Cloud giant Amazon Web Services (AWS) thinks it has the answer to alert fatigue in the form of automated tasks.
The new capability, part of AWS Security Hub, aims to prevent the potentially dangerous human errors that come from manually sifting through large numbers of security alerts, where the repetitive nature of the work may lead analysts to downplay the importance of threats. So goes the AWS argument, at least.
Security alerts, or findings, from all other areas of AWS — as well as from more than 65 AWS Partner Network (APN) solutions — are aggregated within Security Hub. Automated actions on these findings were previously possible, but involved using Amazon EventBridge, AWS Lambda functions, AWS Systems Manager Automation runbooks, or AWS Step Functions.
That approach also requires the correct IAM permissions if the actions are to run across multiple accounts and Regions, as well as ongoing maintenance of the Lambda function and EventBridge rule to keep the automation flow working as expected.
Now, however, automated actions are possible right out of the gate, with the ability to set up rules that automatically update various fields in the findings, such as changing their severity and workflow status, adding notes, or suppressing them automatically.
AWS claims that there is a lot of flexibility in how these rules can be used. For example, users can change the severity of an alert based on the account ID, and add a note to provide additional information or instructions to the person conducting the investigation.
Such an automation rule can be set up through the AWS CLI, the console, the Security Hub API, or the AWS SDK for Python (Boto3). You can also set up multiple rules for the same findings and assign the order in which Security Hub executes the automated actions. The rule with the highest order value is applied last, and therefore has the final say on the relevant field.
You can also change the severity based on a resource tag. Another example scenario for the new automation feature is suppressing a finding that GuardDuty has flagged as informational, meaning there is no threat and the finding exists to provide information only; you may therefore want to hide further findings that carry that label.
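As an added illustration (not code from the article or from AWS), the following builds the two rules described above as `CreateAutomationRule` request bodies and simulates, without calling AWS, how Security Hub applies matching rules in ascending `RuleOrder`, so the rule with the highest order value acts last on a contested field. The account ID and the local matching logic are constructed assumptions; the request-body field names follow the Security Hub API.

```python
"""Build Security Hub automation rules as CreateAutomationRule request bodies
and simulate locally how they are applied in RuleOrder (no AWS calls made)."""
import copy

def severity_rule(name, order, account_id, label, note=None, terminal=False):
    """Rule matching one AwsAccountId; sets Severity.Label and optionally adds a Note."""
    update = {"Severity": {"Label": label}}
    if note:
        update["Note"] = {"Text": note, "UpdatedBy": "automation-rule"}
    return {"RuleName": name, "RuleOrder": order, "RuleStatus": "ENABLED",
            "IsTerminal": terminal,
            "Criteria": {"AwsAccountId": [{"Value": account_id, "Comparison": "EQUALS"}]},
            "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": update}]}

def suppress_guardduty_informational(order):
    """Rule suppressing GuardDuty findings whose severity label is INFORMATIONAL."""
    return {"RuleName": "suppress-guardduty-informational", "RuleOrder": order,
            "RuleStatus": "ENABLED", "IsTerminal": True,
            "Criteria": {"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
                         "SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}]},
            "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                         "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}]}

def _matches(finding, criteria):
    """EQUALS-only local stand-in for Security Hub criteria matching (every key must match)."""
    fields = {"AwsAccountId": finding.get("AwsAccountId"),
              "ProductName": finding.get("ProductName"),
              "SeverityLabel": finding.get("Severity", {}).get("Label")}
    return all(any(f["Comparison"] == "EQUALS" and f["Value"] == fields.get(k) for f in fl)
               for k, fl in criteria.items())

def apply_rules(finding, rules):
    """Apply matching rules in ascending RuleOrder, so the highest order acts last on a
    contested field; a terminal rule stops further processing. Criteria are evaluated
    against the finding as received (a simplifying assumption of this simulation)."""
    out = copy.deepcopy(finding)
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        if rule["RuleStatus"] != "ENABLED" or not _matches(finding, rule["Criteria"]):
            continue
        for action in rule["Actions"]:
            for field, value in action["FindingFieldsUpdate"].items():
                out[field] = value  # Severity, Note or Workflow update
        if rule["IsTerminal"]:
            break
    return out
```

To create a rule for real, pass a returned dict to `boto3.client("securityhub").create_automation_rule(**rule)`.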
Templates are also available from which new rules can be created; they are regularly updated to reflect specific use cases that may apply to many customers. The template you choose can also be modified to suit your specific needs.
And if you work in multiple Regions, you can duplicate rules created in your central Security Hub so that they apply there too.
The announcement came as part of the AWS re:Inforce 2023 conference. Automation rules can now be used in Security Hub, and AWS is encouraging customers to post on AWS re:Post or contact support for more information and assistance with the new feature.