
"Description": "Rule to invoke Data Firehose delivery stream to send Security Hub findings to S3 bucket.",
"EventBusName": "default",
"EventPattern": {
"source": [
"aws.securityhub"
],
"detail-type": [
"Security Hub Findings - Imported"
]
},
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"SecurityHubDeliveryStream",
"Arn"
]
},
"Id": "SecurityHubFindingsToFirehose",
"RoleArn": {
"Fn::GetAtt": [
"EventBridgeInvokeFirehoseRole",
"Arn"
]
}
}
]
}
},
"SentinelSQSQueue": {
"Type": "AWS::SQS::Queue",
"DeletionPolicy": "Delete",
"Properties": {
"QueueName": {
"Ref": "SentinelSQSQueueName"
},
"Tags": [
{
"Key": "Bucket",
"Value": {
"Ref": "BucketName"
}
}
]
}
},
"SentinelSQSQueuePolicyForS3": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Sid": "Allow S3 to send notification messages to SQS queue",
"Action": [
"SQS:SendMessage"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
}
],
"Principal": {
"Service": "s3.amazonaws.com"
},
"Condition": {
"StringEquals": {
"aws:SourceAccount": {
"Fn::Sub": "${AWS::AccountId}"
}
},
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:${AWS::Partition}:s3:*:*:${BucketName}"
}
}
}
},
{
"Sid": "Allow Assumed role to read/delete/change visibility of SQS messages and get queue url.",
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage",
"SQS:GetQueueUrl"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
}
],
"Principal": {
"AWS": [
{
"Fn::GetAtt": [
"SentinelWebIdentityBasedRole",
"Arn"
]
}
]
}
}
]
},
"Queues": [
{
"Ref": "SentinelSQSQueue"
}
]
}
}
},
"Outputs": {
"SentinelRoleArn": {
"Value": {
"Fn::GetAtt": [
"SentinelWebIdentityBasedRole",
"Arn"
]
},
"Description": "Role ARN for Sentinel Role that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal."
},
"SentinelSQSQueueURL": {
"Description": "AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in the Sentinel Data Connectors portal.",
"Value": {
"Ref": "SentinelSQSQueue"
}
},
"SentinelSQSQueueArn": {
"Description": "Log destination ARN to be used when setting up other accounts to exports logs",
"Value": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"Arn"
]
}
},
"SentinelSQSQueueName": {
"Description": "SQS Name",
"Value": {
"Fn::GetAtt": [
"SentinelSQSQueue",
"QueueName"
]
}
}
}
}
転送する Findings を限定してみた
Microsoft Sentinel に転送する Findings のサービスを制限してみます。
EventBridge のイベントパターンで下記を指定することで製品名でフィルタできます。Security Hub CSPM セキュリティ基準の内容と Amazon GuardDuty の検出結果のみを対象とした例です。
{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"ProductName": ["GuardDuty", "Security Hub"]
}
}
}
さらに、重要度も絞る場合の例です。Security Hub では、コンプライアンスステータスが PASSED のコントロールは INFORMATIONAL となるため、下記のパターンとすることで解決済みのコントロールを Microsoft Sentinel に転送しなくなります。本ブログではこのパターンで試してみます。
{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"ProductName": ["GuardDuty", "Security Hub"],
"Severity": {
"Label": ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
}
}
}
}
Microsoft Sentinel が提供する CloudFormation テンプレートを YAML 形式に変更して EventBridge ルールの設定を変更したテンプレート例です。EventBridge 部分だけ抜粋しています。
EventBridgeInvokeFirehoseRule:
Type: AWS::Events::Rule
DeletionPolicy: Delete
Properties:
Name: securityhub-findings-to-s3-bucket
Description: >-
Rule to invoke Data Firehose delivery stream to send Security Hub
findings to S3 bucket.
EventBusName: default
EventPattern:
source:
- aws.securityhub
detail-type:
- Security Hub Findings - Imported
detail:
findings:
ProductName:
- GuardDuty
- Security Hub
Severity:
Label:
- LOW
- MEDIUM
- HIGH
- CRITICAL
State: ENABLED
Targets:
- Arn:
Fn::GetAtt:
- SecurityHubDeliveryStream
- Arn
Id: SecurityHubFindingsToFirehose
RoleArn:
Fn::GetAtt:
- EventBridgeInvokeFirehoseRole
- Arn
全文は下記となります。長いので折りたたんでいます。
CloudFormation テンプレート
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
This Stack creates Amazon Data Firehose, Amazon EventBridge, S3 Bucket, Simple
Queue Service (SQS), IAM roles and necessray permission policies to ingest
Security Hub Findings to Microsoft Sentinel workspace.
Parameters:
AwsRoleName:
Type: String
Description: >-
Enter the ARN name for the role. The name must start with 'OIDC_',
otherwise the connector will not function properly.
