Alcide kAudit integration with AWS Security Hub requires configuration on both the AWS side and the Alcide kAudit side. The AWS configuration can be done via the AWS Management Console or the CLI, on the customer's AWS account to which the findings are sent and in the AWS region of the selected SecurityHub. In the following CLI command examples, this account is represented by the ID 111111111111. See the AWS SecurityHub documentation for further information.
Enable AWS Security Hub
Enable SecurityHub on the account:
aws securityhub enable-security-hub
This change can be undone with:
aws securityhub disable-security-hub
Find the Alcide kAudit Product ARN
List the products available for integration with SecurityHub and find Alcide kAudit among them. Extract the Alcide kAudit product ARN for the next configuration steps. If Alcide kAudit is not in the list, please contact AWS support.
aws securityhub describe-products
Example Alcide kAudit product ARN: arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit
Enable Findings Import from Alcide kAudit Product
Enable findings import from the Alcide kAudit product into SecurityHub, using its product ARN and the AWS region of the SecurityHub. The response should be the matching product subscription ARN.
Listing all of the products currently enabled for import in the SecurityHub should now show the Alcide kAudit subscription:
aws securityhub list-enabled-products-for-import --region us-west-2
The product can later be disabled from importing findings with the following command, using the product subscription ARN returned above.
Configure AWS Policy to Let kAudit Import Findings
The AWS credentials for the kAudit integration may be configured in kAudit either as an AWS access key pair (access key ID and secret access key) of an IAM user, or as an STS role. These credentials should be associated with an IAM policy that grants permission to batch-import findings on the Alcide kAudit product ARN, and nothing more.
For example, create an IAM user with the following attached policy permissions, and then create an access key pair for it:
Configure Alcide kAudit for AWS SecurityHub Integration
Configure Alcide kAudit to send its findings to SecurityHub using kAudit's ConfigMap and Secret configuration option (see the configuration guide). Use the AWS credentials (user access key pair or STS role) prepared in the previous step.
View and Process Alcide kAudit Findings in AWS SecurityHub
AWS SecurityHub will now receive detection findings (anomalies and incidents) and policy violation findings from Alcide kAudit. These findings can be viewed and processed using the SecurityHub console or the CLI. For example, in the CLI, see the following for details on how to filter the findings:
aws securityhub get-findings help
As another example, in the CLI, see the following for details on how to transform the findings into insights:
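As an added example that is not part of the kAudit documentation, the script below builds a Security Hub finding filter scoped to the Alcide kAudit product, uses it both for `get-findings` and for an insight grouped by resource type, and counts findings by severity label in a `get-findings` result. It assumes region us-west-2 and the product ARN shown earlier on the page, and uses the documented Security Hub filter fields `ProductArn`, `SeverityLabel` and `RecordState` with the `EQUALS` comparison. The function names and the insight name are hypothetical, and the `get-findings` JSON used offline is a constructed sample, not real kAudit output.

```shell
#!/bin/sh
# Added example (not from the kAudit documentation). Assumes region us-west-2
# and the kAudit product ARN shown on the page.

KAUDIT_REGION="${KAUDIT_REGION:-us-west-2}"
KAUDIT_ARN="arn:aws:securityhub:${KAUDIT_REGION}::product/alcide/alcide-kaudit"

# Filter JSON: active findings from kAudit only, optionally restricted to the
# severity labels given as arguments (e.g. HIGH CRITICAL). Scoping on
# ProductArn keeps kAudit findings separate from every other integration.
kaudit_findings_filter() {
    labels=""
    for l in "$@"; do
        labels="${labels:+$labels,}{\"Value\":\"$l\",\"Comparison\":\"EQUALS\"}"
    done
    printf '{"ProductArn":[{"Value":"%s","Comparison":"EQUALS"}]' "$KAUDIT_ARN"
    printf ',"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]'
    if [ -n "$labels" ]; then
        printf ',"SeverityLabel":[%s]' "$labels"
    fi
    printf '}\n'
}

# Count findings carrying a given severity label in get-findings JSON on stdin.
count_findings() {
    grep -o "\"Label\":\"$1\"" | wc -l | tr -d ' '
}

# Constructed sample of a get-findings response with two kAudit findings.
SAMPLE_FINDINGS='{"Findings":[
 {"Id":"kaudit-finding-1","ProductArn":"arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit",
  "Title":"Anomalous API activity","Severity":{"Label":"HIGH","Normalized":70},
  "RecordState":"ACTIVE","Resources":[{"Type":"Other","Id":"cluster/prod"}]},
 {"Id":"kaudit-finding-2","ProductArn":"arn:aws:securityhub:us-west-2::product/alcide/alcide-kaudit",
  "Title":"Policy violation","Severity":{"Label":"MEDIUM","Normalized":40},
  "RecordState":"ACTIVE","Resources":[{"Type":"Other","Id":"cluster/prod"}]}
]}'

# Newest high/critical kAudit findings. Runs only with "query".
query_kaudit_findings() {
    aws securityhub get-findings --region "$KAUDIT_REGION" \
        --filters "$(kaudit_findings_filter HIGH CRITICAL)" \
        --sort-criteria '{"Field":"UpdatedAt","SortOrder":"desc"}' \
        --max-items 50
}

# Turn the same filter into a saved insight, grouped by resource type.
# Runs only with "insight".
create_kaudit_insight() {
    aws securityhub create-insight --region "$KAUDIT_REGION" \
        --name "Alcide kAudit: active high/critical findings by resource" \
        --filters "$(kaudit_findings_filter HIGH CRITICAL)" \
        --group-by-attribute ResourceType
}

case "${1:-}" in
    query)   query_kaudit_findings ;;
    insight) create_kaudit_insight ;;
esac
```

Keeping the filter in one function means the ad-hoc query and the saved insight can never drift apart; when triage criteria change (say, adding MEDIUM), both update together.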