Security team example: Creating a Security Hub automation rule
The security team receives findings related to threat detection, including Amazon GuardDuty findings. For a complete list of GuardDuty finding types that are categorized by AWS resource type, see Finding types in the GuardDuty documentation. Security teams must be familiar with all of these finding types.
For this example, the security team is accepting the level of associated risk for security findings in an AWS account that is used strictly for learning purposes and does not include important or sensitive data. The name of this account is sandbox, and the account ID is 123456789012.
The security team can create an AWS Security Hub automation rule that suppresses all GuardDuty findings from this account. They can either create a rule from a template, which covers many common use cases, or they can create a custom rule. In Security Hub, we recommend previewing the results of the criteria to confirm that the rule returns the intended findings.
Note
This example highlights the functionality of automation rules. We don't recommend suppressing all GuardDuty findings for an account. Context matters, and each organization must choose which findings to suppress based on data type, classification, and mitigation controls.
The following are the parameters used to create this automation rule:
- Rule:
  - Rule name is Suppress findings from Sandbox account
  - Rule description is Date: 06/25/23 Authored by: John Doe Reason: Suppress GuardDuty findings from the sandbox account
- Criteria:
  - AwsAccountId = 123456789012
  - ProductName = GuardDuty
  - WorkflowStatus = NEW
  - RecordState = ACTIVE
- Automated action:
  - Workflow.status is SUPPRESSED
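The same rule expressed as a CreateAutomationRule request for the Security Hub API, as an added example that is not AWS's own code. The finding_matches function is a hypothetical offline stand-in for the console's criteria preview, run over constructed sample findings; RuleOrder and IsTerminal are assumed values not given on the page.

```python
SANDBOX_ACCOUNT_ID = "123456789012"  # account ID from the page

# Criteria in the CreateAutomationRule API shape: each field is a list of StringFilters.
RULE_CRITERIA = {
    "AwsAccountId": [{"Value": SANDBOX_ACCOUNT_ID, "Comparison": "EQUALS"}],
    "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
}

RULE_REQUEST = {
    "RuleName": "Suppress findings from Sandbox account",
    "Description": ("Date: 06/25/23 Authored by: John Doe "
                    "Reason: Suppress GuardDuty findings from the sandbox account"),
    "RuleStatus": "ENABLED",
    "RuleOrder": 1,       # assumed value; lower order is evaluated first
    "IsTerminal": False,  # assumed: later rules still see the finding
    "Criteria": RULE_CRITERIA,
    "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                 "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}],
}

# Where each criteria field lives inside an ASFF finding document.
ASFF_PATH = {"AwsAccountId": ("AwsAccountId",), "ProductName": ("ProductName",),
             "WorkflowStatus": ("Workflow", "Status"), "RecordState": ("RecordState",)}

def finding_matches(finding, criteria=RULE_CRITERIA):
    """Offline preview: AND across fields, OR within a field; EQUALS only,
    which is all this rule uses. Missing fields never match."""
    for field, filters in criteria.items():
        value = finding
        for key in ASFF_PATH[field]:
            value = value.get(key) if isinstance(value, dict) else None
        if not any(f["Comparison"] == "EQUALS" and f["Value"] == value for f in filters):
            return False
    return True

def create_rule(client=None):
    """Create the rule in Security Hub and return its ARN (needs AWS credentials)."""
    import boto3  # imported here so the offline preview above runs without boto3
    client = client or boto3.client("securityhub")
    return client.create_automation_rule(**RULE_REQUEST)["RuleArn"]
# Constructed sample findings (trimmed ASFF): only the first one should be suppressed.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "123456789012", "ProductName": "GuardDuty",
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"AwsAccountId": "111111111111", "ProductName": "GuardDuty",  # a different account
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
]
```

Running finding_matches over findings exported from your own account before calling create_rule is a quick way to confirm the criteria only catch the sandbox account's GuardDuty findings.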
For more information, see Automation rules in the Security Hub documentation. Security teams have many options for investigating and remediating findings for detected threats. For extensive guidance, see the AWS Security Incident Response Guide. We recommend reviewing this guide to confirm that you have established strong incident response processes.