AWS Security Hub

Stack Serverless Security

This page explains how to make data from the AWS Security Hub integration appear in the following places within Elastic Security:

In order for AWS Security Hub data to appear in these workflows:

  • Follow the steps to set up the AWS Security Hub integration.
  • Make sure the integration version is at least 2.31.1.
  • Ensure you have read privileges for the security_solution-*.misconfiguration_latest index.
  • While configuring the AWS Security Hub integration, turn on Collect AWS Security Hub Findings from AWS. We recommend you also set the Initial Interval value to 2160h (equivalent to 90 days) to ingest existing logs.

[Image: AWS Security Hub integration settings showing the findings toggle]

Note

You can ingest data from the AWS Security Hub integration for other purposes without following these steps.
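
A preflight check for the prerequisites listed above, added here as an example and not taken from Elastic's documentation or code. It assumes you have already fetched the response of Elasticsearch's `POST /_security/user/_has_privileges` API (using the body from `has_privileges_body()`) and read the integration version and Initial Interval from your integration policy; the function names, the sample response and the `h`/`m`/`s` interval syntax handled here are assumptions.

```python
import re

INDEX = "security_solution-*.misconfiguration_latest"
MIN_VERSION = (2, 31, 1)      # minimum integration version stated on this page
RECOMMENDED_HOURS = 2160      # 90 days, the recommended Initial Interval

def has_privileges_body():
    """Request body for POST /_security/user/_has_privileges."""
    return {"index": [{"names": [INDEX], "privileges": ["read"]}]}

def parse_version(text):
    # Compare numerically: as plain text, "2.4.0" sorts after "2.31.1".
    return tuple(int(part) for part in text.split("-")[0].split("."))

def interval_hours(text):
    """Convert an interval such as '2160h' or '1h30m' to hours (assumed syntax)."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised interval: {text!r}")
    factor = {"h": 1, "m": 1 / 60, "s": 1 / 3600}
    return sum(int(n) * factor[u] for n, u in parts)

def preflight(has_priv_response, integration_version, initial_interval):
    """Return (errors, warnings) for the prerequisites in the list above."""
    errors, warnings = [], []
    index_privs = has_priv_response.get("index", {}).get(INDEX, {})
    if not index_privs.get("read", False):
        errors.append(f"no read privilege on {INDEX}")
    if parse_version(integration_version) < MIN_VERSION:
        errors.append(f"integration {integration_version} is older than 2.31.1")
    if interval_hours(initial_interval) < RECOMMENDED_HOURS:
        warnings.append(
            f"Initial Interval {initial_interval} is shorter than the recommended 2160h")
    return errors, warnings

# Constructed sample response (not real cluster output).
SAMPLE_RESPONSE = {"username": "analyst", "has_all_requested": False,
                   "index": {INDEX: {"read": False}}}

if __name__ == "__main__":
    print(has_privileges_body())
    print(preflight(SAMPLE_RESPONSE, "2.4.0", "24h"))
```

Errors block the findings from appearing in Elastic Security; the warning only reflects the page's recommendation for ingesting existing logs.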