

# Automation rules in EventBridge

 You can use automation rules in Amazon EventBridge to respond to Security Hub findings. Security Hub sends findings to EventBridge as events in near real time. You can write basic rules that indicate what automated actions to take when an event matches a rule. Actions that can be automatically triggered include the following: 
+  Configuring an API destination in EventBridge 
+  Invoking Amazon EC2 run commands 
+  Invoking Lambda functions 
+  Invoking Step Functions state machines 
+  Notifying an Amazon SNS topic or an Amazon SQS queue 
+  Relaying events to Kinesis Data Streams 
+  Sending a finding to a third-party ticketing, chat, SIEM, or incident response and management tool 
+  [Sending an event to an EventBridge bus in another AWS account](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-bus-example-policy-cross-account-custom-bus-source.html) 

 Security Hub sends new findings and updated findings to EventBridge as events. Then you configure EventBridge rules to respond to each Security Hub event. For more information, see [What is EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) in the *EventBridge User Guide*. 

**Note**  
 If you have EventBridge rules defined for findings in Security Hub CSPM, the rules could overlap with rules defined for Security Hub. To avoid sending duplicate findings, evaluate the rules you have defined for Security Hub CSPM to determine if they overlap with rules you have defined for Security Hub. Where applicable, disable any Security Hub CSPM rules that are replaced by Security Hub rules. 

**Note**  
 As a best practice, make sure users with permission to access EventBridge use AWS Identity and Access Management policies that grant the minimum required permissions. For more information, see [EventBridge and AWS Identity and Access Management](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-iam.html) in the *EventBridge User Guide*. 

# EventBridge event types


Security Hub uses the following Amazon EventBridge event types to integrate with EventBridge.

On the EventBridge dashboard for Security Hub, **All Events** includes all of these event types.

## Findings Imported V2


 Security Hub automatically sends all new findings and all updates to existing findings to EventBridge as **Findings Imported V2** events. Each **Findings Imported V2** event contains a single finding.

 Every finding that's imported and every finding updated through a [BatchUpdateFindingsV2](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_BatchUpdateFindingsV2.html) request triggers a **Findings Imported V2** event. 

For administrator accounts, the event feed in EventBridge includes events for findings from both their account and from their member accounts.

In an aggregation Region, the event feed includes events for findings from the aggregation Region and the linked Regions. Cross-Region findings are included in the event feed in near real time. 

You can define rules in EventBridge that automatically route findings to a remediation workflow, third-party tool, or [other supported EventBridge target](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html). The rules can include filters that only apply the rule if the finding has specific attribute values.

You use this method to automatically send all findings, or all findings that have specific characteristics, to a response or remediation workflow.

**Note**  
 Security Hub and Security Hub CSPM both send findings to EventBridge under the source of `aws.securityhub`. Ensure that your EventBridge rules use the detail-type that is specific to Security Hub in order to avoid duplicate notifications related to Security Hub CSPM findings. 

# EventBridge event formats


 The **Findings Imported V2** event type uses the following event format. 

**Example**  
 This format is used when Security Hub sends an event to EventBridge. 

```
{
   "version":"0",
   "id":"CWE-event-id",
   "detail-type":"Findings Imported V2",
   "source":"aws.securityhub",
   "account":"111122223333",
   "time":"2019-04-11T21:52:17Z",
   "region":"us-west-2",
   "resources":[
      "e51603d1054aad9d9f498d82d6e81acf4cf6bc88140e8ad2273123c73b81084"
   ],
   "detail":{
      "findings": [{
         <finding content>
       }]
   }
}
```

 Each event sends a single finding. `<finding content>` is the JSON content of the finding sent by the event. 

 For a complete list of finding attributes, see [OCSF findings in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/security-hub-adv-ocsf-findings.html). 

# Configuring rules for EventBridge


You can create a rule in Amazon EventBridge that defines an action to take when a **Findings Imported V2** event is received. **Findings Imported V2** events are triggered by updates through [BatchUpdateFindingsV2](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_BatchUpdateFindingsV2.html).

Each rule contains an event pattern, which identifies the events that trigger the rule. The event pattern always contains the event source (`aws.securityhub`) and the event type (**Findings Imported V2**). The event pattern can also specify filters to identify the findings that the rule applies to.

The event rule then identifies the rule targets. The targets are the actions to take when EventBridge receives a **Findings Imported V2** event and the finding matches the filters.

The instructions provided here use the EventBridge console. When you use the console, EventBridge automatically creates the required resource-based policy that enables EventBridge to write to Amazon CloudWatch Logs.

You can also use the [PutRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutRule.html) operation of the EventBridge API. However, if you use the EventBridge API, then you must create the resource-based policy. For information about the required policy, see [CloudWatch Logs permissions](https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#cloudwatchlogs-permissions) in the *Amazon EventBridge User Guide*.

## Format of the event pattern


The format of the event pattern for **Findings Imported V2** events is as follows:

```
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Findings Imported V2"
  ],
  "detail": {
    "findings": {
      <attribute filter values>
    }
  }
}
```
+ `source` identifies Security Hub as the service that generates the event.
+ `detail-type` identifies the type of event.
+ `detail` is optional and provides the filter values for the event pattern. If the event pattern does not contain a `detail` field, then all findings trigger the rule.

You can filter the findings based on any finding attribute. For each attribute, you provide a comma-separated array of one or more values.

```
"<attribute name>": [ "<value1>", "<value2>"]
```

If you provide more than one value for an attribute, then those values are joined by `OR`. A finding matches the filter for an individual attribute if the finding has any of the listed values. For example, if you provide both `INFORMATIONAL` and `LOW` as values for `Severity.Label`, then the finding matches if it has a severity label of either `INFORMATIONAL` or `LOW`.

The attributes are joined by `AND`. A finding matches if it matches the filter criteria for all of the provided attributes.

When you provide an attribute value, it must reflect the location of that attribute within the AWS Open Cybersecurity Schema Framework (OCSF) structure.

In the following example, the event pattern provides filter values for `ProductArn` and `Severity.Label`, so a finding matches if it is generated by Amazon Inspector and it has a severity label of either `INFORMATIONAL` or `LOW`.

```
{
    "source": [
        "aws.securityhub"
    ],
    "detail-type": [
        "Findings Imported V2"
    ],
    "detail": {
        "findings": {
            "ProductArn": ["arn:aws:securityhub:us-east-1::product/aws/inspector"],
            "Severity": {
                "Label": ["INFORMATIONAL", "LOW"]
            }
        }
    }
}
```
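To make the OR-within-an-attribute and AND-across-attributes semantics concrete, the following added example (not AWS code) implements the exact-value subset of EventBridge pattern matching and checks the Inspector pattern above against sample events. It flattens both the pattern and the event to dotted paths, which is how EventBridge treats the `findings` array; `sample_event` and its finding body are constructed stand-ins, and pattern operators such as `prefix` are rejected rather than emulated.

```python
# Added example, not AWS code: a minimal matcher for the exact-value subset of
# EventBridge event patterns, used to check the rule above against sample events.

INSPECTOR_LOW_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Findings Imported V2"],
    "detail": {"findings": {
        "ProductArn": ["arn:aws:securityhub:us-east-1::product/aws/inspector"],
        "Severity": {"Label": ["INFORMATIONAL", "LOW"]},
    }},
}

def sample_event(product_arn, label, detail_type="Findings Imported V2"):
    """Constructed Findings Imported V2 event; the finding body is a stand-in."""
    return {
        "version": "0", "id": "CWE-event-id", "detail-type": detail_type,
        "source": "aws.securityhub", "account": "111122223333",
        "time": "2019-04-11T21:52:17Z", "region": "us-west-2",
        "resources": ["example-resource-id"],
        "detail": {"findings": [{"ProductArn": product_arn,
                                 "Severity": {"Label": label}}]},
    }

def _leaves(node, path="", is_pattern=False):
    """Yield (dotted path, scalar); array elements share their parent's path."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}" if path else key, is_pattern)
    elif isinstance(node, list):
        for item in node:
            if is_pattern and isinstance(item, dict):  # e.g. {"prefix": ...}
                raise ValueError(f"unsupported pattern operator at {path!r}: {item}")
            yield from _leaves(item, path, is_pattern)
    else:
        yield path, node

def _flatten(node, is_pattern=False):
    flat = {}
    for path, value in _leaves(node, is_pattern=is_pattern):
        flat.setdefault(path, set()).add(value)
    return flat

def matches(pattern, event):
    """Rule fires only if every pattern path (AND) has at least one of its
    listed values present in the event at that path (OR)."""
    flat_event = _flatten(event)
    return all(flat_event.get(path, set()) & allowed
               for path, allowed in _flatten(pattern, is_pattern=True).items())
```

A pattern with no `detail` key flattens to just `source` and `detail-type`, so it matches every Security Hub finding event, as the text above states.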

## Creating an event rule


You can use a predefined event pattern or a custom event pattern to create a rule in EventBridge. If you select a predefined pattern, EventBridge automatically fills in `source` and `detail-type`. EventBridge also provides fields to specify filter values for the following finding attributes:
+ `cloud.account.uid`
+ `compliance.status`
+ `metadata.product.name`
+ `resources.uid`
+ `severity`
+ `status`

**To create an EventBridge rule (console)**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. Using the following values, create an EventBridge rule that monitors finding events:
   + For **Rule type**, choose **Rule with an event pattern**.
   + Choose how to build the event pattern. For the pattern options, see the [AWS documentation website](http://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-cwe-event-rules.html).
   + For **Target types**, choose **AWS service**, and for **Select a target**, choose a target such as an Amazon SNS topic or AWS Lambda function. The target is triggered when an event is received that matches the event pattern defined in the rule.

   For details about creating rules, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

**Note**  
 If you have EventBridge rules defined for findings in Security Hub CSPM, the rules could overlap with rules defined for Security Hub. To avoid sending duplicate findings, evaluate the rules you have defined for Security Hub CSPM to determine if they overlap with rules you have defined for Security Hub. Where applicable, disable any Security Hub CSPM rules that are replaced by Security Hub rules. 