AllowedPattern: OIDC_[-_a-zA-Z0-9]+
Default: OIDC_MicrosoftSentinelRoleSecurityHub
BucketName:
Type: String
AllowedPattern: ^[a-z0-9][a-z0-9-.]{1,61}[a-z0-9]$
Description: >-
Enter the name of the S3 bucket. Bucket name must be unique within the
global namespace and follow the bucket naming rules.
Default: microsoft-sentinel-securityhub-s3-bucket
SentinelSQSQueueName:
Default: MicrosoftSentinelSecurityHubSqs
Type: String
Description: Enter the name for the SQS Queue.
SentinelWorkspaceId:
Type: String
Description: Enter the Microsoft Sentinel Workspace ID
CreateNewBucket:
AllowedValues:
- true
- false
Default: true
Description: Set to false to have Amazon S3 use an existing S3 Bucket.
Type: String
Conditions:
CreateNewBucketCondition:
Fn::Equals:
- Ref: CreateNewBucket
- true
Resources:
SentinelWebIdentityBasedRole:
Type: AWS::IAM::Role
Properties:
RoleName:
Ref: AwsRoleName
Description: Role to provide Microsoft Sentinel access to Security Hub Findings.
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess
AssumeRolePolicyDocument:
Fn::Sub: >-
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal":
{"Federated":
"arn:aws:iam::${AWS::AccountId}:oidc-provider/sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/"},"Action":
"sts:AssumeRoleWithWebIdentity","Condition": {"StringEquals":
{"sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/:aud":
"api://1462b192-27f7-4cb9-8523-0f4ecb54b47e","sts:RoleSessionName":
"MicrosoftSentinel_${SentinelWorkspaceId}"}}}]}
Policies:
- PolicyName: AWSSecurityHubLoggingPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSSecurityHubReadOnlyAccess
Effect: Allow
Action:
- securityhub:Get*
- securityhub:List*
- securityhub:BatchGet*
- securityhub:Describe*
Resource: '*'
S3Bucket:
Type: AWS::S3::Bucket
Condition: CreateNewBucketCondition
DeletionPolicy: Delete
Properties:
BucketName:
Ref: BucketName
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerEnforced
VersioningConfiguration:
Status: Enabled
NotificationConfiguration:
QueueConfigurations:
- Queue:
Fn::GetAtt:
- SentinelSQSQueue
- Arn
Event: s3:ObjectCreated:*
Filter:
S3Key:
Rules:
- Name: prefix
Value:
Fn::Sub: AWSLogs/${AWS::AccountId}/SecurityHubFindings/
- Name: suffix
Value: .gz
S3BucketPolicy:
Type: AWS::S3::BucketPolicy
DeletionPolicy: Delete
Properties:
Bucket:
Ref: BucketName
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: Allow Arn read access to S3 bucket.
Effect: Allow
Principal:
AWS:
Fn::GetAtt:
- SentinelWebIdentityBasedRole
- Arn
Action: s3:GetObject
Resource:
Fn::Join:
- ''
- - Fn::GetAtt:
- S3Bucket
- Arn
- /*
FirehoseDeliveryStreamRole:
Type: AWS::IAM::Role
DeletionPolicy: Delete
Properties:
RoleName: MSSentinelFirehoseDeliveryStreamRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: TrustDataFirehoseService
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: MSSentinelFirehoseDeliveryStreamPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Resource:
- Fn::GetAtt:
- S3Bucket
- Arn
- Fn::Join:
- ''
- - Fn::GetAtt:
- S3Bucket
- Arn
- /*
SecurityHubDeliveryStream:
Type: AWS::KinesisFirehose::DeliveryStream
DeletionPolicy: Delete
Properties:
DeliveryStreamName: MSSentinel-SecurityHub-FirehoseDeliveryStream
DeliveryStreamType: DirectPut
DeliveryStreamEncryptionConfigurationInput:
KeyType: AWS_OWNED_CMK
ExtendedS3DestinationConfiguration:
BucketARN:
Fn::GetAtt:
- S3Bucket
- Arn
BufferingHints:
SizeInMBs: 128
IntervalInSeconds: 300
CompressionFormat: GZIP
FileExtension: .gz
Prefix:
Fn::Sub: AWSLogs/${AWS::AccountId}/SecurityHubFindings/
ProcessingConfiguration:
Enabled: true
Processors:
- Type: AppendDelimiterToRecord
Parameters:
- ParameterName: Delimiter
ParameterValue: \n
RoleARN:
Fn::GetAtt:
- FirehoseDeliveryStreamRole
- Arn
EventBridgeInvokeFirehoseRole:
Type: AWS::IAM::Role
DeletionPolicy: Delete
Properties:
RoleName: MSSentinelSecurityHubEventBridgeRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: TrustEventBridgeService
Effect: Allow
Principal:
Service: events.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceAccount:
Fn::Sub: ${AWS::AccountId}
Policies:
- PolicyName: MSSentinelSecurityHubEventBridgePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ActionsForFirehose
Effect: Allow
Action:
- firehose:PutRecord
- firehose:PutRecordBatch
Resource:
- Fn::GetAtt:
- SecurityHubDeliveryStream
- Arn
EventBridgeInvokeFirehoseRule:
Type: AWS::Events::Rule
DeletionPolicy: Delete
Properties:
Name: securityhub-findings-to-s3-bucket
Description: >-
Rule to invoke Data Firehose delivery stream to send Security Hub
findings to S3 bucket.
