

# Understanding integrations in Security Hub CSPM
<a name="securityhub-findings-providers"></a>

AWS Security Hub CSPM can ingest security findings from several AWS services and supported third-party AWS Partner Network security solutions. These integrations can help you get a comprehensive view of security and compliance across your AWS environment. Security Hub CSPM ingests findings from integrated solutions and converts them to the AWS Security Finding Format (ASFF).

**Important**  
For supported AWS and third-party product integrations, Security Hub CSPM receives and consolidates findings that are generated only after you enable Security Hub CSPM for your AWS accounts. The service doesn't retroactively receive and consolidate security findings that were generated before you enabled Security Hub CSPM.

The **Integrations** page of the Security Hub CSPM console provides access to available AWS and third-party product integrations. The Security Hub CSPM API also has operations for managing integrations.

An integration might not be available in all AWS Regions. If an integration isn't supported in the Region that you are currently signed in to on the Security Hub CSPM console, it doesn't appear on the **Integrations** page of the console. For a list of integrations that are available in the China Regions and AWS GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).

In addition to AWS service and built-in third-party integrations, you can integrate custom security products with Security Hub CSPM. You can then send findings from these products to Security Hub CSPM by using the Security Hub CSPM API. You can also use the API to update existing findings that Security Hub CSPM received from a custom security product.

**Topics**
+ [Reviewing a list of Security Hub CSPM integrations](securityhub-integrations-view-filter.md)
+ [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md)
+ [Disabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-disable.md)
+ [Viewing findings from a Security Hub CSPM integration](securityhub-integration-view-findings.md)
+ [AWS service integrations with Security Hub CSPM](securityhub-internal-providers.md)
+ [Third-party product integrations with Security Hub CSPM](securityhub-partner-providers.md)
+ [Integrating Security Hub CSPM with custom products](securityhub-custom-providers.md)

# Reviewing a list of Security Hub CSPM integrations
<a name="securityhub-integrations-view-filter"></a>

Choose your preferred method, and follow the steps to review a list of integrations in AWS Security Hub CSPM or details about a specific integration.

------
#### [ Security Hub CSPM console ]

**To review integration options and details (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Integrations**.

On the **Integrations** page, integrations with other AWS services are listed first, followed by integrations with third-party products.

For each integration, the **Integrations** page provides the following information:
+ The name of the company
+ The name of the product
+ A description of the integration
+ The categories that the integration applies to
+ How to enable the integration
+ The current status of the integration

You can filter the list by entering text from the following fields:
+ Company name
+ Product name
+ Integration description
+ Categories

------
#### [ Security Hub CSPM API ]

**To review integration options and details (API)**

To get a list of integrations, use the [DescribeProducts](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_DescribeProducts.html) operation. If you're using the AWS CLI, run the [describe-products](https://docs.aws.amazon.com/cli/latest/reference/securityhub/describe-products.html) command.

To retrieve details for a specific product integration, use the `ProductArn` parameter to specify the Amazon Resource Name (ARN) of the integration.

For example, the following AWS CLI command retrieves details about the Security Hub CSPM integration with 3CORESec.

```
$ aws securityhub describe-products --product-arn "arn:aws:securityhub:us-east-1::product/3coresec/3coresec"
```

------

# Enabling the flow of findings from a Security Hub CSPM integration
<a name="securityhub-integration-enable"></a>

On the **Integrations** page of the AWS Security Hub CSPM console, you can see the required steps to enable each integration.

For most of the integrations with other AWS services, the only required step to enable the integration is to enable the other service. The integration information includes a link to the other service's home page. When you enable the other service, a resource-level permission that allows Security Hub CSPM to receive findings from the service is then automatically created and applied.

For third-party product integrations, you may need to purchase the integration from the AWS Marketplace, and then configure the integration. The integration information provides links to complete these tasks.

If more than one version of a product is available in AWS Marketplace, select the version that you want to subscribe to, and then choose **Continue to Subscribe**. For example, some products offer a standard version and an AWS GovCloud (US) version.

When you enable a product integration, a resource policy is automatically attached to that product subscription. This resource policy defines the permissions that Security Hub CSPM needs to receive findings from that product.

After you complete any preliminary steps to enable an integration, you can then disable and re-enable the flow of findings from that integration. On the **Integrations** page, for integrations that send findings, the **Status** information indicates whether you are currently accepting findings.

------
#### [ Security Hub CSPM console ]

**To enable the flow of findings from an integration (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Integrations**.

1. For integrations that send findings, the **Status** information indicates whether Security Hub CSPM is currently accepting findings from that integration.

1. Choose **Accept findings**.

------
#### [ Security Hub CSPM API ]

Use the [EnableImportFindingsForProduct](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_EnableImportFindingsForProduct.html) operation. If you're using the AWS CLI, run the [enable-import-findings-for-product](https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-import-findings-for-product.html) command. To enable Security Hub to receive findings from an integration, you need the product ARN. To obtain the ARNs for the available integrations, use the [DescribeProducts](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_DescribeProducts.html) operation. If you're using the AWS CLI, run the [describe-products](https://docs.aws.amazon.com/cli/latest/reference/securityhub/describe-products.html) command.

For example, the following AWS CLI command enables Security Hub CSPM to receive findings from the CrowdStrike Falcon integration. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub enable-import-findings-for-product \
    --product-arn "arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"
```

------

# Disabling the flow of findings from a Security Hub CSPM integration
<a name="securityhub-integration-disable"></a>

Choose your preferred method, and follow the steps to disable the flow of findings from an AWS Security Hub CSPM integration.

------
#### [ Security Hub CSPM console ]

**To disable the flow of findings from an integration (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Integrations**.

1. For integrations that send findings, the **Status** information indicates whether Security Hub CSPM is currently accepting findings from that integration.

1. Choose **Stop accepting findings**.

------
#### [ Security Hub CSPM API ]

Use the [DisableImportFindingsForProduct](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_DisableImportFindingsForProduct.html) operation. If you're using the AWS CLI, run the [disable-import-findings-for-product](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disable-import-findings-for-product.html) command. To disable the flow of findings from an integration, you need the subscription ARN for the enabled integration. To obtain the subscription ARN, use the [ListEnabledProductsForImport](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_ListEnabledProductsForImport.html) operation. If you're using the AWS CLI, run the [list-enabled-products-for-import](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-enabled-products-for-import.html) command.

For example, the following AWS CLI command disables the flow of findings to Security Hub CSPM from the CrowdStrike Falcon integration. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub disable-import-findings-for-product \
    --product-subscription-arn "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
```

------
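The list, enable, and disable operations described above can be combined into a drift check that compares the integrations currently accepting findings with an approved list. The following is an added example, not part of the AWS documentation; it assumes a boto3-style client object, and `StubClient`, `APPROVED`, and the `example-vendor` ARN are constructed so that the code runs offline.

```python
def _pages(operation, key):
    """Yield every item under `key` across NextToken-paginated responses."""
    token = None
    while True:
        resp = operation(**({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def product_key(arn):
    """Return 'company/product' from a product or product-subscription ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "securityhub":
        raise ValueError(f"not a Security Hub ARN: {arn!r}")
    kind, _, name = parts[5].partition("/")
    if kind not in ("product", "product-subscription") or name.count("/") != 1:
        raise ValueError(f"not a product ARN: {arn!r}")
    return name


def audit_integrations(client, approved_product_arns):
    """Compare enabled integrations in the client's Region with an approved list.

    `client` needs describe_products() and list_enabled_products_for_import(),
    as a boto3 Security Hub client provides. Nothing is enabled or disabled here.
    """
    approved = {product_key(a): a for a in approved_product_arns}
    catalog = {product_key(p["ProductArn"]): p["ProductArn"]
               for p in _pages(client.describe_products, "Products")}
    enabled = {product_key(s): s
               for s in _pages(client.list_enabled_products_for_import,
                               "ProductSubscriptions")}
    return {
        # Subscription ARNs: the input to disable-import-findings-for-product.
        "to_disable": sorted(arn for k, arn in enabled.items() if k not in approved),
        # Product ARNs: the input to enable-import-findings-for-product.
        "to_enable": sorted(catalog[k] for k in approved
                            if k in catalog and k not in enabled),
        # Approved products that this Region's catalog does not offer.
        "not_in_region": sorted(a for k, a in approved.items() if k not in catalog),
    }


PREFIX = "arn:aws:securityhub:us-east-1"


class StubClient:
    """Constructed stand-in for a Security Hub client; each call has two pages."""

    def describe_products(self, NextToken=None):
        if NextToken is None:
            return {"Products": [{"ProductArn": PREFIX + "::product/3coresec/3coresec"}],
                    "NextToken": "page-2"}
        return {"Products": [
            {"ProductArn": PREFIX + "::product/crowdstrike/crowdstrike-falcon"},
            {"ProductArn": PREFIX + "::product/aws/config"}]}

    def list_enabled_products_for_import(self, NextToken=None):
        if NextToken is None:
            return {"ProductSubscriptions": [
                PREFIX + ":123456789012:product-subscription/aws/config"],
                "NextToken": "page-2"}
        return {"ProductSubscriptions": [
            PREFIX + ":123456789012:product-subscription/crowdstrike/crowdstrike-falcon"]}


# Constructed approved list; the example-vendor ARN is a placeholder.
APPROVED = [
    PREFIX + "::product/aws/config",
    PREFIX + "::product/3coresec/3coresec",
    PREFIX + "::product/example-vendor/example-scanner",
]


def demo():
    return audit_integrations(StubClient(), APPROVED)


if __name__ == "__main__":
    for bucket, arns in demo().items():
        print(bucket, arns)
```

Because integrations are managed per Region, run the check once for each Region in which Security Hub CSPM is enabled.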

# Viewing findings from a Security Hub CSPM integration
<a name="securityhub-integration-view-findings"></a>

When you start accepting findings from an AWS Security Hub CSPM integration, the **Integrations** page of the Security Hub CSPM console displays the **Status** of the integration as **Accepting findings**. To review a list of findings from the integration, choose **See findings**.

The findings list shows the active findings for the selected integration that have a workflow status of `NEW` or `NOTIFIED`.

If you enable cross-Region aggregation, then in the aggregation Region, the list includes findings from the aggregation Region and from linked Regions where the integration is enabled. Security Hub does not automatically enable integrations based on the cross-Region aggregation configuration.

In other Regions, the finding list for an integration only contains findings from the current Region.

For information on how to configure cross-Region aggregation, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

From the findings list, you can perform the following actions.
+ [Change the filters and grouping for the list](securityhub-findings-manage.md)
+ [View details for individual findings](securityhub-findings-viewing.md#finding-view-details-console)
+ [Update the workflow status of findings](findings-workflow-status.md)
+ [Send findings to custom actions](findings-custom-action.md)

# AWS service integrations with Security Hub CSPM
<a name="securityhub-internal-providers"></a>

AWS Security Hub CSPM supports integrations with several other AWS services. These integrations can help you get a comprehensive view of security and compliance across your AWS environment.

Unless indicated otherwise below, AWS service integrations that send findings to Security Hub CSPM are activated automatically after you enable Security Hub CSPM and the other service. Integrations that receive Security Hub CSPM findings might require additional steps for activation. Review the information about each integration to learn more.

Some integrations aren't available in all AWS Regions. On the Security Hub CSPM console, an integration doesn't appear on the **Integrations** page if it isn't supported in the current Region. For a list of integrations that are available in the China Regions and AWS GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).

## Overview of AWS service integrations with Security Hub CSPM
<a name="internal-integrations-summary"></a>

The following table provides an overview of AWS services that send findings to Security Hub CSPM or receive findings from Security Hub CSPM.


| Integrated AWS service | Direction | 
| --- | --- | 
|  [AWS Config](#integration-config)  |  Sends findings  | 
|  [AWS Firewall Manager](#integration-aws-firewall-manager)  |  Sends findings  | 
|  [Amazon GuardDuty](#integration-amazon-guardduty)  |  Sends findings  | 
|  [AWS Health](#integration-health)  |  Sends findings  | 
|  [AWS Identity and Access Management Access Analyzer](#integration-iam-access-analyzer)  |  Sends findings  | 
|  [Amazon Inspector](#integration-amazon-inspector)  |  Sends findings  | 
|  [AWS IoT Device Defender](#integration-iot-device-defender)  |  Sends findings  | 
|  [Amazon Macie](#integration-amazon-macie)  |  Sends findings  | 
|  [Amazon Route 53 Resolver DNS Firewall](#integration-amazon-r53rdnsfirewall)  |  Sends findings  | 
|  [AWS Systems Manager Patch Manager](#patch-manager)  |  Sends findings  | 
|  [AWS Audit Manager](#integration-aws-audit-manager)  |  Receives findings  | 
|  [Amazon Q Developer in chat applications](#integration-chatbot)  |  Receives findings  | 
|  [Amazon Detective](#integration-amazon-detective)  |  Receives findings  | 
|  [Amazon Security Lake](#integration-security-lake)  |  Receives findings  | 
|  [AWS Systems Manager Explorer and OpsCenter](#integration-ssm-explorer-opscenter)  |  Receives and updates findings  | 
|  [AWS Trusted Advisor](#integration-trusted-advisor)  |  Receives findings  | 

## AWS services that send findings to Security Hub CSPM
<a name="integrations-internal-send"></a>

The following AWS services integrate with and can send findings to Security Hub CSPM. Security Hub CSPM converts the findings to the [AWS Security Finding Format](securityhub-findings-format.md).

### AWS Config (Sends findings)
<a name="integration-config"></a>

AWS Config is a service that allows you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

By using the integration with AWS Config, you can see the results of AWS Config managed and custom rule evaluations as findings in Security Hub CSPM. These findings can be viewed alongside other Security Hub CSPM findings, providing a comprehensive overview of your security posture.

AWS Config uses Amazon EventBridge to send AWS Config rule evaluations to Security Hub CSPM. Security Hub CSPM transforms the rule evaluations into findings that follow the [AWS Security Finding Format](securityhub-findings-format.md). Security Hub CSPM then enriches the findings on a best-effort basis by getting more information about the impacted resources, such as the Amazon Resource Name (ARN), resource tags, and creation date.

For more information about this integration, see the following sections.

#### How AWS Config sends findings to Security Hub CSPM
<a name="integration-config-how"></a>

All findings in Security Hub CSPM use the standard JSON format of ASFF. ASFF includes details about the origin of the finding, the affected resource, and the current status of the finding. AWS Config sends managed and custom rule evaluations to Security Hub CSPM through EventBridge. Security Hub CSPM transforms the rule evaluations into findings that follow ASFF and enriches the findings on a best-effort basis.

##### Types of findings that AWS Config sends to Security Hub CSPM
<a name="integration-config-how-types"></a>

After the integration is activated, AWS Config sends evaluations of all AWS Config managed rules and custom rules to Security Hub CSPM. Only evaluations that were performed after Security Hub CSPM was enabled are sent. For example, suppose that an AWS Config rule evaluation reveals five failed resources. If you enable Security Hub CSPM after that evaluation and the rule then reveals a sixth failed resource, AWS Config sends only the sixth resource evaluation to Security Hub CSPM.

Evaluations from [service-linked AWS Config rules](securityhub-setup-prereqs.md), such as those used to run checks for Security Hub CSPM controls, are excluded. The exception is findings generated by service-linked rules that AWS Control Tower creates and manages in AWS Config. Including findings for these rules helps ensure that your findings data includes the results of proactive checks performed by AWS Control Tower.

##### Sending AWS Config findings to Security Hub CSPM
<a name="integration-config-how-types-send-findings"></a>

When the integration is activated, Security Hub CSPM will automatically assign the permissions necessary to receive findings from AWS Config. Security Hub CSPM uses service-to-service level permissions that provide you with a safe way to activate this integration and import findings from AWS Config via Amazon EventBridge.

##### Latency for sending findings
<a name="integration-config-how-types-latency"></a>

When AWS Config creates a new finding, you can usually view the finding in Security Hub CSPM within five minutes.

##### Retrying when Security Hub CSPM is not available
<a name="integration-config-how-types-retrying"></a>

AWS Config sends findings to Security Hub CSPM on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub CSPM, EventBridge retries delivery for up to 24 hours or 185 times, whichever comes first.

##### Updating existing AWS Config findings in Security Hub CSPM
<a name="integration-config-how-types-updating"></a>

After AWS Config sends a finding to Security Hub CSPM, it can send updates to the same finding to reflect additional observations of the finding activity. Updates are only sent for `ComplianceChangeNotification` events. If no compliance change occurs, updates aren't sent to Security Hub CSPM. Security Hub CSPM deletes findings 90 days after the most recent update or 90 days after creation if no update occurs.

Security Hub CSPM doesn't archive findings that are sent from AWS Config even if you delete the associated resource.

##### Regions in which AWS Config findings exist
<a name="integration-config-how-types-regions"></a>

AWS Config findings occur on a Regional basis. AWS Config sends findings to Security Hub CSPM in the same Region or Regions where the findings occur.

### Viewing AWS Config findings in Security Hub CSPM
<a name="integration-config-view"></a>

To view your AWS Config findings, choose **Findings** from the Security Hub CSPM navigation pane. To filter the findings to display only AWS Config findings, choose **Product name** in the search bar drop-down list. Enter **Config**, and choose **Apply**.

#### Interpreting AWS Config finding names in Security Hub CSPM
<a name="integration-config-view-interpret-finding-names"></a>

Security Hub CSPM transforms AWS Config rule evaluations into findings that follow the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). AWS Config rule evaluations use a different event pattern than ASFF. The following table maps the AWS Config rule evaluation fields to their ASFF counterparts as they appear in Security Hub CSPM.


| Config rule evaluation finding type | ASFF finding type | Hardcoded value | 
| --- | --- | --- | 
| detail.awsAccountId | AwsAccountId |   | 
| detail.newEvaluationResult.resultRecordedTime | CreatedAt |   | 
| detail.newEvaluationResult.resultRecordedTime | UpdatedAt |   | 
|  | ProductArn | "arn:<partition>:securityhub:<region>::product/aws/config" | 
|  | ProductName | "Config" | 
|  | CompanyName | "AWS" | 
|  | Region | "eu-central-1" | 
| configRuleArn | GeneratorId, ProductFields |  | 
| detail.ConfigRuleARN/finding/hash | Id |  | 
| detail.configRuleName | Title, ProductFields |  | 
| detail.configRuleName | Description | "This finding is created for a resource compliance change for config rule: ${detail.ConfigRuleName}" | 
| Configuration Item "ARN" or Security Hub CSPM computed ARN | Resources[i].id |  | 
| detail.resourceType | Resources[i].Type | "AwsS3Bucket" | 
|  | Resources[i].Partition | "aws" | 
|  | Resources[i].Region | "eu-central-1" | 
| Configuration Item "configuration" | Resources[i].Details |  | 
|  | SchemaVersion | "2018-10-08" | 
|  | Severity.Label | See "Interpreting Severity Label" below | 
|  | Types | ["Software and Configuration Checks"] | 
| detail.newEvaluationResult.complianceType | Compliance.Status | "FAILED", "NOT_AVAILABLE", "PASSED", or "WARNING" | 
|  | Workflow.Status | "RESOLVED" if an AWS Config finding is generated with a Compliance.Status of "PASSED," or if the Compliance.Status changes from "FAILED" to "PASSED." Otherwise, Workflow.Status will be "NEW." You can change this value with the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation. | 

#### Interpreting severity label
<a name="integration-config-view-interpret-severity"></a>

All findings from AWS Config rule evaluations have a default severity label of **MEDIUM** in the ASFF. You can update the severity label of a finding with the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation.

#### Typical finding from AWS Config
<a name="integration-config-view-typical-finding"></a>

Security Hub CSPM transforms AWS Config rule evaluations into findings that follow the ASFF. The following is an example of a typical finding from AWS Config in the ASFF.

**Note**  
If the description is more than 1,024 characters, it will be truncated to 1,024 characters and will say "(truncated)" at the end.

```
{
	"SchemaVersion": "2018-10-08",
	"Id": "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/45g070df80cb50b68fa6a43594kc6fda1e517932",
	"ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/config",
	"ProductName": "Config",
	"CompanyName": "AWS",
	"Region": "eu-central-1",
	"GeneratorId": "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq",
	"AwsAccountId": "123456789012",
	"Types": [
		"Software and Configuration Checks"
	],
	"CreatedAt": "2022-04-15T05:00:37.181Z",
	"UpdatedAt": "2022-04-19T21:20:15.056Z",
	"Severity": {
		"Label": "MEDIUM",
		"Normalized": 40
	},
	"Title": "s3-bucket-level-public-access-prohibited-config-integration-demo",
	"Description": "This finding is created for a resource compliance change for config rule: s3-bucket-level-public-access-prohibited-config-integration-demo",
	"ProductFields": {
		"aws/securityhub/ProductName": "Config",
		"aws/securityhub/CompanyName": "AWS",
		"aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/config/arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/46f070df80cd50b68fa6a43594dc5fda1e517902",
		"aws/config/ConfigRuleArn": "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq",
		"aws/config/ConfigRuleName": "s3-bucket-level-public-access-prohibited-config-integration-demo",
		"aws/config/ConfigComplianceType": "NON_COMPLIANT"
	},
	"Resources": [{
		"Type": "AwsS3Bucket",
		"Id": "arn:aws:s3:::amzn-s3-demo-bucket",
		"Partition": "aws",
		"Region": "eu-central-1",
		"Details": {
			"AwsS3Bucket": {
				"OwnerId": "4edbba300f1caa608fba2aad2c8fcfe30c32ca32777f64451eec4fb2a0f10d8c",
				"CreatedAt": "2022-04-15T04:32:53.000Z"
			}
		}
	}],
	"Compliance": {
		"Status": "FAILED"
	},
	"WorkflowState": "NEW",
	"Workflow": {
		"Status": "NEW"
	},
	"RecordState": "ACTIVE",
	"FindingProviderFields": {
		"Severity": {
			"Label": "MEDIUM"
		},
		"Types": [
			"Software and Configuration Checks"
		]
	}
}
```
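The mapping table and the defaults described above can be turned into a consistency check for pipelines that consume AWS Config findings. The following is an added example, not part of the AWS documentation: it separates fields that the table hardcodes from defaults that `BatchUpdateFindings` can change, and computes the 90-day deletion date. `SAMPLE` is a trimmed copy of the finding above, and `ALTERED` is a constructed variant.

```python
import re
from datetime import datetime, timedelta, timezone

# Hardcoded values taken from the mapping table on this page.
FIXED = {
    "ProductName": "Config",
    "CompanyName": "AWS",
    "SchemaVersion": "2018-10-08",
    "Types": ["Software and Configuration Checks"],
}
PRODUCT_ARN = re.compile(r"arn:[^:]+:securityhub:[^:]+::product/aws/config")
COMPLIANCE = {"FAILED", "NOT_AVAILABLE", "PASSED", "WARNING"}
DESC_PREFIX = ("This finding is created for a resource compliance change "
               "for config rule: ")
RETENTION = timedelta(days=90)


def check_config_finding(f):
    """Return (violations, changed_defaults) for one ASFF finding dict."""
    bad, changed = [], []
    for key, want in FIXED.items():
        if f.get(key) != want:
            bad.append(f"{key}: expected {want!r}, got {f.get(key)!r}")
    if not PRODUCT_ARN.fullmatch(f.get("ProductArn", "")):
        bad.append("ProductArn is not the AWS Config product ARN")
    rule_arn = f.get("GeneratorId", "")
    if not rule_arn or not f.get("Id", "").startswith(rule_arn + "/finding/"):
        bad.append("Id is not <config rule ARN>/finding/<hash>")
    fields = f.get("ProductFields", {})
    if fields.get("aws/config/ConfigRuleArn") != rule_arn:
        bad.append("ProductFields rule ARN differs from GeneratorId")
    if fields.get("aws/config/ConfigRuleName") != f.get("Title"):
        bad.append("ProductFields rule name differs from Title")
    desc = f.get("Description", "")
    whole = desc == DESC_PREFIX + str(f.get("Title"))
    cut = desc.startswith(DESC_PREFIX) and desc.endswith("(truncated)")
    if not (whole or cut):
        bad.append("Description does not follow the fixed template")
    status = f.get("Compliance", {}).get("Status")
    if status not in COMPLIANCE:
        bad.append(f"Compliance.Status {status!r} is not a listed value")
    # Defaults that BatchUpdateFindings can change: report them, don't reject.
    default_workflow = "RESOLVED" if status == "PASSED" else "NEW"
    workflow = f.get("Workflow", {}).get("Status")
    if workflow != default_workflow:
        changed.append(f"Workflow.Status {workflow} (default {default_workflow})")
    label = f.get("Severity", {}).get("Label")
    if label != "MEDIUM":
        changed.append(f"Severity.Label {label} (default MEDIUM)")
    return bad, changed


def deletion_due(f):
    """90 days after the most recent update, or after creation if never updated."""
    stamp = f.get("UpdatedAt") or f["CreatedAt"]
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return when.replace(tzinfo=timezone.utc) + RETENTION


RULE_ARN = "arn:aws:config:eu-central-1:123456789012:config-rule/config-rule-mburzq"
RULE_NAME = "s3-bucket-level-public-access-prohibited-config-integration-demo"

# Trimmed copy of the typical finding shown above.
SAMPLE = {
    "SchemaVersion": "2018-10-08",
    "Id": RULE_ARN + "/finding/45g070df80cb50b68fa6a43594kc6fda1e517932",
    "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/config",
    "ProductName": "Config",
    "CompanyName": "AWS",
    "GeneratorId": RULE_ARN,
    "Types": ["Software and Configuration Checks"],
    "CreatedAt": "2022-04-15T05:00:37.181Z",
    "UpdatedAt": "2022-04-19T21:20:15.056Z",
    "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "Title": RULE_NAME,
    "Description": DESC_PREFIX + RULE_NAME,
    "ProductFields": {"aws/config/ConfigRuleArn": RULE_ARN,
                      "aws/config/ConfigRuleName": RULE_NAME},
    "Compliance": {"Status": "FAILED"},
    "Workflow": {"Status": "NEW"},
}

# Constructed variant: different product ARN, PASSED but still NEW, severity raised.
ALTERED = {**SAMPLE,
           "ProductArn": "arn:aws:securityhub:eu-central-1:123456789012:product/123456789012/default",
           "Compliance": {"Status": "PASSED"},
           "Severity": {"Label": "HIGH"}}

if __name__ == "__main__":
    for name, finding in (("SAMPLE", SAMPLE), ("ALTERED", ALTERED)):
        print(name, check_config_finding(finding), deletion_due(finding).isoformat())
```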

### Enabling and configuring the integration
<a name="integration-config-enable"></a>

After you enable Security Hub CSPM, this integration is activated automatically. AWS Config immediately begins to send findings to Security Hub CSPM.

### Stopping the publication of findings to Security Hub CSPM
<a name="integration-config-stop"></a>

To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or Security Hub CSPM API.

For instructions on stopping the flow of findings, see [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md).

### AWS Firewall Manager (Sends findings)
<a name="integration-aws-firewall-manager"></a>

Firewall Manager sends findings to Security Hub CSPM when a web application firewall (WAF) policy for resources or a web access control list (web ACL) rule is not in compliance. Firewall Manager also sends findings when AWS Shield Advanced is not protecting resources, or when an attack is identified.

After you enable Security Hub CSPM, this integration is automatically activated. Firewall Manager immediately begins to send findings to Security Hub CSPM.

To learn more about the integration, view the **Integrations** page in the Security Hub CSPM console.

To learn more about Firewall Manager, see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/).

### Amazon GuardDuty (Sends findings)
<a name="integration-amazon-guardduty"></a>

GuardDuty sends all of the finding types that it generates to Security Hub CSPM. Some finding types have prerequisites, enablement requirements, or Regional limitations. For more information, see [GuardDuty finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.

New findings from GuardDuty are sent to Security Hub CSPM within five minutes. Updates to findings are sent based on the **Updated findings** setting for Amazon EventBridge in GuardDuty settings.

When you generate GuardDuty sample findings using the GuardDuty **Settings** page, Security Hub CSPM receives the sample findings and omits the prefix `[SAMPLE]` in the finding type. For example, the sample finding type in GuardDuty `[SAMPLE] Recon:IAMUser/ResourcePermissions` is displayed as `Recon:IAMUser/ResourcePermissions` in Security Hub CSPM.

After you enable Security Hub CSPM, this integration is automatically activated. GuardDuty immediately begins to send findings to Security Hub CSPM.

For more information about the GuardDuty integration, see [Integrating with AWS Security Hub CSPM](https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html) in the *Amazon GuardDuty User Guide*.

### AWS Health (Sends findings)
<a name="integration-health"></a>

AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and AWS accounts. You can use AWS Health events to learn how service and resource changes might affect your applications that run on AWS.

The integration with AWS Health does not use `BatchImportFindings`. Instead, AWS Health uses service-to-service event messaging to send findings to Security Hub CSPM.

For more information about the integration, see the following sections.

#### How AWS Health sends findings to Security Hub CSPM
<a name="integration-health-how"></a>

In Security Hub CSPM, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub CSPM also has a set of rules that it uses to detect security issues and generate findings.

Security Hub CSPM provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. See [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md). You can also track the status of an investigation into a finding. See [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md).

All findings in Security Hub CSPM use a standard JSON format called the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding.

AWS Health is one of the AWS services that sends findings to Security Hub CSPM.

##### Types of findings that AWS Health sends to Security Hub CSPM
<a name="integration-health-how-types"></a>

After the integration is enabled, AWS Health sends findings that meet one or more of the listed specifications to Security Hub CSPM. Security Hub CSPM ingests the findings in the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md).
+ Findings that contain any of the following values for AWS service:
  + `RISK`
  + `ABUSE`
  + `ACM`
  + `CLOUDHSM`
  + `CLOUDTRAIL`
  + `CONFIG`
  + `CONTROLTOWER`
  + `DETECTIVE`
  + `EVENTS`
  + `GUARDDUTY`
  + `IAM`
  + `INSPECTOR`
  + `KMS`
  + `MACIE`
  + `SES`
  + `SECURITYHUB`
  + `SHIELD`
  + `SSO`
  + `COGNITO`
  + `IOTDEVICEDEFENDER`
  + `NETWORKFIREWALL`
  + `ROUTE53`
  + `WAF`
  + `FIREWALLMANAGER`
  + `SECRETSMANAGER`
  + `BACKUP`
  + `AUDITMANAGER`
  + `ARTIFACT`
  + `CLOUDENDURE`
  + `CODEGURU`
  + `ORGANIZATIONS`
  + `DIRECTORYSERVICE`
  + `RESOURCEMANAGER`
  + `CLOUDWATCH`
  + `DRS`
  + `INSPECTOR2`
  + `RESILIENCEHUB`
+ Findings with the words `security`, `abuse`, or `certificate` in the AWS Health `typeCode` field
+ Findings where the AWS Health service is `risk` or `abuse`

##### Sending AWS Health findings to Security Hub CSPM
<a name="integration-health-how-types-send-findings"></a>

When you choose to accept findings from AWS Health, Security Hub CSPM will automatically assign the permissions necessary to receive the findings from AWS Health. Security Hub CSPM uses service-to-service level permissions that provide you with a safe, easy way to enable this integration and import findings from AWS Health via Amazon EventBridge on your behalf. Choosing **Accept Findings** grants Security Hub CSPM permission to consume findings from AWS Health.

##### Latency for sending findings
<a name="integration-health-how-types-latency"></a>

When AWS Health creates a new finding, it is usually sent to Security Hub CSPM within five minutes.

##### Retrying when Security Hub CSPM is not available
<a name="integration-health-how-types-retrying"></a>

AWS Health sends findings to Security Hub CSPM on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub CSPM, EventBridge retries sending the event for 24 hours.

##### Updating existing findings in Security Hub CSPM
<a name="integration-health-how-types-updating"></a>

After AWS Health sends a finding to Security Hub CSPM, it can send updates to the same finding to reflect additional observations of the finding activity.

##### Regions in which findings exist
<a name="integration-health-how-types-regions"></a>

For global events, AWS Health sends findings to Security Hub CSPM in us-east-1 (AWS partition), cn-northwest-1 (China partition), and us-gov-west-1 (GovCloud partition). AWS Health sends Region-specific events to Security Hub CSPM in the same Region or Regions where the events occur.

#### Viewing AWS Health findings in Security Hub CSPM
<a name="integration-health-view"></a>

To view your AWS Health findings in Security Hub CSPM, choose **Findings** from the navigation panel. To filter the findings to display only AWS Health findings, choose **Health** from the **Product name** field.

##### Interpreting AWS Health finding names in Security Hub CSPM
<a name="integration-health-view-interpret-finding-names"></a>

AWS Health sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). AWS Health events use a different event pattern than the ASFF. The following table lists the AWS Health finding fields and their ASFF counterparts as they appear in Security Hub CSPM.


| Health finding field | ASFF field | Hardcoded value | 
| --- | --- | --- | 
| account | AwsAccountId |   | 
| detail.startTime | CreatedAt |   | 
| detail.eventDescription.latestDescription | Description |   | 
| detail.eventTypeCode | GeneratorId |   | 
| detail.eventArn (including account) + hash of detail.startTime | Id |   | 
| "arn:aws:securityhub:<region>::product/aws/health" | ProductArn |   | 
| account or resourceId | Resources[i].id |   | 
|   | Resources[i].Type | "Other" | 
|   | SchemaVersion | "2018-10-08" | 
|   | Severity.Label | See "Interpreting severity label" below | 
| "AWS Health -" detail.eventTypeCode | Title |   | 
|   | Types | ["Software and Configuration Checks"] | 
| event.time | UpdatedAt |   | 
| URL of the event on Health console | SourceUrl |   | 

##### Interpreting severity label
<a name="integration-health-view-interpret-severity"></a>

The severity label in the ASFF finding is determined using the following logic:
+ Severity **CRITICAL** if:
  + The `service` field in the AWS Health finding has the value `Risk`
  + The `typeCode` field in the AWS Health finding has the value `AWS_S3_OPEN_ACCESS_BUCKET_NOTIFICATION`
  + The `typeCode` field in the AWS Health finding has the value `AWS_SHIELD_INTERNET_TRAFFIC_LIMITATIONS_PLACED_IN_RESPONSE_TO_DDOS_ATTACK`
  + The `typeCode` field in the AWS Health finding has the value `AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES`
+ Severity **HIGH** if:
  + The `service` field in the AWS Health finding has the value `Abuse`
  + The `typeCode` field in the AWS Health finding contains the value `SECURITY_NOTIFICATION`
  + The `typeCode` field in the AWS Health finding contains the value `ABUSE_DETECTION`
+ Severity **MEDIUM** if:
  + The `service` field in the finding is any of the following: `ACM`, `ARTIFACT`, `AUDITMANAGER`, `BACKUP`, `CLOUDENDURE`, `CLOUDHSM`, `CLOUDTRAIL`, `CLOUDWATCH`, `CODEGURU`, `COGNITO`, `CONFIG`, `CONTROLTOWER`, `DETECTIVE`, `DIRECTORYSERVICE`, `DRS`, `EVENTS`, `FIREWALLMANAGER`, `GUARDDUTY`, `IAM`, `INSPECTOR`, `INSPECTOR2`, `IOTDEVICEDEFENDER`, `KMS`, `MACIE`, `NETWORKFIREWALL`, `ORGANIZATIONS`, `RESILIENCEHUB`, `RESOURCEMANAGER`, `ROUTE53`, `SECURITYHUB`, `SECRETSMANAGER`, `SES`, `SHIELD`, `SSO`, or `WAF`
  + The `typeCode` field in the AWS Health finding contains the value `CERTIFICATE`
  + The `typeCode` field in the AWS Health finding contains the value `END_OF_SUPPORT`
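
The mapping table and severity rules above can be turned into a reconciliation check that predicts the fixed ASFF fields for an AWS Health event and reports where an ingested finding differs. This is an added example, not AWS code. It assumes that one matching condition is enough for a label, that the most severe matching label wins, that comparison ignores case, and that `service` sits under `detail` like the other mapped fields; the function names and sample data are constructed.

```python
"""Predict the ASFF severity label and fixed fields for an AWS Health event."""

CRITICAL_TYPE_CODES = {
    "AWS_S3_OPEN_ACCESS_BUCKET_NOTIFICATION",
    "AWS_SHIELD_INTERNET_TRAFFIC_LIMITATIONS_PLACED_IN_RESPONSE_TO_DDOS_ATTACK",
    "AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES",
}
HIGH_TYPE_CODE_MARKERS = ("SECURITY_NOTIFICATION", "ABUSE_DETECTION")
MEDIUM_TYPE_CODE_MARKERS = ("CERTIFICATE", "END_OF_SUPPORT")
MEDIUM_SERVICES = frozenset("""
    ACM ARTIFACT AUDITMANAGER BACKUP CLOUDENDURE CLOUDHSM CLOUDTRAIL CLOUDWATCH
    CODEGURU COGNITO CONFIG CONTROLTOWER DETECTIVE DIRECTORYSERVICE DRS EVENTS
    FIREWALLMANAGER GUARDDUTY IAM INSPECTOR INSPECTOR2 IOTDEVICEDEFENDER KMS
    MACIE NETWORKFIREWALL ORGANIZATIONS RESILIENCEHUB RESOURCEMANAGER ROUTE53
    SECURITYHUB SECRETSMANAGER SES SHIELD SSO WAF
""".split())


def severity_label(service, type_code):
    """Return CRITICAL, HIGH or MEDIUM, or None when no listed rule matches.

    Assumptions: any single condition is sufficient, the most severe matching
    label wins, and values are compared without regard to case.
    """
    svc = (service or "").upper()
    code = (type_code or "").upper()
    if svc == "RISK" or code in CRITICAL_TYPE_CODES:
        return "CRITICAL"
    if svc == "ABUSE" or any(m in code for m in HIGH_TYPE_CODE_MARKERS):
        return "HIGH"
    if svc in MEDIUM_SERVICES or any(m in code for m in MEDIUM_TYPE_CODE_MARKERS):
        return "MEDIUM"
    return None


def expected_asff_fields(event, hub_region):
    """Build the ASFF fields that the mapping table derives directly.

    hub_region is the Region where the finding is stored; for global events it
    is not necessarily the Region named in the event. Id, timestamps,
    Description and Resources are left out because they need data or a hash
    that the table does not fully specify.
    """
    detail = event["detail"]
    type_code = detail["eventTypeCode"]
    return {
        "SchemaVersion": "2018-10-08",
        "ProductArn": f"arn:aws:securityhub:{hub_region}::product/aws/health",
        "AwsAccountId": event["account"],
        "GeneratorId": type_code,
        "Title": f"AWS Health - {type_code}",
        "Types": ["Software and Configuration Checks"],
        "Severity": {"Label": severity_label(detail.get("service"), type_code)},
    }


def mismatches(event, finding, hub_region):
    """Return {field: (expected, actual)} for every field that differs."""
    diffs = {}
    for key, want in expected_asff_fields(event, hub_region).items():
        got = finding.get(key)
        if key == "Severity":
            # Compare the label only; the finding may also carry Normalized.
            got = {"Label": (got or {}).get("Label")}
        if got != want:
            diffs[key] = (want, got)
    return diffs


# Constructed sample input that mirrors the SES event type used in the
# typical finding shown on this page.
SAMPLE_EVENT = {
    "account": "123456789012",
    "detail": {"service": "SES", "eventTypeCode": "AWS_SES_CMF_PENDING_TO_SUCCESS"},
}
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/health",
    "GeneratorId": "AWS_SES_CMF_PENDING_TO_SUCCESS",
    "AwsAccountId": "123456789012",
    "Types": ["Software and Configuration Checks"],
    "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "Title": "AWS Health - AWS_SES_CMF_PENDING_TO_SUCCESS",
}

if __name__ == "__main__":
    print(mismatches(SAMPLE_EVENT, SAMPLE_FINDING, "us-east-1"))
```

A non-empty result from `mismatches` points to a finding that was changed after ingestion or to an event that the listed rules do not cover.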

##### Typical finding from AWS Health
<a name="integration-health-view-typical-finding"></a>

AWS Health sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). The following is an example of a typical finding from AWS Health.

**Note**  
If the description is more than 1024 characters, it will be truncated to 1024 characters and will say *(truncated)* at the end.

```
{
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:health:us-east-1:123456789012:event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96/101F7FBAEFC663977DA09CFF56A29236602834D2D361E6A8CA5140BFB3A69B30",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/health",
            "GeneratorId": "AWS_SES_CMF_PENDING_TO_SUCCESS",
            "AwsAccountId": "123456789012",
            "Types": [
                "Software and Configuration Checks"
            ],
            "CreatedAt": "2022-01-07T16:34:04.000Z",
            "UpdatedAt": "2022-01-07T19:17:43.000Z",
            "Severity": {
                "Label": "MEDIUM",
                "Normalized": 40
            },
            "Title": "AWS Health - AWS_SES_CMF_PENDING_TO_SUCCESS",
            "Description": "Congratulations! Amazon SES has successfully detected the MX record required to use 4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com as a custom MAIL FROM domain for verified identity cmf.pinpoint.sysmon-iad.adzel.com in AWS Region US East (N. Virginia).\\n\\nYou can now use this MAIL FROM domain with cmf.pinpoint.sysmon-iad.adzel.com and any other verified identity that is configured to use it. For information about how to configure a verified identity to use a custom MAIL FROM domain, see http://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from-set.html .\\n\\nPlease note that this email only applies to AWS Region US East (N. Virginia).",
            "SourceUrl": "https://phd.aws.amazon.com/phd/home#/event-log?eventID=arn:aws:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96",
            "ProductFields": {
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/health/arn:aws:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96",
                "aws/securityhub/ProductName": "Health",
                "aws/securityhub/CompanyName": "AWS"
            },
            "Resources": [
                {
                    "Type": "Other",
                    "Id": "4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com"
                }
            ],
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ACTIVE",
            "FindingProviderFields": {
                "Severity": {
                    "Label": "MEDIUM"
                },
                "Types": [
                    "Software and Configuration Checks"
                ]
            }
}
```

#### Enabling and configuring the integration
<a name="integration-health-enable"></a>

After you enable Security Hub CSPM, this integration is automatically activated. AWS Health immediately begins to send findings to Security Hub CSPM.

#### Stopping the publication of findings to Security Hub CSPM
<a name="integration-health-stop"></a>

To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or Security Hub CSPM API.

For instructions on stopping the flow of findings, see [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md).

### AWS Identity and Access Management Access Analyzer (Sends findings)
<a name="integration-iam-access-analyzer"></a>

With IAM Access Analyzer, all findings are sent to Security Hub CSPM.

IAM Access Analyzer uses logic-based reasoning to analyze resource-based policies that are applied to supported resources in your account. IAM Access Analyzer generates a finding when it detects a policy statement that lets an external principal access a resource in your account.

In IAM Access Analyzer, only the administrator account can see findings for analyzers that apply to an organization. For organization analyzers, the `AwsAccountId` ASFF field reflects the administrator account ID. Under `ProductFields`, the `ResourceOwnerAccount` field indicates the account in which the finding was discovered. If you enable analyzers individually for each account, Security Hub CSPM generates multiple findings, one that identifies the administrator account ID and one that identifies the resource account ID. 

For more information, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-securityhub-integration.html) in the *IAM User Guide*.

### Amazon Inspector (Sends findings)
<a name="integration-amazon-inspector"></a>

Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images that reside in the Amazon Elastic Container Registry. The scan looks for software vulnerabilities and unintended network exposure.

After you enable Security Hub CSPM, this integration is automatically activated. Amazon Inspector immediately begins to send all of the findings that it generates to Security Hub CSPM.

For more information about the integration, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/inspector/latest/user/securityhub-integration.html) in the *Amazon Inspector User Guide*.

Security Hub CSPM can also receive findings from Amazon Inspector Classic. Amazon Inspector Classic sends findings to Security Hub CSPM that are generated through assessment runs for all supported rules packages.

For more information about the integration, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/inspector/latest/userguide/securityhub-integration.html) in the *Amazon Inspector Classic User Guide*.

Findings for Amazon Inspector and Amazon Inspector Classic use the same product ARN. Amazon Inspector findings have the following entry in `ProductFields`:

```
"aws/inspector/ProductVersion": "2",
```

**Note**  
Security findings generated by [Amazon Inspector Code Security](https://docs.aws.amazon.com/inspector/latest/user/code-security-assessments.html) are not available for this integration. However, you can access these particular findings in the Amazon Inspector console and through the [Amazon Inspector API](https://docs.aws.amazon.com/inspector/v2/APIReference/Welcome.html).

### AWS IoT Device Defender (Sends findings)
<a name="integration-iot-device-defender"></a>

AWS IoT Device Defender is a security service that audits the configuration of your IoT devices, monitors connected devices to detect abnormal behavior, and helps mitigate security risks.

After enabling both AWS IoT Device Defender and Security Hub CSPM, visit the [Integrations page of the Security Hub CSPM console](https://console.aws.amazon.com/securityhub/home#/integrations), and choose **Accept findings** for Audit, Detect, or both. AWS IoT Device Defender Audit and Detect begin to send all findings to Security Hub CSPM.

AWS IoT Device Defender Audit sends check summaries to Security Hub CSPM, which contain general information for a specific audit check type and audit task. AWS IoT Device Defender Detect sends violation findings for machine learning (ML), statistical, and static behaviors to Security Hub CSPM. Audit also sends finding updates to Security Hub CSPM.

For more information about this integration, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/iot/latest/developerguide/securityhub-integration.html) in the *AWS IoT Developer Guide*.

### Amazon Macie (Sends findings)
<a name="integration-amazon-macie"></a>

Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks. A finding from Macie can indicate that a potential policy violation or sensitive data exists in your Amazon S3 data estate.

After you enable Security Hub CSPM, Macie automatically starts sending policy findings to Security Hub CSPM. You can configure the integration to also send sensitive data findings to Security Hub CSPM.

In Security Hub CSPM, the finding type for a policy or sensitive data finding is changed to a value that is compatible with ASFF. For example, the `Policy:IAMUser/S3BucketPublic` finding type in Macie is displayed as `Effects/Data Exposure/Policy:IAMUser-S3BucketPublic` in Security Hub CSPM.

Macie also sends generated sample findings to Security Hub CSPM. For sample findings, the name of the affected resource is `macie-sample-finding-bucket` and the value for the `Sample` field is `true`.

For more information, see [Evaluating Macie findings with Security Hub](https://docs.aws.amazon.com/macie/latest/user/securityhub-integration.html) in the *Amazon Macie User Guide*.
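
The IAM Access Analyzer, Amazon Inspector, and Macie sections above each describe a field that changes how a finding should be counted or routed: `ResourceOwnerAccount`, `aws/inspector/ProductVersion`, and `Sample`. The following added example (not AWS code) applies all three to a batch of ASFF findings. The product ARN suffixes, function names, and sample findings are assumptions made for illustration, and a missing `aws/inspector/ProductVersion` entry is treated as Amazon Inspector Classic.

```python
"""Annotate ASFF findings from IAM Access Analyzer, Amazon Inspector and Macie."""

# Product ARN suffixes are assumptions made for this example; confirm them
# against the ProductArn values of findings in your own account.
ACCESS_ANALYZER = "product/aws/access-analyzer"
INSPECTOR = "product/aws/inspector"
MACIE = "product/aws/macie"
MACIE_SAMPLE_BUCKET = "macie-sample-finding-bucket"


def annotate(finding):
    """Return the source, the account that owns the resource, and a sample flag."""
    product_arn = finding.get("ProductArn", "")
    fields = finding.get("ProductFields") or {}
    note = {
        "source": "other",
        "owner_account": finding.get("AwsAccountId"),
        "sample": False,
    }

    if product_arn.endswith(ACCESS_ANALYZER):
        note["source"] = "access-analyzer"
        # Organization analyzers report under the administrator account;
        # ResourceOwnerAccount names the account the finding was discovered in.
        note["owner_account"] = fields.get("ResourceOwnerAccount") or note["owner_account"]
    elif product_arn.endswith(INSPECTOR):
        # Both Inspector generations share one product ARN; only the current
        # service sets ProductVersion to "2".
        is_v2 = fields.get("aws/inspector/ProductVersion") == "2"
        note["source"] = "inspector" if is_v2 else "inspector-classic"
    elif product_arn.endswith(MACIE):
        note["source"] = "macie"
        resource_ids = [r.get("Id", "") for r in finding.get("Resources", [])]
        note["sample"] = finding.get("Sample") is True or any(
            MACIE_SAMPLE_BUCKET in rid for rid in resource_ids
        )
    return note


def workload(findings):
    """Count non-sample findings per (source, owner account)."""
    counts = {}
    for finding in findings:
        note = annotate(finding)
        if note["sample"]:
            continue  # generated sample findings are not real exposure
        key = (note["source"], note["owner_account"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample findings, reduced to the fields the rules read.
SAMPLE_FINDINGS = [
    {   # organization analyzer: reported by 111111111111, resource in 222222222222
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/access-analyzer",
        "AwsAccountId": "111111111111",
        "ProductFields": {"ResourceOwnerAccount": "222222222222"},
    },
    {
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
        "AwsAccountId": "222222222222",
        "ProductFields": {"aws/inspector/ProductVersion": "2"},
    },
    {
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
        "AwsAccountId": "222222222222",
        "ProductFields": {},
    },
    {
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
        "AwsAccountId": "222222222222",
        "Sample": True,
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::macie-sample-finding-bucket"}],
    },
    {
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
        "AwsAccountId": "222222222222",
        "Types": ["Effects/Data Exposure/Policy:IAMUser-S3BucketPublic"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::constructed-example-bucket"}],
    },
]

if __name__ == "__main__":
    for key, count in sorted(workload(SAMPLE_FINDINGS).items()):
        print(key, count)
```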

### Amazon Route 53 Resolver DNS Firewall (Sends findings)
<a name="integration-amazon-r53rdnsfirewall"></a>

With Amazon Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). You do this by creating reusable collections of filtering rules in DNS Firewall rule groups, associating the rule groups with your VPC, and then monitoring activity in DNS Firewall logs and metrics. Based on the activity, you can adjust DNS Firewall behavior. DNS Firewall is a feature of Route 53 Resolver.

Route 53 Resolver DNS Firewall can send several types of findings to Security Hub CSPM:
+ Findings related to queries blocked or alerted on for domains associated with AWS Managed Domain Lists, which are domain lists that AWS manages.
+ Findings related to queries blocked or alerted on for domains associated with a custom domain list that you define.
+ Findings related to queries blocked or alerted on by DNS Firewall Advanced, which is a Route 53 Resolver feature that can detect queries associated with advanced DNS threats such as Domain Generation Algorithms (DGAs) and DNS Tunneling.

After you enable Security Hub CSPM and Route 53 Resolver DNS Firewall, DNS Firewall automatically starts sending findings for AWS Managed Domain Lists and DNS Firewall Advanced to Security Hub CSPM. To also send findings for a custom domain list to Security Hub CSPM, manually enable the integration in Security Hub CSPM.

In Security Hub CSPM, all findings from Route 53 Resolver DNS Firewall have the following type: `TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation`.

For more information, see [Sending findings from Route 53 Resolver DNS Firewall to Security Hub](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/securityhub-integration.html) in the *Amazon Route 53 Developer Guide*.

### AWS Systems Manager Patch Manager (Sends findings)
<a name="patch-manager"></a>

AWS Systems Manager Patch Manager sends findings to Security Hub CSPM when instances in a customer's fleet go out of compliance with their patch compliance standard.

Patch Manager automates the process of patching managed instances with both security related and other types of updates.

After you enable Security Hub CSPM, this integration is automatically activated. Systems Manager Patch Manager immediately begins to send findings to Security Hub CSPM.

For more information about using Patch Manager, see [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html) in the *AWS Systems Manager User Guide*.

## AWS services that receive findings from Security Hub CSPM
<a name="integrations-internal-receive"></a>

The following AWS services are integrated with Security Hub CSPM and receive findings from Security Hub CSPM. Where noted, the integrated service may also update findings. In this case, finding updates that you make in the integrated service will also be reflected in Security Hub CSPM.

### AWS Audit Manager (Receives findings)
<a name="integration-aws-audit-manager"></a>

AWS Audit Manager receives findings from Security Hub CSPM. These findings help Audit Manager users to prepare for audits.

To learn more about Audit Manager, see the [AWS Audit Manager User Guide](https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html). [AWS Security Hub CSPM checks supported by AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html) lists the controls for which Security Hub CSPM sends findings to Audit Manager.

### Amazon Q Developer in chat applications (Receives findings)
<a name="integration-chatbot"></a>

Amazon Q Developer in chat applications is an interactive agent that helps you to monitor and interact with your AWS resources in your Slack channels and Amazon Chime chat rooms.

Amazon Q Developer in chat applications receives findings from Security Hub CSPM.

To learn more about the Amazon Q Developer in chat applications integration with Security Hub CSPM, see the [Security Hub CSPM integration overview](https://docs.aws.amazon.com/chatbot/latest/adminguide/related-services.html#security-hub) in the *Amazon Q Developer in chat applications Administrator Guide*.

### Amazon Detective (Receives findings)
<a name="integration-amazon-detective"></a>

Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.

The Security Hub CSPM integration with Detective allows you to pivot from Amazon GuardDuty findings in Security Hub CSPM into Detective. You can then use the Detective tools and visualizations to investigate them. The integration does not require any additional configuration in Security Hub CSPM or Detective.

For findings received from other AWS services, the finding details panel on the Security Hub CSPM console includes an **Investigate in Detective** subsection. That subsection contains a link to Detective where you can further investigate the security issue that the finding flagged. You can also build a behavior graph in Detective based on Security Hub CSPM findings to conduct more effective investigations. For more information, see [AWS security findings](https://docs.aws.amazon.com/detective/latest/adminguide/source-data-types-asff.html) in the *Amazon Detective Administration Guide*.

If cross-Region aggregation is enabled, then when you pivot from the aggregation Region, Detective opens in the Region where the finding originated.

If a link does not work, then for troubleshooting advice, see [Troubleshooting the pivot](https://docs.aws.amazon.com/detective/latest/userguide/profile-pivot-from-service.html#profile-pivot-troubleshooting).

### Amazon Security Lake (Receives findings)
<a name="integration-security-lake"></a>

Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. Subscribers can consume data from Security Lake for investigative and analytics use cases.

To activate this integration, you must enable both services and add Security Hub CSPM as a source in the Security Lake console, Security Lake API, or AWS CLI. Once you complete these steps, Security Hub CSPM begins to send all findings to Security Lake.

Security Lake automatically normalizes Security Hub CSPM findings and converts them to a standardized open-source schema called Open Cybersecurity Schema Framework (OCSF). In Security Lake, you can add one or more subscribers to consume Security Hub CSPM findings.

For more information about this integration, including instructions on adding Security Hub CSPM as a source and creating subscribers, see [Integration with AWS Security Hub CSPM](https://docs.aws.amazon.com/security-lake/latest/userguide/securityhub-integration.html) in the *Amazon Security Lake User Guide*.

### AWS Systems Manager Explorer and OpsCenter (Receives and updates findings)
<a name="integration-ssm-explorer-opscenter"></a>

AWS Systems Manager Explorer and OpsCenter receive findings from Security Hub CSPM, and update those findings in Security Hub CSPM.

Explorer provides you with a customizable dashboard, providing key insights and analysis into the operational health and performance of your AWS environment.

OpsCenter provides you with a central location to view, investigate, and resolve operational work items.

For more information about Explorer and OpsCenter, see [Operations management](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-ops-center.html) in the *AWS Systems Manager User Guide*.

### AWS Trusted Advisor (Receives findings)
<a name="integration-trusted-advisor"></a>

Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers. Trusted Advisor inspects your AWS environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.

When you enable both Trusted Advisor and Security Hub CSPM, the integration is updated automatically.

Security Hub CSPM sends the results of its AWS Foundational Security Best Practices checks to Trusted Advisor.

For more information about the Security Hub CSPM integration with Trusted Advisor, see [Viewing AWS Security Hub CSPM controls in AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/security-hub-controls-with-trusted-advisor.html) in the *AWS Support User Guide*.

# Third-party product integrations with Security Hub CSPM
<a name="securityhub-partner-providers"></a>

AWS Security Hub CSPM integrates with multiple third-party partner products. An integration can perform one or more of the following actions:
+ Send findings that it generates to Security Hub CSPM
+ Receive findings from Security Hub CSPM
+ Update findings in Security Hub CSPM

Integrations that send findings to Security Hub CSPM have an Amazon Resource Name (ARN).

An integration might not be available in all AWS Regions. If an integration isn't supported in the Region that you are currently signed in to on the Security Hub CSPM console, it doesn't appear on the **Integrations** page of the console. For a list of integrations that are available in the China Regions and AWS GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).

If you have a security solution and are interested in becoming a Security Hub CSPM partner, send email to securityhub-partners@amazon.com. For more information, see the [Partner Integration Guide](https://docs.aws.amazon.com/securityhub/latest/partnerguide/integration-overview.html).

## Overview of third-party integrations with Security Hub CSPM
<a name="integrations-third-party-summary"></a>

The following table provides an overview of the third-party integrations that can send findings to Security Hub CSPM or receive findings from Security Hub CSPM.


| Integration | Direction | ARN (if applicable) | 
| --- | --- | --- | 
|  [3CORESec – 3CORESec NTA](#integration-3coresec-nta)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/3coresec/3coresec`  | 
|  [Alert Logic – SIEMless Threat Management](#integration-alert-logic-siemless)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:733251395267:product/alertlogic/althreatmanagement`  | 
|  [Aqua Security – Aqua Cloud Native Security Platform](#integration-aqua-security-cloud-native-security-platform)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/aquasecurity/aquasecurity`  | 
|  [Aqua Security – Kube-bench](#integration-aqua-security-kubebench)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/aqua-security/kube-bench`  | 
|  [Armor – Armor Anywhere](#integration-armor-anywhere)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:679703615338:product/armordefense/armoranywhere`  | 
|  [AttackIQ – AttackIQ](#integration-attackiq)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/attackiq/attackiq-platform`  | 
|  [Barracuda Networks – Cloud Security Guardian](#integration-barracuda-cloud-security-guardian)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:151784055945:product/barracuda/cloudsecurityguardian`  | 
|  [BigID – BigID Enterprise](#integration-bigid-enterprise)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/bigid/bigid-enterprise`  | 
|  [Blue Hexagon – Blue Hexagon for AWS](#integration-blue-hexagon-for-aws)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/blue-hexagon/blue-hexagon-for-aws`  | 
|  [Check Point – CloudGuard IaaS](#integration-checkpoint-cloudguard-iaas)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:758245563457:product/checkpoint/cloudguard-iaas`  | 
|  [Check Point – CloudGuard Posture Management](#integration-checkpoint-cloudguard-posture-management)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:634729597623:product/checkpoint/dome9-arc`  | 
|  [Claroty – xDome](#integration-claroty-xdome)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/claroty/xdome`  | 
|  [Cloud Storage Security – Antivirus for Amazon S3](#integration-checkpoint-cloudguard-posture-management)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/cloud-storage-security/antivirus-for-amazon-s3`  | 
|  [Contrast Security](#integration-contrast-security)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/contrast-security/security-assess`  | 
|  [CrowdStrike – CrowdStrike Falcon](#integration-crowdstrike-falcon)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:517716713836:product/crowdstrike/crowdstrike-falcon`  | 
|  [CyberArk – Privileged Threat Analytics](#integration-cyberark-privileged-threat-analytics)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:749430749651:product/cyberark/cyberark-pta`  | 
|  [Data Theorem – Data Theorem](#integration-data-theorem)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/data-theorem/api-cloud-web-secure`  | 
|  [Drata](#integration-drata)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/drata/drata-integration`  | 
|  [Forcepoint – Forcepoint CASB](#integration-forcepoint-casb)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-casb`  | 
|  [Forcepoint – Forcepoint Cloud Security Gateway](#integration-forcepoint-cloud-security-gateway)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/forcepoint/forcepoint-cloud-security-gateway`  | 
|  [Forcepoint – Forcepoint DLP](#integration-forcepoint-dlp)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-dlp`  | 
|  [Forcepoint – Forcepoint NGFW](#integration-forcepoint-ngfw)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-ngfw`  | 
|  [Fugue – Fugue](#integration-fugue)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/fugue/fugue`  | 
|  [Guardicore – Centra 4.0](#integration-guardicore-centra)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/guardicore/guardicore`  | 
|  [HackerOne – Vulnerability Intelligence](#integration-hackerone-vulnerability-intelligence)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/hackerone/vulnerability-intelligence`  | 
|  [JFrog – Xray](#integration-jfrog-xray)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/jfrog/jfrog-xray`  | 
|  [Juniper Networks – vSRX Next Generation Firewall](#integration-junipernetworks-vsrxnextgenerationfirewall)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/juniper-networks/vsrx-next-generation-firewall`  | 
|  [k9 Security – Access Analyzer](#integration-k9-security-access-analyzer)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/k9-security/access-analyzer`  | 
|  [Lacework – Lacework](#integration-lacework)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/lacework/lacework`  | 
|  [McAfee – MVISION Cloud Native Application Protection Platform (CNAPP)](#integration-mcafee-mvision-cnapp)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/mcafee-skyhigh/mcafee-mvision-cloud-aws`  | 
|  [NETSCOUT – NETSCOUT Cyber Investigator](#integration-netscout-cyber-investigator)  |  Sends findings  |  `arn:aws:securityhub:us-east-1::product/netscout/netscout-cyber-investigator`  | 
|  [Orca Cloud Security Platform](#integration-orca-cloud-security-platform)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/orca-security/orca-security`  | 
|  [Palo Alto Networks – Prisma Cloud Compute](#integration-palo-alto-prisma-cloud-compute)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:496947949261:product/twistlock/twistlock-enterprise`  | 
|  [Palo Alto Networks – Prisma Cloud Enterprise](#integration-palo-alto-prisma-cloud-enterprise)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:188619942792:product/paloaltonetworks/redlock`  | 
|  [Plerion – Cloud Security Platform](#integration-plerion)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/plerion/cloud-security-platform`  | 
|  [Prowler – Prowler](#integration-prowler)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/prowler/prowler`  | 
|  [Qualys – Vulnerability Management](#integration-qualys-vulnerability-management)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:805950163170:product/qualys/qualys-vm`  | 
|  [Rapid7 – InsightVM](#integration-rapid7-insightvm)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:336818582268:product/rapid7/insightvm`  | 
|  [SentinelOne – SentinelOne](#integration-sentinelone)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/sentinelone/endpoint-protection`  | 
|  [Snyk](#integration-snyk)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/snyk/snyk`  | 
|  [Sonrai Security – Sonrai Dig](#integration-sonrai-dig)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/sonrai-security/sonrai-dig`  | 
|  [Sophos – Server Protection](#integration-sophos-server-protection)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:062897671886:product/sophos/sophos-server-protection`  | 
|  [StackRox – StackRox Kubernetes Security](#integration-stackrox-kubernetes-security)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/stackrox/kubernetes-security`  | 
|  [Sumo Logic – Machine Data Analytics](#integration-sumologic-machine-data-analytics)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:956882708938:product/sumologicinc/sumologic-mda`  | 
|  [Symantec – Cloud Workload Protection](#integration-symantec-cloud-workload-protection)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:754237914691:product/symantec-corp/symantec-cwp`  | 
|  [Tenable – Tenable.io](#integration-tenable-tenableio)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:422820575223:product/tenable/tenable-io`  | 
|  [Trend Micro – Cloud One](#integration-trend-micro)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/trend-micro/cloud-one`  | 
|  [Vectra – Cognito Detect](#integration-vectra-ai-cognito-detect)  |  Sends findings  |  `arn:aws:securityhub:<REGION>:978576646331:product/vectra-ai/cognito-detect`  | 
|  [Wiz](#integration-wiz)  |  Sends findings  |  `arn:aws:securityhub:<REGION>::product/wiz-security/wiz-security`  | 
|  [Atlassian - Jira Service Management](#integration-atlassian-jira-service-management)  |  Receives and updates findings  |  Not applicable  | 
|  [Atlassian - Jira Service Management Cloud](#integration-atlassian-jira-service-management-cloud)  |  Receives and updates findings  |  Not applicable  | 
|  [Atlassian – Opsgenie](#integration-atlassian-opsgenie)  |  Receives findings  |  Not applicable  | 
|  [Dynatrace](#integration-dynatrace)  |  Receives findings  |  Not applicable  | 
|  [Elastic](#integration-elastic)  |  Receives findings  |  Not applicable  | 
|  [Fortinet – FortiCNP](#integration-fortinet-forticnp)  |  Receives findings  |  Not applicable  | 
|  [IBM – QRadar](#integration-ibm-qradar)  |  Receives findings  |  Not applicable  | 
|  [Logz.io Cloud SIEM](#integration-logzio-cloud-siem)  |  Receives findings  |  Not applicable  | 
|  [MetricStream](#integration-metricstream)  |  Receives findings  |  Not applicable  | 
|  [MicroFocus – MicroFocus Arcsight](#integration-microfocus-arcsight)  |  Receives findings  |  Not applicable  | 
|  [New Relic Vulnerability Management](#integration-new-relic-vulnerability-management)  |  Receives findings  |  Not applicable  | 
|  [PagerDuty – PagerDuty](#integration-pagerduty)  |  Receives findings  |  Not applicable  | 
|  [Palo Alto Networks – Cortex XSOAR](#integration-palo-alto-cortex-xsoar)  |  Receives findings  |  Not applicable  | 
|  [Palo Alto Networks – VM-Series](#integration-palo-alto-vmseries)  |  Receives findings  |  Not applicable  | 
|  [Rackspace Technology – Cloud Native Security](#integration-rackspace-cloud-native-security)  |  Receives findings  |  Not applicable  | 
|  [Rapid7 – InsightConnect](#integration-rapid7-insightconnect)  |  Receives findings  |  Not applicable  | 
|  [RSA – RSA Archer](#integration-rsa-archer)  |  Receives findings  |  Not applicable  | 
|  [ServiceNow – ITSM](#integration-servicenow-itsm)  |  Receives and updates findings  |  Not applicable  | 
|  [Slack – Slack](#integration-slack)  |  Receives findings  |  Not applicable  | 
|  [Splunk – Splunk Enterprise](#integration-splunk-enterprise)  |  Receives findings  |  Not applicable  | 
|  [Splunk – Splunk Phantom](#integration-splunk-phantom)  |  Receives findings  |  Not applicable  | 
|  [ThreatModeler](#integration-threatmodeler)  |  Receives findings  |  Not applicable  | 
|  [Trellix – Trellix Helix](#integration-fireeye-helix)  |  Receives findings  |  Not applicable  | 
|  [Caveonix – Caveonix Cloud](#integration-caveonix-cloud)  |  Sends and receives findings  |  `arn:aws:securityhub:<REGION>::product/caveonix/caveonix-cloud`  | 
|  [Cloud Custodian – Cloud Custodian](#integration-cloud-custodian)  |  Sends and receives findings  |  `arn:aws:securityhub:<REGION>::product/cloud-custodian/cloud-custodian`  | 
|  [DisruptOps, Inc. – DisruptOPS](#integration-disruptops)  |  Sends and receives findings  |  `arn:aws:securityhub:<REGION>::product/disruptops-inc/disruptops`  | 
|  [Kion](#integration-kion)  |  Sends and receives findings  |  `arn:aws:securityhub:<REGION>::product/cloudtamerio/cloudtamerio`  | 
|  [Turbot – Turbot](#integration-turbot)  |  Sends and receives findings  |  `arn:aws:securityhub:<REGION>:453761072151:product/turbot/turbot`  | 

## Third-party integrations that send findings to Security Hub CSPM
<a name="integrations-third-party-send"></a>

The following third-party partner product integrations can send findings to Security Hub CSPM. Security Hub CSPM transforms the findings into the [AWS Security Finding Format](securityhub-findings-format.md).

### 3CORESec – 3CORESec NTA
<a name="integration-3coresec-nta"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/3coresec/3coresec`

3CORESec provides managed detection services for both on-premises and AWS systems. Their integration with Security Hub CSPM allows visibility into threats such as malware, privilege escalation, lateral movement, and improper network segmentation.

[Product link](https://3coresec.com)

[Partner documentation](https://docs.google.com/document/d/1TPUuuyoAVrMKRVnGKouRy384ZJ1-3xZTnruHkIHJqWQ/edit?usp=sharing)

### Alert Logic – SIEMless Threat Management
<a name="integration-alert-logic-siemless"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:733251395267:product/alertlogic/althreatmanagement`

Get the right level of coverage: vulnerability and asset visibility, threat detection and incident management, AWS WAF, and assigned SOC analyst options.

[Product link](https://www.alertlogic.com/solutions/platform/aws-security/)

[Partner documentation](https://docs.alertlogic.com/configure/aws-security-hub.htm)

### Aqua Security – Aqua Cloud Native Security Platform
<a name="integration-aqua-security-cloud-native-security-platform"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/aquasecurity/aquasecurity`

Aqua Cloud Native Security Platform (CSP) provides full lifecycle security for container-based and serverless applications, from your CI/CD pipeline to runtime production environments.

[Product link](https://blog.aquasec.com/aqua-aws-security-hub)

[Partner documentation](https://github.com/aquasecurity/aws-security-hub-plugin)

### Aqua Security – Kube-bench
<a name="integration-aqua-security-kubebench"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/aqua-security/kube-bench`

Kube-bench is an open-source tool that runs the Center for Internet Security (CIS) Kubernetes Benchmark against your environment.

[Product link](https://github.com/aquasecurity/kube-bench/blob/master/README.md)

[Partner documentation](https://github.com/aquasecurity/kube-bench/blob/master/README.md)

### Armor – Armor Anywhere
<a name="integration-armor-anywhere"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:679703615338:product/armordefense/armoranywhere`

Armor Anywhere delivers managed security and compliance for AWS.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=797425f4-6823-4cf6-82b5-634f9a9ec347)

[Partner documentation](https://amp.armor.com/account/cloud-connections)

### AttackIQ – AttackIQ
<a name="integration-attackiq"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/attackiq/attackiq-platform`

AttackIQ Platform emulates real adversarial behavior aligned with the MITRE ATT&CK Framework to help validate and improve your overall security posture.

[Product link](https://go.attackiq.com/BD-AWS-Security-Hub_LP.html)

[Partner documentation](https://github.com/AttackIQ/attackiq.github.io)

### Barracuda Networks – Cloud Security Guardian
<a name="integration-barracuda-cloud-security-guardian"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:151784055945:product/barracuda/cloudsecurityguardian`

Barracuda Cloud Security Sentry helps organizations stay secure while building applications in, and moving workloads to, the public cloud.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/B07KF2X7QJ)

[Product link](https://www.barracuda.com/solutions/aws)

### BigID – BigID Enterprise
<a name="integration-bigid-enterprise"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/bigid/bigid-enterprise`

The BigID Enterprise Privacy Management Platform helps companies manage and protect sensitive data (PII) across all their systems.

[Product link](https://github.com/bigexchange/aws-security-hub)

[Partner documentation](https://github.com/bigexchange/aws-security-hub)

### Blue Hexagon – Blue Hexagon for AWS
<a name="integration-blue-hexagon-for-aws"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/blue-hexagon/blue-hexagon-for-aws`

Blue Hexagon is a real-time threat detection platform. It uses deep learning principles to detect known and unknown threats, including malware and network anomalies.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-fvt5ts3ulhrtk?sr=0-1&ref_=beagle&applicationId=AWSMPContessa)

[Partner documentation](https://bluehexagonai.atlassian.net/wiki/spaces/BHDOC/pages/395935769/Deploying+Blue+Hexagon+with+AWS+Traffic+Mirroring#DeployingBlueHexagonwithAWSTrafficMirroringDeployment-Integrations)

### Check Point – CloudGuard IaaS
<a name="integration-checkpoint-cloudguard-iaas"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:758245563457:product/checkpoint/cloudguard-iaas`

Check Point CloudGuard easily extends comprehensive threat prevention security to AWS while protecting assets in the cloud.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=a979fc8a-dd48-42c8-84cc-63d5d50e3a2f)

[Partner documentation](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk140412)

### Check Point – CloudGuard Posture Management
<a name="integration-checkpoint-cloudguard-posture-management"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:634729597623:product/checkpoint/dome9-arc`

A SaaS platform that delivers verifiable cloud network security, advanced IAM protection, and comprehensive compliance and governance.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=a979fc8a-dd48-42c8-84cc-63d5d50e3a2f)

[Partner documentation](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144592&partition=General&product=CloudGuard)

### Claroty – xDome
<a name="integration-claroty-xdome"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/claroty/xdome`

Claroty xDome helps organizations secure their cyber-physical systems across the Extended Internet of Things (XIoT) within industrial (OT), healthcare (IoMT), and enterprise (IoT) environments.

[Product link](https://claroty.com/)

[Partner documentation](https://claroty.com/resources/integration-briefs/the-claroty-aws-securityhub-integration-guide)

### Cloud Storage Security – Antivirus for Amazon S3
<a name="integration-cloud-storage-security-antivirus-for-s3"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/cloud-storage-security/antivirus-for-amazon-s3`

Cloud Storage Security provides cloud native anti-malware and antivirus scanning for Amazon S3 objects.

Antivirus for Amazon S3 offers real-time and scheduled scans of objects and files in Amazon S3 for malware and threats. It provides visibility and remediation for problem and infected files.

[Product link](https://cloudstoragesec.com/)

[Partner documentation](https://help.cloudstoragesec.com/console-overview/console-settings/#send-scan-result-findings-to-aws-security-hub)

### Contrast Security – Contrast Assess
<a name="integration-contrast-security"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/contrast-security/security-assess`

Contrast Security Contrast Assess is an IAST tool that offers real-time vulnerability detection in web apps, APIs, and microservices. Contrast Assess integrates with Security Hub CSPM to help provide centralized visibility and response for all your workloads.

[Product link](https://aws.amazon.com/marketplace/pp/prodview-g5df2jw32felw)

[Partner documentation](https://docs.contrastsecurity.com/en/securityhub.html)

### CrowdStrike – CrowdStrike Falcon
<a name="integration-crowdstrike-falcon"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:517716713836:product/crowdstrike/crowdstrike-falcon`

The CrowdStrike Falcon single, lightweight sensor unifies next-generation antivirus, endpoint detection and response, and 24/7 managed hunting through the cloud.

[AWS Marketplace link](https://aws.amazon.com/marketplace/seller-profile?id=f4fb055a-5333-4b6e-8d8b-a4143ad7f6c7)

[Partner documentation](https://github.com/CrowdStrike/falcon-integration-gateway)

### CyberArk – Privileged Threat Analytics
<a name="integration-cyberark-privileged-threat-analytics"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:749430749651:product/cyberark/cyberark-pta`

Privileged Threat Analytics collects, detects, alerts on, and responds to high-risk activity and behavior of privileged accounts to contain in-progress attacks.

[Product link](https://www.cyberark.com/solutions/digital-transformation/cloud-virtualization-security/)

[Partner documentation](https://cyberark-customers.force.com/mplace/s/#a352J000000dZATQA2-a392J000001Z3eaQAC)

### Data Theorem – Data Theorem
<a name="integration-data-theorem"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/data-theorem/api-cloud-web-secure`

Data Theorem continuously scans web applications, APIs, and cloud resources in search of security flaws and data privacy gaps to prevent AppSec data breaches.

[Product link](https://www.datatheorem.com/partners/aws/)

[Partner documentation](https://datatheorem.atlassian.net/wiki/spaces/PKB/pages/1730347009/AWS+Security+Hub+Integration)

### Drata
<a name="integration-drata"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/drata/drata-integration`

Drata is a compliance automation platform that helps you achieve and maintain compliance with various frameworks, such as SOC2, ISO, and GDPR. The integration between Drata and Security Hub CSPM helps you centralize your security findings in one location.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-3ubrmmqkovucy)

[Partner documentation](https://drata.com/partner/aws)

### Forcepoint – Forcepoint CASB
<a name="integration-forcepoint-casb"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-casb`

Forcepoint CASB allows you to discover cloud application use, analyze risk, and enforce appropriate controls for SaaS and custom applications.

[Product link](https://www.forcepoint.com/platform/technology-partners/securing-your-amazon-web-services-aws-workloads)

[Partner documentation](https://frcpnt.com/casb-securityhub)

### Forcepoint – Forcepoint Cloud Security Gateway
<a name="integration-forcepoint-cloud-security-gateway"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/forcepoint/forcepoint-cloud-security-gateway`

Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are.

[Product link](https://www.forcepoint.com/product/cloud-security-gateway)

[Partner documentation](https://forcepoint.github.io/docs/csg_and_aws_security_hub/#forcepoint-cloud-security-gateway-and-aws-security-hub)

### Forcepoint – Forcepoint DLP
<a name="integration-forcepoint-dlp"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-dlp`

Forcepoint DLP addresses human-centric risk with visibility and control everywhere your people work and everywhere your data resides.

[Product link](https://www.forcepoint.com/platform/technology-partners/securing-your-amazon-web-services-aws-workloads)

[Partner documentation](https://frcpnt.com/dlp-securityhub)

### Forcepoint – Forcepoint NGFW
<a name="integration-forcepoint-ngfw"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-ngfw`

Forcepoint NGFW lets you connect your AWS environment into your enterprise network with the scalability, protection, and insights needed to manage your network and respond to threats.

[Product link](https://www.forcepoint.com/platform/technology-partners/securing-your-amazon-web-services-aws-workloads)

[Partner documentation](https://frcpnt.com/ngfw-securityhub)

### Fugue – Fugue
<a name="integration-fugue"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/fugue/fugue`

Fugue is an agent-less, scalable cloud-native platform that automates the continuous validation of infrastructure-as-code and cloud runtime environments using the same policies.

[Product link](https://www.fugue.co/aws-security-hub-integration)

[Partner documentation](https://docs.fugue.co/integrations-aws-security-hub.html)

### Guardicore – Centra 4.0
<a name="integration-guardicore-centra"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/guardicore/guardicore`

Guardicore Centra provides flow visualization, micro-segmentation, and breach detection for workloads in modern data centers and clouds.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=21127457-7622-49be-81a6-4cb5dd77a088)

[Partner documentation](https://customers.guardicore.com/login)

### HackerOne – Vulnerability Intelligence
<a name="integration-hackerone-vulnerability-intelligence"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/hackerone/vulnerability-intelligence`

The HackerOne platform partners with the global hacker community to uncover the most relevant security issues. Vulnerability Intelligence enables your organization to go beyond automated scanning. It shares vulnerabilities that HackerOne ethical hackers have validated, along with the steps they provided to reproduce them.

[AWS Marketplace link](https://aws.amazon.com/marketplace/seller-profile?id=10857e7c-011b-476d-b938-b587deba31cf)

[Partner documentation](https://docs.hackerone.com/en/articles/8562571-aws-security-hub-integration)

### JFrog – Xray
<a name="integration-jfrog-xray"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/jfrog/jfrog-xray`

JFrog Xray is a universal application security Software Composition Analysis (SCA) tool that continuously scans binaries for license compliance and security vulnerabilities so that you can run a secure software supply chain.

[AWS Marketplace link](https://aws.amazon.com/marketplace/seller-profile?id=68002c4f-c9d1-4fa7-b827-fd7204523fb7)

[Partner documentation](https://www.jfrog.com/confluence/display/JFROG/Xray+Integration+with+AWS+Security+Hub)

### Juniper Networks – vSRX Next Generation Firewall
<a name="integration-junipernetworks-vsrxnextgenerationfirewall"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/juniper-networks/vsrx-next-generation-firewall`

Juniper Networks' vSRX Virtual Next Generation Firewall delivers a complete cloud-based virtual firewall with advanced security, secure SD-WAN, robust networking, and built-in automation.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-z7jcugjx442hw)

[Partner documentation](https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-aws/topics/topic-map/security-aws-cloudwatch-security-hub-and-logs.html#id-enable-and-configure-security-hub-on-vsrx)

[Product link](https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-aws/topics/topic-map/security-aws-cloudwatch-security-hub-and-logs.html)

### k9 Security – Access Analyzer
<a name="integration-k9-security-access-analyzer"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/k9-security/access-analyzer`

k9 Security notifies you when important access changes occur in your AWS Identity and Access Management account. With k9 Security, you can understand the access that users and IAM roles have to critical AWS services and your data.

k9 Security is built for continuous delivery, allowing you to operationalize IAM with actionable access audits and simple policy automation for AWS CDK and Terraform.

[Product link](https://www.k9security.io/lp/operationalize-aws-iam-security-hub)

[Partner documentation](https://www.k9security.io/docs/how-to-configure-k9-access/)

### Lacework – Lacework
<a name="integration-lacework"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/lacework/lacework`

Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform automates cloud security at scale so you can innovate with speed and safety.

[Product link](https://www.lacework.com/platform/aws/)

[Partner documentation](https://www.lacework.com/platform/aws/)

### McAfee – MVISION Cloud Native Application Protection Platform (CNAPP)
<a name="integration-mcafee-mvision-cnapp"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/mcafee-skyhigh/mcafee-mvision-cloud-aws`

McAfee MVISION Cloud Native Application Protection Platform (CNAPP) offers Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for your AWS environment.

[Product link](https://aws.amazon.com/marketplace/pp/prodview-ol6txkzkdyacc)

[Partner documentation](https://success.myshn.net/Cloud_Native_Application_Protection_Platform_(IaaS)/Amazon_Web_Services_(AWS)/Integrate_MVISION_Cloud_with_AWS_Security_Hub)

### NETSCOUT – NETSCOUT Cyber Investigator
<a name="integration-netscout-cyber-investigator"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/netscout/netscout-cyber-investigator`

NETSCOUT Cyber Investigator is an enterprise-wide network threat, risk investigation, and forensic analysis platform that helps to reduce the impact of cyber threats on businesses.

[Product link](https://aws.amazon.com/marketplace/pp/prodview-reujxcu2cv3f4?qid=1608874215786&sr=0-1&ref_=srh_res_product_title)

[Partner documentation](https://www.netscout.com/solutions/cyber-investigator-aws)

### Orca Cloud Security Platform
<a name="integration-orca-cloud-security-platform"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/orca-security/orca-security`

The Orca Cloud Security Platform identifies, prioritizes, and remediates risks and compliance issues across your entire cloud estate. Orca’s agentless-first, AI-driven platform offers comprehensive coverage detecting vulnerabilities, misconfigurations, lateral movement, API risks, sensitive data, anomalous events and behaviors, and overly permissive identities.

Orca integrates with Security Hub CSPM to bring deep cloud security telemetry into Security Hub CSPM. Orca, using its SideScanning technology, prioritizes risk across cloud infrastructure, workloads, applications, data, APIs, identities, and more.

[Product link](https://orca.security/partners/technology/amazon-web-services-aws/)

[Partner documentation](https://docs.orcasecurity.io/docs/integrating-amazon-security-hub)

### Palo Alto Networks – Prisma Cloud Compute
<a name="integration-palo-alto-prisma-cloud-compute"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:496947949261:product/twistlock/twistlock-enterprise`

Prisma Cloud Compute is a cloud native cybersecurity platform that protects VMs, containers, and serverless platforms.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314)

[Partner documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts/aws_security_hub.html)

### Palo Alto Networks – Prisma Cloud Enterprise
<a name="integration-palo-alto-prisma-cloud-enterprise"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:188619942792:product/paloaltonetworks/redlock`

Protects your AWS deployment with cloud security analytics, advanced threat detection, and compliance monitoring.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314)

[Partner documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-aws-security-hub)

### Plerion – Cloud Security Platform
<a name="integration-plerion"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/plerion/cloud-security-platform`

Plerion is a Cloud Security Platform with a unique threat-led, risk-driven approach that offers preventative, detective, and corrective action across your workloads. The integration between Plerion and Security Hub CSPM allows customers to centralize and act upon their security findings in one place.

[AWS Marketplace link](https://aws.amazon.com/marketplace/seller-profile?id=464b7833-edb8-43ee-b083-d8a298b7ba08)

[Partner documentation](https://au.app.plerion.com/resource-center/platform-documentation/integrations/outbound/securityHub)

### Prowler – Prowler
<a name="integration-prowler"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/prowler/prowler`

Prowler is an open source security tool to perform AWS checks related to security best practices, hardening, and continuous monitoring.

[Product link](https://github.com/prowler-cloud/prowler)

[Partner documentation](https://github.com/prowler-cloud/prowler#security-hub-integration)

### Qualys – Vulnerability Management
<a name="integration-qualys-vulnerability-management"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:805950163170:product/qualys/qualys-vm`

Qualys Vulnerability Management (VM) continuously scans and identifies vulnerabilities, protecting your assets.

[Product link](https://www.qualys.com/public-cloud/#aws)

[Partner documentation](https://qualys-secure.force.com/discussions/s/article/000005831)

### Rapid7 – InsightVM
<a name="integration-rapid7-insightvm"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:336818582268:product/rapid7/insightvm`

Rapid7 InsightVM provides vulnerability management for modern environments, allowing you to efficiently find, prioritize, and remediate vulnerabilities.

[Product link](https://www.rapid7.com/products/insightvm/)

[Partner documentation](https://docs.rapid7.com/insightvm/aws-security-hub/)

### SentinelOne – SentinelOne
<a name="integration-sentinelone"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/sentinelone/endpoint-protection`

SentinelOne is an autonomous extended detection and response (XDR) platform encompassing AI-powered prevention, detection, response, and hunting across endpoints, containers, cloud workloads, and IoT devices.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-2qxvr62fng6li?sr=0-2&ref_=beagle&applicationId=AWSMPContessa)

[Product link](https://www.sentinelone.com/press/sentinelone-announces-integration-with-aws-security-hub/)

### Snyk
<a name="integration-snyk"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/snyk/snyk`

Snyk provides a security platform that scans app components for security risks in workloads running on AWS. These risks are sent to Security Hub CSPM as findings, helping developers and security teams visualize and prioritize them along with the rest of their AWS security findings.

[AWS Marketplace link](https://aws.amazon.com/marketplace/seller-profile?id=bb528b8d-079c-455e-95d4-e68438530f85)

[Partner documentation](https://docs.snyk.io/integrations/event-forwarding/aws-security-hub)

### Sonrai Security – Sonrai Dig
<a name="integration-sonrai-dig"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/sonrai-security/sonrai-dig`

Sonrai Dig monitors and remediates cloud misconfigurations and policy violations, so you can improve your security and compliance posture.

[Product link](https://sonraisecurity.com/solutions/amazon-web-services-aws-and-sonrai-security/)

[Partner documentation](https://sonraisecurity.com/blog/monitor-privilege-escalation-risk-of-identities-from-aws-security-hub-with-integration-from-sonrai/)

### Sophos – Server Protection
<a name="integration-sophos-server-protection"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:062897671886:product/sophos/sophos-server-protection`

Sophos Server Protection defends the critical applications and data at the core of your organization, using comprehensive defense-in-depth techniques.

[Product link](https://www.sophos.com/en-us/products/cloud-native-security/aws)

### StackRox – StackRox Kubernetes Security
<a name="integration-stackrox-kubernetes-security"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/stackrox/kubernetes-security`

StackRox helps enterprises secure their container and Kubernetes deployments at scale by enforcing their compliance and security policies across the entire container life cycle – build, deploy, and run.

[Product link](https://aws.amazon.com/marketplace/pp/B07RP4B4P1)

[Partner documentation](https://help.stackrox.com/docs/integrate-with-other-tools/integrate-with-aws-security-hub/)

### Sumo Logic – Machine Data Analytics
<a name="integration-sumologic-machine-data-analytics"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:956882708938:product/sumologicinc/sumologic-mda`

Sumo Logic is a secure, machine data analytics platform that enables development and security operations teams to build, run, and secure their AWS applications.

[Product link](https://www.sumologic.com/application/aws-security-hub/)

[Partner documentation](https://help.sumologic.com/07Sumo-Logic-Apps/01Amazon_and_AWS/AWS_Security_Hub)

### Symantec – Cloud Workload Protection
<a name="integration-symantec-cloud-workload-protection"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:754237914691:product/symantec-corp/symantec-cwp`

Cloud Workload Protection provides complete protection for your Amazon EC2 instances with antimalware, intrusion prevention, and file integrity monitoring.

[Product link](https://www.broadcom.com/products/cyber-security/endpoint/hybrid-cloud/cloud-workload-protection)

[Partner documentation](https://help.symantec.com/cs/scwp/SCWP/v130271667_v111037498/Intergration-with-AWS-Security-Hub/?locale=EN_US&sku=CWP_COMPUTE)

### Tenable – Tenable.io
<a name="integration-tenable-tenableio"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:422820575223:product/tenable/tenable-io`

Accurately identify, investigate, and prioritize vulnerabilities. Managed in the cloud.

[Product link](https://www.tenable.com/)

[Partner documentation](https://github.com/tenable/Security-Hub)

### Trend Micro – Cloud One
<a name="integration-trend-micro"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/trend-micro/cloud-one`

Trend Micro Cloud One provides the right security information to teams at the right time and place. This integration sends security findings to Security Hub CSPM in real time, enhancing visibility into your AWS resources and Trend Micro Cloud One event details in Security Hub CSPM.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-g232pyu6l55l4)

[Partner documentation](https://cloudone.trendmicro.com/docs/integrations/aws-security-hub/)

### Vectra – Cognito Detect
<a name="integration-vectra-ai-cognito-detect"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>:978576646331:product/vectra-ai/cognito-detect`

Vectra is transforming cybersecurity by applying advanced AI to detect and respond to hidden cyberattackers before they can steal or cause damage.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-x2mabtjqsjb2w)

[Partner documentation](https://cognito-resource-guide.s3.us-west-2.amazonaws.com/Vectra_AWS_SecurityHub_Integration_Guide.pdf)

### Wiz – Wiz Security
<a name="integration-wiz"></a>

**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/wiz-security/wiz-security`

Wiz continuously analyzes configurations, vulnerabilities, networks, IAM settings, secrets, and more across your AWS accounts, users, and workloads to discover critical issues that represent actual risk. Integrate Wiz with Security Hub CSPM to visualize and respond to issues that Wiz detects from the Security Hub CSPM console.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-wgtgfzwbk4ahy)

[Partner documentation](https://docs.wiz.io/wiz-docs/docs/security-hub-integration)

## Third-party integrations that receive findings from Security Hub CSPM
<a name="integrations-third-party-receive"></a>

The following third-party partner product integrations can receive findings from Security Hub CSPM. Where noted, the product might also update findings. In this case, updates that you make to findings in the partner product are also reflected in Security Hub CSPM.

### Atlassian – Jira Service Management
<a name="integration-atlassian-jira-service-management"></a>

**Integration type:** Receive and update

The AWS Service Management Connector for Jira sends findings from Security Hub CSPM to Jira. Jira issues are created based on the findings. When the Jira issues are updated, the corresponding findings are updated in Security Hub CSPM.

The integration only supports Jira Server and Jira Data Center.

For an overview of the integration and how it works, watch the video [AWS Security Hub CSPM – Bidirectional integration with Atlassian Jira Service Management](https://www.youtube.com/watch?v=uEKwu0M8S3M).

[Product link](https://www.atlassian.com/software/jira/service-management)

[Partner documentation](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-jiraservicedesk.html)

### Atlassian – Jira Service Management Cloud
<a name="integration-atlassian-jira-service-management-cloud"></a>

**Integration type:** Receive and update

Jira Service Management Cloud is the cloud component of Jira Service Management. 

The AWS Service Management Connector for Jira sends findings from Security Hub CSPM to Jira. The findings trigger the creation of issues in Jira Service Management Cloud. When you update those issues in Jira Service Management Cloud, the corresponding findings are also updated in Security Hub CSPM.

[Product link](https://marketplace.atlassian.com/apps/1221283/aws-service-management-connector-for-jsm?tab=overview&hosting=cloud)

[Partner documentation](https://docs.aws.amazon.com/smc/latest/ag/integrations-jsmcloud.html)

### Atlassian – Opsgenie
<a name="integration-atlassian-opsgenie"></a>

**Integration type:** Receive

Opsgenie is a modern incident management solution for operating always-on services, empowering development and operations teams to plan for service disruptions and stay in control during incidents.

Integrating with Security Hub CSPM ensures that mission critical security-related incidents are routed to the appropriate teams for immediate resolution.

[Product link](https://www.atlassian.com/software/opsgenie)

[Partner documentation](https://docs.opsgenie.com/docs/amazon-security-hub-integration-bidirectional)

### Dynatrace
<a name="integration-dynatrace"></a>

**Integration type:** Receive

The Dynatrace integration with Security Hub CSPM helps to unify, visualize, and automate security findings across tools and environments. Adding Dynatrace runtime context to security findings allows smarter prioritization, helps reduce noise from alerts, and focuses your DevSecOps teams on efficiently remedying the critical issues that affect your production environments and applications.

[Product link](https://www.dynatrace.com/solutions/application-security/)

[Partner documentation](https://docs.dynatrace.com/docs/secure/threat-observability/security-events-ingest/ingest-aws-security-hub)

### Elastic
<a name="integration-elastic"></a>

**Integration type:** Receive

Elastic builds search-powered solutions for security, observability, and search. With the Security Hub CSPM integration, Elastic ingests findings and insights from Security Hub CSPM programmatically, normalizes them for correlation and analytics, and presents unified dashboards and detections in Elastic Security, enabling faster triage and investigation without deploying agents.

[Product link](https://www.elastic.co/blog/elastic-integrates-leading-cloud-security-vendors)

[Partner documentation](https://www.elastic.co/docs/reference/integrations/aws/securityhub)

### Fortinet – FortiCNP
<a name="integration-fortinet-forticnp"></a>

**Integration type:** Receive

FortiCNP is a Cloud Native Protection product that aggregates security findings into actionable insights and prioritizes security insights based on risk score to reduce alert fatigue and accelerate remediation.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-vl24vc3mcb5ak)

[Partner documentation](https://docs.fortinet.com/document/forticnp/22.3.a/online-help/467775/aws-security-hub-configuration)

### IBM – QRadar
<a name="integration-ibm-qradar"></a>

**Integration type:** Receive

IBM QRadar SIEM provides security teams with the ability to quickly and accurately detect, prioritize, investigate, and respond to threats.

[Product link](https://www.ibm.com/docs/en/qradar-common?topic=app-aws-security-hub-integration)

[Partner documentation](https://www.ibm.com/docs/en/qradar-common?topic=configuration-integrating-aws-security-hub)

### Logz.io Cloud SIEM
<a name="integration-logzio-cloud-siem"></a>

**Integration type:** Receive

Logz.io is a provider of Cloud SIEM that provides advanced correlation of log and event data to help security teams to detect, analyze, and respond to security threats in real time.

[Product link](https://logz.io/solutions/cloud-monitoring-aws/)

[Partner documentation](https://docs.logz.io/shipping/security-sources/aws-security-hub.html)

### MetricStream – CyberGRC
<a name="integration-metricstream"></a>

**Integration type:** Receive

MetricStream CyberGRC helps you manage, measure, and mitigate cybersecurity risks. By receiving Security Hub CSPM findings, CyberGRC provides more visibility into these risks, so you can prioritize cybersecurity investments and comply with IT policies.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-5ph5amfrrmyx4?qid=1616170904192&sr=0-1&ref_=srh_res_product_title)

[Product link](https://www.metricstream.com/)

### MicroFocus – MicroFocus Arcsight
<a name="integration-microfocus-arcsight"></a>

**Integration type:** Receive

ArcSight accelerates effective threat detection and response in real time, integrating event correlation and supervised and unsupervised analytics with response automation and orchestration.

[Product link](https://aws.amazon.com/marketplace/pp/B07RM918H7)

[Partner documentation](https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/2768/smartconnector-for-amazon-web-services-security-hub)

### New Relic Vulnerability Management
<a name="integration-new-relic-vulnerability-management"></a>

**Integration type:** Receive

New Relic Vulnerability Management receives security findings from Security Hub CSPM, so you can get a centralized view of security alongside performance telemetry in context across your stack.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-yg3ykwh5tmolg)

[Partner documentation](https://docs.newrelic.com/docs/vulnerability-management/integrations/aws/)

### PagerDuty – PagerDuty
<a name="integration-pagerduty"></a>

**Integration type:** Receive

The PagerDuty digital operations management platform empowers teams to proactively mitigate customer-impacting issues by automatically turning any signal into the right insight and action.

AWS users can use the PagerDuty set of AWS integrations to scale their AWS and hybrid environments with confidence.

When coupled with Security Hub CSPM aggregated and organized security alerts, PagerDuty allows teams to automate their threat response process and quickly set up custom actions to prevent potential issues.

PagerDuty users who are undertaking a cloud migration project can move quickly, while decreasing the impact of issues that occur throughout the migration lifecycle.

[Product link](https://aws.amazon.com/marketplace/pp/prodview-5sf6wkximaixc?ref_=srh_res_product_title)

[Partner documentation](https://support.pagerduty.com/docs/aws-security-hub-integration-guide-pagerduty)

### Palo Alto Networks – Cortex XSOAR
<a name="integration-palo-alto-cortex-xsoar"></a>

**Integration type:** Receive

Cortex XSOAR is a Security Orchestration, Automation, and Response (SOAR) platform that integrates with your entire security product stack to accelerate incident response and security operations.

[Product link](https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314)

[Partner documentation](https://xsoar.pan.dev/docs/reference/integrations/aws---security-hub)

### Palo Alto Networks – VM-Series
<a name="integration-palo-alto-vmseries"></a>

**Integration type:** Receive

Palo Alto VM-Series integration with Security Hub CSPM collects threat intelligence and sends it to the VM-Series next-generation firewall as an automatic security policy update that blocks malicious IP address activity.

[Product link](https://github.com/PaloAltoNetworks/pan_aws_security_hub)

[Partner documentation](https://github.com/PaloAltoNetworks/pan_aws_security_hub)

### Rackspace Technology – Cloud Native Security
<a name="integration-rackspace-cloud-native-security"></a>

**Integration type:** Receive

Rackspace Technology provides managed security services on top of native AWS security products for 24x7x365 monitoring by Rackspace SOC, advanced analysis, and threat remediation.

[Product link](https://www.rackspace.com/managed-aws/capabilities/security)

### Rapid7 – InsightConnect
<a name="integration-rapid7-insightconnect"></a>

**Integration type:** Receive

Rapid7 InsightConnect is a security orchestration and automation solution that enables your team to optimize SOC operations with little to no code.

[Product link](https://www.rapid7.com/platform/)

[Partner documentation](https://docs.rapid7.com/insightconnect/aws-security-hub/)

### RSA – RSA Archer
<a name="integration-rsa-archer"></a>

**Integration type:** Receive

RSA Archer IT and Security Risk Management allows you to determine which assets are critical to your business, establish and communicate security policies and standards, detect and respond to attacks, identify and remediate security deficiencies, and establish clear IT risk management best practices.

[Product link](https://community.rsa.com/docs/DOC-111898)

[Partner documentation](https://community.rsa.com/docs/DOC-111898)

### ServiceNow – ITSM
<a name="integration-servicenow-itsm"></a>

**Integration type:** Receive and update

The ServiceNow integration with Security Hub CSPM allows security findings from Security Hub CSPM to be viewed within ServiceNow ITSM. You can also configure ServiceNow to automatically create an incident or problem when it receives a finding from Security Hub CSPM.

Any updates to these incidents and problems result in updates to the findings in Security Hub CSPM.

For an overview of the integration and how it works, watch the video [AWS Security Hub CSPM - Bidirectional integration with ServiceNow ITSM](https://www.youtube.com/watch?v=OYTi0sjEggE).

[Product link](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-servicenow.html)

[Partner documentation](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/securityhub-config.html)

### Slack – Slack
<a name="integration-slack"></a>

**Integration type:** Receive

Slack is a layer of the business technology stack that brings together people, data, and applications. It is a single place where people can effectively work together, find important information, and access hundreds of thousands of critical applications and services to do their best work.

[Product link](https://github.com/aws-samples/aws-securityhub-to-slack)

[Partner documentation](https://docs.aws.amazon.com/chatbot/latest/adminguide/related-services.html)

### Splunk – Splunk Enterprise
<a name="integration-splunk-enterprise"></a>

**Integration type:** Receive

Splunk uses Amazon CloudWatch Events as a consumer of Security Hub CSPM findings. Send your data to Splunk for advanced security analytics and SIEM.

[Product link](https://splunkbase.splunk.com/app/5767)

[Partner documentation](https://github.com/splunk/splunk-for-securityHub)

### Splunk – Splunk Phantom
<a name="integration-splunk-phantom"></a>

**Integration type:** Receive

With the Splunk Phantom application for AWS Security Hub CSPM, findings are sent to Phantom for automated context enrichment with additional threat intelligence information or to perform automated response actions.

[Product link](https://splunkbase.splunk.com/app/5767)

[Partner documentation](https://splunkphantom.s3.amazonaws.com/phantom-sechub-setup.html)

### ThreatModeler
<a name="integration-threatmodeler"></a>

**Integration type:** Receive

ThreatModeler is an automated threat modeling solution that secures and scales the enterprise software and cloud development life cycle.

[Product link](https://aws.amazon.com/marketplace/pp/B07S65ZLPQ)

[Partner documentation](https://threatmodeler-setup-quickstart.s3.amazonaws.com/ThreatModeler+Setup+Guide/ThreatModeler+Setup+%26+Deployment+Guide.pdf)

### Trellix – Trellix Helix
<a name="integration-fireeye-helix"></a>

**Integration type:** Receive

Trellix Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix.

[Product link](https://www.trellix.com/en-us/products/helix.html)

[Partner documentation](https://docs.trellix.com/bundle/fe-helix-enterprise-landing/)

## Third-party integrations that send findings to and receive findings from Security Hub CSPM
<a name="integrations-third-party-send-receive"></a>

The following third-party partner product integrations can send findings to and receive findings from Security Hub CSPM.

### Caveonix – Caveonix Cloud
<a name="integration-caveonix-cloud"></a>

**Integration type:** Send and receive

**Product ARN:** `arn:aws:securityhub:<REGION>::product/caveonix/caveonix-cloud`

The Caveonix AI-powered platform automates visibility, assessment, and mitigation in hybrid clouds, covering cloud-native services, VMs, and containers. Integrated with AWS Security Hub CSPM, Caveonix merges AWS data and advanced analytics for insights into security alerts and compliance.

[AWS Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-v6nlnxa5e67es)

[Partner documentation](https://support.caveonix.com/hc/en-us/articles/18171468832529-App-095-How-to-Integration-AWS-Security-Hub-with-Caveonix-Cloud-)

### Cloud Custodian – Cloud Custodian
<a name="integration-cloud-custodian"></a>

**Integration type:** Send and receive

**Product ARN:** `arn:aws:securityhub:<REGION>::product/cloud-custodian/cloud-custodian`

Cloud Custodian helps you keep your cloud well managed. Its simple YAML DSL lets you easily define rules for a well-managed cloud infrastructure that's both secure and cost optimized.

[Product link](https://cloudcustodian.io/docs/aws/topics/securityhub.html)

[Partner documentation](https://cloudcustodian.io/docs/aws/topics/securityhub.html)

### DisruptOps, Inc. – DisruptOPS
<a name="integration-disruptops"></a>

**Integration type:** Send and receive

**Product ARN:** `arn:aws:securityhub:<REGION>::product/disruptops-inc/disruptops`

The DisruptOps Security Operations Platform helps organizations maintain best security practices in their cloud through the use of automated guardrails.

[Product link](https://disruptops.com/ad/securityhub-isa/)

[Partner documentation](https://disruptops.com/securityhub/)

### Kion
<a name="integration-kion"></a>

**Integration type:** Send and receive

**Product ARN:** `arn:aws:securityhub:<REGION>::product/cloudtamerio/cloudtamerio`

Kion (formerly cloudtamer.io) is a complete cloud governance solution for AWS. Kion gives stakeholders visibility into cloud operations and helps cloud users manage accounts, control budget and cost, and ensure continuous compliance.

[Product link](https://kion.io/partners/aws)

[Partner documentation](https://support.kion.io/hc/en-us/articles/360046647551-AWS-Security-Hub)

### Turbot – Turbot
<a name="integration-turbot"></a>

**Integration type:** Send and receive

**Product ARN:** `arn:aws:securityhub:<REGION>::product/turbot/turbot`

Turbot ensures that your cloud infrastructure is secure, compliant, scalable, and cost optimized.

[Product link](https://turbot.com/features/)

[Partner documentation](https://turbot.com/blog/2018/11/aws-security-hub/)

# Integrating Security Hub CSPM with custom products
<a name="securityhub-custom-providers"></a>

In addition to findings generated by integrated AWS services and third-party products, AWS Security Hub CSPM can consume findings that are generated by other custom security products.

You can send these findings to Security Hub CSPM by using the [`BatchImportFindings`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API. You can use the same operation to update findings from custom products that you already sent to Security Hub CSPM.

When setting up the custom integration, use the [guidelines and checklists](https://docs.aws.amazon.com/securityhub/latest/partnerguide/integration-guidelines-checklists.html) provided in the *Security Hub CSPM Partner Integration Guide*.

## Requirements and recommendations for custom product integrations
<a name="securityhub-custom-providers-bfi-reqs"></a>

Before you can successfully invoke the [`BatchImportFindings`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_BatchImportFindings.html) API operation, you must enable Security Hub CSPM.

You must also provide finding details for the custom product using the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). Review the following requirements and recommendations for custom product integrations:

**Setting the product ARN**  
When you enable Security Hub CSPM, a default product Amazon Resource Name (ARN) for Security Hub CSPM is generated in your current account.  
This product ARN has the following format: `arn:aws:securityhub:<region>:<account-id>:product/<account-id>/default`. For example, `arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default`.  
Use this product ARN as the value for the [`ProductArn`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-ProductArn) attribute when invoking the `BatchImportFindings` API operation.

**Setting the company and product names**  
You can use `BatchImportFindings` to set a preferred company name and product name for the custom integration that is sending findings to Security Hub CSPM.  
Your specified names replace the preconfigured company name and product name, called personal name and default name respectively, and appear in the Security Hub CSPM console and the JSON of each finding. See [BatchImportFindings for finding providers](finding-update-batchimportfindings.md).

**Setting the finding IDs**  
You must supply, manage, and increment your own finding IDs, using the [`Id`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-Id) attribute.  
Each new finding should have a unique finding ID. If the custom product sends multiple findings with the same finding ID, Security Hub CSPM only processes the first finding.

**Setting the account ID**  
You must specify your own account ID, using the [`AwsAccountId`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-AwsAccountId) attribute.

**Setting the created at and updated at dates**  
You must supply your own timestamps for the [`CreatedAt`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-CreatedAt) and [`UpdatedAt`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-UpdatedAt) attributes.

## Updating findings from custom products
<a name="securityhub-custom-providers-update-findings"></a>

In addition to sending new findings from custom products, you can also use the [`BatchImportFindings`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_BatchImportFindings.html) API operation to update existing findings from custom products.

To update existing findings, use the existing finding ID (via the [`Id`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-Id) attribute). Resend the full finding with the appropriate information updated in the request, including a modified [`UpdatedAt`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-UpdatedAt) timestamp.
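The requirements listed earlier and the update procedure in this section, combined into one added example (this is not code from the AWS documentation): it builds a finding for the default product ARN, produces the full resend for an update, and checks a batch before it goes to `BatchImportFindings`. The helper names, the generator name `example-scanner`, and the resource type are assumptions; attributes not named on this page come from the ASFF schema.

```python
import re
from datetime import datetime, timezone

# Default product ARN format quoted on this page.
DEFAULT_ARN = re.compile(
    r"^arn:aws:securityhub:[a-z0-9-]+:(\d{12}):product/(\d{12})/default$")
# The one UTC form this example emits and accepts; ASFF allows other variants.
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def timestamp(moment=None):
    moment = moment or datetime.now(timezone.utc)
    return moment.astimezone(timezone.utc).strftime(TS_FORMAT)

def new_finding(region, account_id, finding_id, title, description,
                resource_id, severity="MEDIUM", moment=None):
    """Build a new ASFF finding for the account's default product ARN."""
    created = timestamp(moment)
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,  # you own this ID; it must be unique per finding
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}"
                      f":product/{account_id}/default",
        "GeneratorId": "example-scanner",  # hypothetical generator name
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks"],
        "CreatedAt": created,
        "UpdatedAt": created,
        "Severity": {"Label": severity},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "Other", "Id": resource_id}],
    }

def updated_finding(existing, changes, moment=None):
    """Return the full finding to resend: same Id, new UpdatedAt."""
    if {"Id", "CreatedAt", "ProductArn"} & set(changes):
        raise ValueError("an update keeps Id, CreatedAt and ProductArn")
    return {**existing, **changes, "UpdatedAt": timestamp(moment)}

def check_batch(findings):
    """List conflicts with this page's requirements, plus a timestamp sanity check."""
    problems, seen = [], set()
    for index, finding in enumerate(findings):
        label = f"finding[{index}]"
        missing = [k for k in ("Id", "ProductArn", "AwsAccountId",
                               "CreatedAt", "UpdatedAt") if not finding.get(k)]
        if missing:
            problems.append(f"{label}: missing {', '.join(missing)}")
            continue
        arn = DEFAULT_ARN.match(finding["ProductArn"])
        if not arn or len({arn[1], arn[2], finding["AwsAccountId"]}) != 1:
            problems.append(f"{label}: ProductArn is not this account's default ARN")
        try:
            created = datetime.strptime(finding["CreatedAt"], TS_FORMAT)
            updated = datetime.strptime(finding["UpdatedAt"], TS_FORMAT)
            if updated < created:
                problems.append(f"{label}: UpdatedAt is earlier than CreatedAt")
        except ValueError:
            problems.append(f"{label}: timestamp is not in {TS_FORMAT} form")
        if finding["Id"] in seen:  # only the first copy would be processed
            problems.append(f"{label}: duplicate Id {finding['Id']}")
        seen.add(finding["Id"])
    return problems

def send(findings, client=None):
    """Validate, then call BatchImportFindings (needs boto3 and credentials)."""
    problems = check_batch(findings)
    if problems:
        raise ValueError("; ".join(problems))
    if client is None:
        import boto3  # imported lazily so the checks above run offline
        client = boto3.client("securityhub")
    return client.batch_import_findings(Findings=findings)
```

Send an update in its own request rather than in the same batch as the original, because `check_batch` treats a repeated `Id` within one batch as a duplicate.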

## Example custom integrations
<a name="securityhub-custom-providers-examples"></a>

You can use the following example custom product integrations as a guide to create your own custom solutions:

**Sending findings from Chef InSpec scans to Security Hub CSPM**  
You can create a CloudFormation template that runs a [Chef InSpec](https://www.chef.io/products/chef-inspec/) compliance scan and then sends findings to Security Hub CSPM.  
For more details, see [Continuous compliance monitoring with Chef InSpec and AWS Security Hub CSPM](https://aws.amazon.com/blogs/security/continuous-compliance-monitoring-with-chef-inspec-and-aws-security-hub/).

**Sending container vulnerabilities detected by Trivy to Security Hub CSPM**  
You can create a CloudFormation template that uses [AquaSecurity Trivy](https://github.com/aquasecurity/trivy) to scan containers for vulnerabilities, and then sends those vulnerability findings to Security Hub CSPM.  
For more details, see [How to build a CI/CD pipeline for container vulnerability scanning with Trivy and AWS Security Hub CSPM](https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/).