Security Hub (OCSF) Integration

Note: This page is the official configuration guide for the autobotAI Security Hub (OCSF) integration listed in the AWS Security Hub partner console.

Overview

AWS Security Hub provides a centralized view of your security posture across your AWS environment. This integration consumes Security Hub (OCSF) findings in OCSF 1.6 format via Amazon EventBridge, enabling autobotAI to power automated security response workflows and compliance monitoring.

Security Hub CSPM continues to use the AWS Security Finding Format (ASFF) and is treated as a separate integration from the OCSF-based stream described here.

By using the listener integration with Security Hub (OCSF), you can:

Receive real-time security findings from AWS Security Hub
Create automated response workflows for security incidents
Integrate Security Hub findings with your existing automation pipelines
Monitor compliance and security posture in a unified dashboard

Security Hub (OCSF) vs Security Hub CSPM (ASFF)

It is important to distinguish between Security Hub CSPM (ASFF) (Cloud Security Posture Management) and the event-driven Security Hub (OCSF) integration via EventBridge:

Security Hub (OCSF): Delivers security findings from AWS services (GuardDuty, Inspector, etc.) in the Open Cybersecurity Schema Framework (OCSF) format. It is event-driven and provides real-time alerts.
Security Hub CSPM (ASFF): Focuses on compliance standards (CIS, PCI DSS) using the AWS Security Finding Format (ASFF). It typically performs periodic scans rather than real-time event streaming.

Key differences include:

Real-time Response: Security Hub CSPM (ASFF) typically performs periodic compliance scans (e.g., every 12-24 hours) to evaluate resources against standards like CIS or PCI DSS. In contrast, the Security Hub (OCSF) EventBridge integration allows autobotAI to receive and act upon findings the instant they are generated, significantly reducing your Mean Time to Remediate (MTTR).
Immediate Threat Detection: While Security Hub CSPM (ASFF) focuses on static configurations, the Security Hub (OCSF) finding stream aggregates active threat intelligence from services like GuardDuty, Amazon Inspector, and IAM Access Analyzer. This ensures you can automate responses to malicious activity as it happens.
Efficiency and Cost: Polling for updates in Security Hub CSPM (ASFF) can be resource-intensive and slow. The event-driven model used here is more efficient, as AWS "pushes" only the relevant findings to autobotAI exactly when they occur.
Operational Agility: This integration enables "Self-Healing" infrastructure. By listening to Security Hub (OCSF), autobotAI can automatically revert unauthorized security group changes or quarantine compromised instances without waiting for the next scheduled CSPM scan.

Note: For existing Security Hub CSPM (ASFF) integrations, continue to use the Security Hub Findings - Imported detail type. The Security Hub Findings Imported V2 detail type is used for the new Security Hub (OCSF) integration described on this page.

Value Add for Security Hub (OCSF) Customers

When you connect Security Hub (OCSF) to autobotAI, findings are not only collected but also prioritized and automatically remediated through bots and workflows. autobotAI can, for example:

Quarantine compromised EC2 instances when critical findings are detected
Automatically revert risky security group changes
Disable exposed IAM credentials
Open incident tickets in your ITSM when high-severity findings are detected
Trigger custom remediation playbooks based on finding type and severity

This gives customers a real-time, automated response layer on top of AWS Security Hub, reducing Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR).

Prerequisites

Before setting up the AWS Security Hub integration, ensure you have:

Active AWS Account
- An active AWS account with Security Hub enabled in your region
- Security Hub already configured and collecting findings
autobotAI Account
- A registered autobotAI account
- Admin or Editor permissions to create listeners
Security Hub Enabled
- Security Hub enabled in your AWS account
- Findings being collected and published

Architecture

The integration uses AWS EventBridge to securely forward Security Hub findings to autobotAI:

AWS Security Hub → EventBridge Rule → API Destination → autobotAI Listener

Components:

EventBridge Rule: Filters and forwards Security Hub findings
API Destination: Secure endpoint for receiving findings
Connection: API key authentication between AWS and autobotAI
autobotAI Listener: Receives and processes incoming findings

Delegated Admin and Home Region

If you are using a Security Hub delegated administrator account and aggregating findings into a home region, deploy this EventBridge rule only in the delegated admin's home region. All aggregated Security Hub (OCSF) findings flow to that region, ensuring autobotAI receives findings from every account in your AWS Organization without per-account or per-region rules.

Setup Instructions

Step 1: Create a Security Hub Listener in autobotAI

Navigate to Listeners
- Go to the autobotAI dashboard
- Click on "Bot Building Blocks" → "Listeners"
Create New Listener
- Click on "+ New" to create a new listener
Configure Listener Details
- Name: Give your listener a descriptive name (e.g., "Security Hub (OCSF) Findings")
- Description: Add a brief description for reference
- Authentication Method: Select Secret Key in Headers
- Click on "Next"
Generate Authentication
- autobotAI will automatically generate a unique Listener URL and Secret Key
- Click "Generate" if needed
Important: Save Your Credentials
- Copy both the Listener URL and Secret Key
- Store these securely - they will be needed for AWS configuration

Step 2: Deploy CloudFormation Template

Follow these steps to deploy the integration using the provided CloudFormation template.