EventBusName: default
EventPattern:
source:
- aws.securityhub
detail-type:
- Security Hub Findings - Imported
detail:
findings:
ProductName:
- GuardDuty
- Security Hub
Severity:
Label:
- LOW
- MEDIUM
- HIGH
- CRITICAL
State: ENABLED
Targets:
- Arn:
Fn::GetAtt:
- SecurityHubDeliveryStream
- Arn
Id: SecurityHubFindingsToFirehose
RoleArn:
Fn::GetAtt:
- EventBridgeInvokeFirehoseRole
- Arn
SentinelSQSQueue:
Type: AWS::SQS::Queue
DeletionPolicy: Delete
Properties:
QueueName:
Ref: SentinelSQSQueueName
Tags:
- Key: Bucket
Value:
Ref: BucketName
SentinelSQSQueuePolicyForS3:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: Allow S3 to send notification messages to SQS queue
Action:
- SQS:SendMessage
Effect: Allow
Resource:
- Fn::GetAtt:
- SentinelSQSQueue
- Arn
Principal:
Service: s3.amazonaws.com
Condition:
StringEquals:
aws:SourceAccount:
Fn::Sub: ${AWS::AccountId}
ArnLike:
aws:SourceArn:
Fn::Sub: arn:${AWS::Partition}:s3:*:*:${BucketName}
- Sid: >-
Allow Assumed role to read/delete/change visibility of SQS
messages and get queue url.
Action:
- SQS:ChangeMessageVisibility
- SQS:DeleteMessage
- SQS:ReceiveMessage
- SQS:GetQueueUrl
Effect: Allow
Resource:
- Fn::GetAtt:
- SentinelSQSQueue
- Arn
Principal:
AWS:
- Fn::GetAtt:
- SentinelWebIdentityBasedRole
- Arn
Queues:
- Ref: SentinelSQSQueue
Outputs:
SentinelRoleArn:
Value:
Fn::GetAtt:
- SentinelWebIdentityBasedRole
- Arn
Description: >-
Role ARN for Sentinel Role that is inserted into Amazon Web Service S3
Connector in the Sentinel Data Connectors portal.
SentinelSQSQueueURL:
Description: >-
AWS SQS Queue URL that is inserted into Amazon Web Service S3 Connector in
the Sentinel Data Connectors portal.
Value:
Ref: SentinelSQSQueue
SentinelSQSQueueArn:
Description: >-
Log destination ARN to be used when setting up other accounts to exports
logs
Value:
Fn::GetAtt:
- SentinelSQSQueue
- Arn
SentinelSQSQueueName:
Description: SQS Name
Value:
Fn::GetAtt:
- SentinelSQSQueue
- QueueName
AWS 側で CloudFormation テンプレートをデプロイした後の EventBridge ルールの設定画面です。

次の設定をして、Microsoft Sentinel 側に転送されるデータを確認してみます。
- AWS Security Hub CSPM の「AWS Security Hub CSPM の基本的なセキュリティのベストプラクティス標準」を有効化
- Amazon GuardDuty のサンプルイベントを発行(下記のコマンド)
- Amazon Inspector や外部アクセスの IAM Access Analyzer を有効化(Microsoft Sentinel 側に転送されないことを確認するため)
aws guardduty create-sample-findings \
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
--finding-types "Backdoor:EC2/DenialOfService.Dns"
1日程度待ち、Microsoft Sentinel 側で Findings で確認してみます。
まず、製品名毎の Findings のカウントを確認します。
AWSSecurityHubFindings
| summarize FindingsCount = count() by AwsSecurityFindingProductName
| order by FindingsCount desc

意図したとおり、Microsoft Sentinel に転送されている Findings は Security Hub と GuardDuty のみとなっていることを確認できました。
次に Security Hub における重要度別の Findings のカウントを確認してみます。
AWSSecurityHubFindings
| where AwsSecurityFindingProductName == "Security Hub"
| extend SeverityLabel = tostring(AwsSecurityFindingSeverity.Label)
| summarize FindingsCount = count() by SeverityLabel
| order by FindingsCount desc

こちらも意図どおり、 INFORMATIONAL の Findings がないことを確認できました。
さいごに
AWS Security Hub CSPM の Findings を Microsoft Sentinel へ転送する構成で、EventBridge ルールのイベントパターンを変更することで Microsoft Sentinel に送信する Findings を限定する設定を試してみました。Microsoft Sentinel 側に不要な Findings を送信しないことでコスト削減したいときに有用です。
以上、このブログがどなたかのご参考になれば幸いです。








