on 06-21-2019 02:23 PM
On June 25, 2019, Amazon Web Services announced the general availability of AWS Security Hub, a solution that provides visibility into high-priority security vulnerabilities and threats that could impact users’ AWS environments and compliance status. AWS Security Hub is a central repository of security alerts, or findings, that are aggregated and prioritized so that security professionals can identify issues and quickly take action.
The integration with ServiceNow provides AWS Security Hub customers with an option to push security findings into ServiceNow Security Operations as well as ServiceNow IT Service Management ticketing systems. More information on the Security Operations integration can be found here. Note that this posting is specific to the ITSM integration – users are welcome to use these instructions, but please note the ITSM integration is not an official ServiceNow-supported solution at this time.
Security remains a critical issue for users across both on-premises data centers and cloud environments. As the world’s largest public cloud provider, AWS has developed several security solutions, such as AWS Inspector for vulnerability scanning, AWS GuardDuty for network intrusion detection, and AWS Macie for anomaly detection, to help protect users. AWS has also partnered with dozens of independent, best-of-breed security companies to provide additional visibility. AWS Security Hub was launched to help reduce the time and effort needed to collect, correlate, and prioritize security findings across multiple AWS and partner tools. Security findings are formatted in a common data model, and results can be displayed and discovered from a single console.
The integration of AWS Security Hub with ServiceNow helps users take relevant action on security findings. The integration with ITSM gives users the ability to automatically open incident tickets for high-priority issues. The integration with SecOps adds even more functionality by correlating and prioritizing findings based on their impact on compliance status as well as their impact on the business.
AWS Security Hub uses CloudWatch to “push” findings gathered in the previous hour to ServiceNow every 15 minutes (scheduled forwards). Findings will also be pushed if manually triggered from Security Hub (manual forwards). Both methods trigger a Lambda function which posts findings from Security Hub to ServiceNow via REST.
Note: your instance must have Event Management activated for this integration to work
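To make the two forwarding paths concrete, here is an added illustration of what such a Lambda can look like. It is not the function shipped in the post's zip file. It assumes three hypothetical environment variables (SN_INSTANCE, SN_USER, SN_PASSWORD), that Event Management is active so the em_event table accepts inserts through the ServiceNow Table API, and that the function is invoked either by a CloudWatch Events schedule rule (scheduled forwards, which pull the previous hour of findings from the Security Hub API) or by a Security Hub custom action (manual forwards, which carry the findings inline in the event). The severity mapping and the sample finding are constructed for the example.

```python
"""Forward AWS Security Hub findings to ServiceNow Event Management.

Added illustration, not the Lambda from the post's zip file. Assumes the
hypothetical env vars SN_INSTANCE, SN_USER, SN_PASSWORD and that Event
Management is active so /api/now/table/em_event accepts inserts.
"""
import base64
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

SN_EVENT_PATH = "/api/now/table/em_event"


def asff_to_sn_severity(normalized):
    """Map ASFF Severity.Normalized (0-100) onto em_event severity
    (1 critical .. 5 info). Band edges follow Security Hub's labels; the
    target values are this example's choice."""
    if normalized >= 90:
        return "1"   # CRITICAL
    if normalized >= 70:
        return "2"   # HIGH
    if normalized >= 40:
        return "3"   # MEDIUM
    if normalized >= 1:
        return "4"   # LOW
    return "5"       # INFORMATIONAL


def finding_to_event(finding):
    """Build one em_event record from an ASFF finding. message_key is the
    finding Id, so a re-imported finding updates the existing alert rather
    than opening a second one."""
    first_resource = (finding.get("Resources") or [{}])[0]
    return {
        "source": "AWS Security Hub",
        "event_class": finding.get("ProductArn", ""),
        "node": finding.get("AwsAccountId", ""),
        "resource": first_resource.get("Id", ""),
        "type": (finding.get("Types") or ["Unknown"])[0],
        "severity": asff_to_sn_severity(finding.get("Severity", {}).get("Normalized", 0)),
        "description": f"{finding.get('Title', '')}: {finding.get('Description', '')}",
        "message_key": finding["Id"],
        "additional_info": json.dumps({
            "finding_id": finding["Id"],
            "updated_at": finding.get("UpdatedAt"),
            "compliance": finding.get("Compliance", {}).get("Status"),
        }),
    }


def post_event(event, opener=urllib.request.urlopen):
    """POST one event to the Table API with basic auth; returns HTTP status."""
    url = f"https://{os.environ['SN_INSTANCE']}.service-now.com{SN_EVENT_PATH}"
    token = base64.b64encode(
        f"{os.environ['SN_USER']}:{os.environ['SN_PASSWORD']}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(event).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with opener(req) as resp:
        return resp.status


def fetch_last_hour():
    """Scheduled forward: pull findings updated in the previous hour."""
    import boto3  # imported lazily so the module loads without the AWS SDK
    now = datetime.now(timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    filters = {"UpdatedAt": [{"Start": stamp(now - timedelta(hours=1)), "End": stamp(now)}]}
    pages = boto3.client("securityhub").get_paginator("get_findings").paginate(Filters=filters)
    return [f for page in pages for f in page["Findings"]]


def findings_from_trigger(event, fetch_recent=fetch_last_hour):
    """Manual forwards carry findings inline in the custom-action event;
    scheduled forwards carry none, so the last hour is fetched from the API."""
    if event.get("detail-type") == "Security Hub Findings - Custom Action":
        return event["detail"]["findings"]
    return fetch_recent()


def handler(event, context=None, post=post_event, fetch_recent=fetch_last_hour):
    """Lambda entry point; post/fetch_recent are injectable for offline runs."""
    findings = findings_from_trigger(event, fetch_recent)
    for finding in findings:
        post(finding_to_event(finding))
    return {"forwarded": len(findings)}


# Constructed sample finding (placeholder account id and ARNs), shaped like ASFF.
SAMPLE_FINDING = {
    "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/EXAMPLE-ID",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "AwsAccountId": "111122223333",
    "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
    "UpdatedAt": "2019-06-21T14:23:00Z",
    "Severity": {"Normalized": 80, "Label": "HIGH"},
    "Title": "Constructed sample: security group allows unrestricted ingress",
    "Description": "Constructed sample description.",
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}],
    "Compliance": {"Status": "FAILED"},
}

# Constructed custom-action event as CloudWatch Events delivers it to the Lambda.
SAMPLE_CUSTOM_ACTION_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "detail": {"actionName": "SendToServiceNow", "findings": [SAMPLE_FINDING]},
}

if __name__ == "__main__":
    # Offline dry run: print the em_event records instead of posting them.
    print(handler(SAMPLE_CUSTOM_ACTION_EVENT, post=lambda e: print(json.dumps(e, indent=2))))
```

Two design points worth noting for a production version: using the finding Id as message_key lets Event Management correlate the 15-minute scheduled re-sends of an unchanged finding into one alert instead of a fresh incident each time, and keeping the severity mapping in one function makes it easy to align with whatever alert-to-incident rules the instance uses.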
Download the files you will need from here. This zip file contains the CloudFormation template and the Lambda function you will need to complete this exercise.
Congratulations! You have completed the AWS side of the configuration. Now let's test it to confirm that events are being sent from AWS Security Hub to your ServiceNow instance.
Congratulations! You have successfully sent an AWS Security Hub event from AWS to ServiceNow.
Supporting files may be downloaded here https://servicenow-my.sharepoint.com/:u:/p/grant_hulbert/Eby-jqjoi8tDsXuXuBuf3sEBEF7fiCjjsEqSTw5dzeu...
Link to CFN template and the zip files is broken. Could you update the correct link to those files?
Also where do we see these GuardDuty Findings in ServiceNow?