Download the Template
- Download the autobotAI Security Hub CloudFormation template: autobotAI-Security-Hub-EventBridge.yml
- Save the file to your local machine.
Open CloudFormation Console
- Go to the AWS CloudFormation console in your preferred region.
- Click "Create stack" and select "With new resources (standard)".
Specify template source
- Select "Upload a template file".
- Click "Choose file" and select the autobotAI-Security-Hub-EventBridge.yml file you downloaded in step 1.
- Click "Next".
Provide stack name
- Stack name: autobotAI-Security-Hub-EventBridge
Configure stack parameters
- APIEndPoint: Your autobotAI listener URL (from Step 1)
- APIKeyName: x-secret-key (default)
- APIKeyValue: Your autobotAI secret key (from Step 1)
Configure capabilities
- Click "Next"
- Enable the required capabilities:
  - IAM Permissions: AWS Auto Scaling creates IAM resources
  - CAPABILITY_IAM (if it prompts)
Configure stack options (optional)
- Review advanced settings if needed
- Keep defaults for most scenarios
Create and monitor
- Check the Capabilities checkbox at the bottom and click on "Next"
- Click on "Submit"
- Wait for deployment (typically 1-3 minutes)
- Monitor progress in the "Stack operations" tab
Verify successful deployment
- Check that stack status shows "CREATE_COMPLETE"
- Review the created resources in the "Resources" tab
- Note the ARNs for troubleshooting if needed

Optional: Manual EventBridge Rule Creation (Console)

If you prefer not to use CloudFormation, you can create the EventBridge rule manually:

Go to the Amazon EventBridge console and choose Rules → Create rule.
Set a rule name, for example autobotAI-Security-Hub-Findings.
For Event source, choose AWS events or EventBridge partner events.
For Event pattern, select Event pattern form and configure:
- Event source: AWS services
- Service name: Security Hub
- Event type: Security Hub Findings Imported V2

Alternatively, use Custom pattern (JSON editor) with:

json
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings Imported V2"]
}

For Target, select API destination and choose the destination created for your autobotAI listener (or create a new API destination using the listener URL and secret key provided in Step 1).
Configure the API destination (if creating new):
- Name: autobotAI-Listener
- API destination endpoint: Your autobotAI listener URL
- HTTP method: POST
- Connection: Create new connection with API key authorization using your autobotAI secret key
Save the rule and ensure its state is ENABLED.

For detailed steps on creating API destinations, see the Amazon EventBridge API Destinations documentation.

Step 3: Verify Integration

Check EventBridge Rule
- Go to AWS EventBridge console
- Find the rule named autobotAI-Security-Hub-Findings
- Verify it's enabled and targeting your API destination
Test Security Hub Findings
- Trigger a Security Hub finding by making a change to your AWS resources
- Wait a few minutes for the finding to appear
Verify in autobotAI
- Go to your listener in autobotAI
- Click "Test" to view recent events
- You should see Security Hub finding data being received

CloudFormation Template

The integration uses the following CloudFormation template:

Template URL:

https://autobot-ai.s3.amazonaws.com/autobotAI-Security-Hub-EventBridge.yml

Template Components:

EventBridge API Destination

Forwards Security Hub findings to your autobotAI listener endpoint

Properties:

Name: autobotAI-security-hub-listener-webhook
Invocation Endpoint: Your listener URL
HttpMethod: POST
Rate Limit: 300 invocations per second
Authorization: API key authentication

EventBridge Connection

Establishes secure connection to your autobotAI listener

Properties:

Name: autobotAI-security-hub-listener-connection
Authorization Type: API_KEY
API Key Name: x-secret-key
API Key Value: Your listener secret

IAM Roles and Policies

Grants EventBridge permission to invoke your API destination

Resources:

IAM Role: autobotAI_EventBridge_Invoke_Api_Destination
Managed Policy: autobotAI_EventBridge_Invoke_Api_Destination_Policy

EventBridge Rule

Filters and forwards Security Hub findings

Event Pattern:

Source: aws.securityhub
Detail Type: Security Hub Findings Imported V2
AWS Account ID: Your account ID
State: Enabled

Security Considerations

Authentication

API Key Authentication: Uses header-based authentication
Secret Key Protection: Treat your secret key as sensitive data
HTTPS Only: All communication uses HTTPS for encryption

Data Privacy

Findings remain in your AWS account until forwarded
No data is stored on autobotAI servers
You maintain full control over your Security Hub data

Access Control

Only your AWS account can configure the EventBridge rule
The CloudFormation stack requires appropriate IAM permissions
Review IAM roles to ensure least privilege access

Troubleshooting

Stack Creation Fails

Problem: CloudFormation stack fails to create

Solutions:

IAM Permissions: Ensure you have permission to create EventBridge resources
Region: Verify Security Hub is enabled in the same region as deployment
Limit Exceeded: Check AWS service quotas for EventBridge resources
Network: Ensure outbound HTTPS connectivity to autobotAI

No Findings Received

Problem: Security Hub findings not appearing in autobotAI

Troubleshooting Steps:

Check EventBridge Rule Status
- Go to AWS EventBridge console
- Verify rule is enabled and rule state is "ENABLED"
- Check rule's event pattern matches your findings
Verify API Destination
- Check that the API destination exists and is healthy
- Test the endpoint manually using curl or Postman
- Verify the URL and secret key are correct
Check Listener Status
- Confirm your listener in autobotAI is active
- Click "Test" to view listener activity
- Check for any authentication errors
Review CloudWatch Logs
- Check EventBridge rule delivery logs
- Look for API destination invocation failures
- Verify Lambda execution logs (if applicable)

Security Hub Findings Not Matching

Problem: EventBridge rule not matching your Security Hub findings

Solutions:

Verify Findings
- Check actual finding structure in Security Hub console
- Confirm source and detail type values
Adjust Event Pattern
- Modify the CloudFormation template event pattern if needed
- Use CloudWatch Logs Insights to analyze matching findings
Check Finding State
- Security Hub findings must be imported to trigger the rule
- Ensure findings are being processed through Security Hub workflows

Best Practices

Security Hub Findings Management

Enable Necessary Standards
- Enable AWS Security Best Practices standard
- Configure for your organization's compliance requirements
Configure Automated Remediation
- Set up AWS Config rules for continuous compliance
- Configure automated response actions for critical findings
Regular Review Schedule
- Review findings weekly to identify trends
- Prioritize findings based on severity and business impact

autobotAI Workflow Optimization

Create Dedicated Bots
- Build specific bots for common Security Hub finding types
- Automate responses for frequent finding patterns
Configure Alerting
- Set up notification rules for high-severity findings
- Integrate with incident management systems
Monitor Performance
- Track listener response times
- Optimize bot workflows for efficient processing

Cost Management

EventBridge Pricing
- Monitor EventBridge rule executions
- Set budget alerts for API destination costs
Security Hub Costs
- Review Security Hub standard configurations
- Optimize for only relevant compliance requirements
autobotAI Usage
- Monitor workflow execution costs
- Review listener event volume for cost optimization

Supported Security Hub Findings

The integration supports Security Hub (OCSF) findings with the following event pattern:

Source: aws.securityhub

Detail Type: Security Hub Findings Imported V2

Findings are delivered in Open Cybersecurity Schema Framework (OCSF) 1.6 format, with AWS Security Hub-specific resource attributes preserved for compatibility and enrichment.

Finding Fields:

Finding ID
Title
Description
Severity
Confidence
Sources
Resources
Product ARN
Types
First Observed At
Last Observed At
Created At
Updated At
Classification
User Action
Compliance
Related Findings
Record State
Verification State
Workflow

The payload structure follows the OCSF 1.6 Security Hub finding schema; fields such as severity, resources, product ARN, and timestamps are mapped according to the OCSF standard, with AWS-specific resource attributes preserved for enrichment.

Next Steps

Create Security Response Workflows

Build Bots for Findings
- Create bots to analyze incoming Security Hub findings
- Implement automated remediation actions
Set Up Approval Workflows
- Configure approval chains for critical findings
- Implement escalation policies for unresolved issues
Integration with Other Tools
- Connect to incident management systems
- Integrate with threat intelligence platforms

Monitor and Optimize

Setup Dashboards
- Create visualizations for Security Hub findings
- Build alerting and reporting dashboards
Regular Audits
- Review Security Hub findings weekly
- Analyze trends and identify patterns
- Continuously improve security posture
Documentation
- Maintain detailed records of security responses
- Document successful remediation strategies
- Share lessons learned with security team

Support and Resources

AWS Documentation

autobotAI Resources

Additional Help

Contact autobotAI support for integration issues
Review CloudFormation template documentation
Check AWS CloudFormation service limits

Migration from Existing Integrations

If you have existing Security Hub integration patterns, consider migrating to this architecture for:

Centralized Management: All Security Hub findings processed through autobotAI
Automated Workflows: Built-in bot creation from findings
Unified Dashboard: Single view of all security events
Improved Security: API key authentication and encrypted communication

Migration Steps:

Create new listener in autobotAI
Deploy CloudFormation stack
Update security policies to reference new listener URL
Decommission old integration endpoints
Test end-to-end functionality

Need Help? If you encounter any issues during setup, contact autobotAI support with:

CloudFormation stack status
Security Hub finding samples
EventBridge rule logs