Integrating AWS Security Hub in ServiceNow - AWS Service Management Connector

Integrating AWS Security Hub in ServiceNow

AWS Security Hub enables users to view security Findings from AWS services such as Amazon GuardDuty and Amazon Inspector, as well as from AWS Partner solutions.

If you use both AWS Security Hub and ServiceNow ITSM, the AWS Service Management Connector for ServiceNow allows you to create an automated, bidirectional integration between Security Hub and ServiceNow ITSM. This two-way integration synchronizes your Security Hub findings and ServiceNow tickets.

Specifically, as a ServiceNow administrator, you can use this integration to automatically create ServiceNow incident or problem tickets from AWS Security Hub findings. When you update those tickets in ServiceNow, the changes are automatically replicated back to the original Security Hub findings. For example, when you resolve the ticket in ServiceNow, the workflow status of the Security Hub finding also changes to RESOLVED. This action ensures that Security Hub always has up-to-date information about your security posture.

View the following video, AWS Security Hub - Bidirectional integration with ServiceNow ITSM, for an overview of the AWS Security Hub integration with the Connector for ServiceNow.

Configuring AWS Security Hub in ServiceNow

This section describes how to configure the AWS resources that the Security Hub integration in ServiceNow requires.

To configure AWS Security Hub integration features
  1. Enable AWS Security Hub. For more information, see Setting up AWS Security Hub with the Console.

  2. Set up an SQS queue to receive updated Findings. Name the queue, AwsServiceManagementConnectorForSecurityHubQueue, to align with the default name in the ServiceNow System Properties for the AWS Security Hub integration. For more information, see Getting started with Amazon SQS.

  3. Set up an Amazon EventBridge rule to detect changes to Findings and push these to the queue. For more information, see Getting started with Amazon EventBridge.

    The rule should use this event pattern and target the SQS queue created in Step 2:

    "EventPattern": { "source": [ "aws.securityhub" ] }
  4. You can also customize this EventBridge rule (formerly a CloudWatch Events rule) to pull in only the Security Hub findings that have specific finding types, severity labels, workflow statuses, or compliance statuses. For details about how to filter the event pattern, see Configuring an EventBridge rule for automatically sent findings in the AWS Security Hub User Guide.
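The following is an added example (not code from the Connector or its CloudFormation templates) that puts steps 2 to 4 together offline: it builds the event pattern for the rule, both in the page's unfiltered form and narrowed by severity label and workflow status as step 4 describes; it builds the SQS access policy that lets EventBridge deliver to the queue, pinned to one rule with aws:SourceArn so no other rule can drop messages into the Connector's queue; and it runs a small matcher implementing only the subset of EventBridge pattern semantics used here over constructed sample finding events, so you can see which findings the rule would forward before deploying it. The account ID, Region, rule name, and sample finding titles are assumptions; the queue name is the page's default.

```python
"""Event pattern, queue policy, and a local filter check for the
Security Hub -> EventBridge -> SQS path set up in steps 2 to 4."""
import json

# Constructed placeholders (not from the page): account, Region, rule name.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
QUEUE_NAME = "AwsServiceManagementConnectorForSecurityHubQueue"  # default name from the page
RULE_NAME = "SecurityHubFindingsToServiceNow"                      # assumed rule name
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE_NAME}"
RULE_ARN = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/{RULE_NAME}"


def event_pattern(severity_labels=(), workflow_statuses=()):
    """Return the EventBridge event pattern for the rule in step 3.

    With no filters this is exactly the page's pattern. With filters it
    narrows to the findings events Security Hub publishes (detail-type
    "Security Hub Findings - Imported") whose ASFF Severity.Label or
    Workflow.Status is in the given lists, as step 4 describes."""
    pattern = {"source": ["aws.securityhub"]}
    finding_filter = {}
    if severity_labels:
        finding_filter["Severity"] = {"Label": list(severity_labels)}
    if workflow_statuses:
        finding_filter["Workflow"] = {"Status": list(workflow_statuses)}
    if finding_filter:
        pattern["detail-type"] = ["Security Hub Findings - Imported"]
        pattern["detail"] = {"findings": finding_filter}
    return pattern


def queue_policy():
    """SQS access policy that lets EventBridge deliver to the queue.

    The aws:SourceArn condition pins delivery to this one rule; without it,
    any EventBridge rule able to target the queue could deliver to it and
    feed fabricated findings into ServiceNow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSecurityHubRuleToSendMessage",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": QUEUE_ARN,
            "Condition": {"ArnEquals": {"aws:SourceArn": RULE_ARN}},
        }],
    }


def matches(pattern, event):
    """Minimal EventBridge matcher for the subset used above: a list at a
    leaf means 'value is one of these', nested dicts descend, and an array
    in the event matches if any element matches (how detail.findings works)."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return event in pattern
    if not isinstance(event, dict):
        return False
    return all(key in event and matches(sub, event[key])
               for key, sub in pattern.items())


def sample_event(title, label, status):
    """Constructed event in the shape Security Hub publishes (one ASFF finding)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Title": title,
            "Severity": {"Label": label},
            "Workflow": {"Status": status},
        }]},
    }


# Constructed sample findings; titles are illustrative only.
SAMPLE_EVENTS = [
    sample_event("Root account MFA not enabled", "CRITICAL", "NEW"),
    sample_event("S3 bucket server access logging disabled", "LOW", "NEW"),
    sample_event("Security group allows 0.0.0.0/0 on port 22", "HIGH", "RESOLVED"),
]


def matching_titles(pattern, events=SAMPLE_EVENTS):
    """Titles of the sample events the rule would forward to the queue."""
    return [e["detail"]["findings"][0]["Title"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    narrowed = event_pattern(severity_labels=("CRITICAL", "HIGH"), workflow_statuses=("NEW",))
    print(json.dumps(narrowed, indent=2))
    print("forwarded:", matching_titles(narrowed))
    print(json.dumps(queue_policy(), indent=2))
```

The narrowed pattern is what you would pass as the rule's event pattern; the policy is what you would set as the queue's Policy attribute after creating the queue. Note that narrowing by workflow status to NEW means later status changes on the same finding are not forwarded, so the Connector's own status updates in ServiceNow would not be refreshed from Security Hub; filter on severity alone if you rely on the bidirectional sync.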

Note

You can use the AWS CloudFormation templates for the Connector for ServiceNow to automate the AWS Config custom resource and AWS Security Hub integration features. For more information, see Baseline Permissions.

Synchronizing AWS Security Hub to the Connector in ServiceNow

This section shows you how to synchronize AWS Security Hub to the Connector in ServiceNow.

To configure AWS Security Hub synchronization behavior to the Connector in ServiceNow
  1. In the ServiceNow filter navigator in the fulfiller (standard user interface) view, enter AWS Service Management Connector.

  2. Choose System Properties, then AWS Security Hub.

  3. Set these configuration items:

    • Choose which severity labels of AWS Security Hub Findings to sync into ServiceNow: CRITICAL, HIGH, MEDIUM, LOW, and INFORMATIONAL.

    • Choose the action the Connector takes when a new Finding syncs to ServiceNow:

      • Do Nothing. This action only imports the Security Findings into the scoped app. Users with scoped app permissions can view them and choose to create an Incident or Problem manually. Do Nothing is the default value in the Connector.

      • Create Incident. This action automatically creates Incidents from Security Findings and syncs updates in ServiceNow to AWS Security Hub.

      • Create Problem. This action automatically creates Problems from Security Findings and syncs updates in ServiceNow to AWS Security Hub.

      • Create Incident and Problem. This action automatically creates Incidents and Problems from Security Findings and syncs updates in ServiceNow to AWS Security Hub.

    • Adjust the maximum number of messages to fetch from the SQS queue per sync, for each account and Region (default 50). By default, the sync process runs every five minutes.

    • Change the SQS queue name if you are not using the default name created by the Connector's CloudFormation template.

      Note

      We recommend you not change the SQS name in the ServiceNow scoped app (AwsServiceManagementConnectorForSecurityHubQueue) unless you change the SQS name in the AWS account.

  4. Choose Save after any changes.

    Fields synchronized from AWS Security Hub Findings to the AWS Security Hub Findings module of the ServiceNow scoped app

Field                  Description
Region                 The Region that generated the Finding.
Account Id             The account that generated the Finding.
Company Name           The company that generated the Finding (for example, AWS).
Compliance             Whether a resource passes the configured compliance criteria. Contains a status (PASSED, WARNING, FAILED, NOT_AVAILABLE). If the resource does not pass, it also contains the reason.
Created At             The creation time of the Finding.
Description            A description of the Finding.
Criticality            The level of importance (0 to 100) of the resource associated with the Finding.
First Observed At      The first time the finding provider observed the potential security issue.
Last Observed At       The most recent time the finding provider observed the potential security issue.
Product Name           The name of the product that generated the Finding (such as Security Hub).
Product Arn            The ARN of the product that generated the Finding.
Record State           Either ACTIVE or ARCHIVED.
Severity (normalized)  A value from 0 to 100 that indicates the severity of the problem associated with the Finding.
Status                 PASSED, WARNING, FAILED, or NOT_AVAILABLE.
Title                  The title of the Finding.
Updated At             When the finding provider last updated the record.
Workflow Status        NEW, ASSIGNED, IN PROGRESS, RESOLVED, DEFERRED, or DUPLICATE.
Remediation Text       A description of the suggested action to resolve the discovered issue.
Remediation Url        A link to a resource that can help resolve the discovered issue.
Note

ServiceNow does not duplicate findings. If a Security Hub finding with the same finding ID as one already synced is sent to ServiceNow again, the Connector updates the existing record with the most recent information in the finding.

Validating AWS Security Hub integration in ServiceNow

This section describes how to validate AWS Security Hub integration in ServiceNow.

To view Findings from AWS Security Hub

To view AWS Security Hub Findings, you must have the role x_126749_aws_sc.finding_manager from the Connector scoped app.

  1. Log in to your ServiceNow instance as a user (for example, System Administrator) in the fulfiller view (standard user interface view).

  2. In the navigator, enter AWS Service Management.

  3. Choose AWS Security Hub.

  4. Choose Findings to show a list of all synced Findings.

  5. Choose a Finding to open the record.

  6. The Incident and Problem fields show the Incident and Problem related to the Finding if these exist.

  7. Choose the ⓘ symbol to the right of the field to preview the Incident or Problem.

  8. Choose Open Record on the preview form to open the Incident or Problem.

  9. If the Connector does not automatically create a ServiceNow Incident or Problem when a new Finding syncs, choose the link at the bottom of the form to create one manually.

This table shows how fields map from Finding records in ServiceNow to ServiceNow Incident or Problem records.

Finding                                                             Incident            Problem
Created at                                                          Opened at           Opened at
Company Name                                                        Company             Company
Description                                                         Description         Description
Criticality                                                         Impact              Impact
Severity                                                            Urgency             Urgency
Hardcoded to "software"                                             Category            Category
Id (sys_id) of the cmdb_ci_service record named "AWS Security Hub"  Business service    Business service
Description                                                         Short description   Short description
Reference to the related Problem, if it exists                      problem_id          n/a

This table shows how fields synchronize between AWS Security Hub Findings and ServiceNow Incidents or Problems.

AWS Security Hub value    ServiceNow Incident    ServiceNow Problem
Severity Label            Urgency                Urgency
Criticality               Impact                 Impact

Fields synchronized between AWS Security Findings, Incidents, and Problems in ServiceNow

  • Finding severity label → Problem/Incident urgency

    • INFORMATIONAL or LOW → LOW

    • MEDIUM → MEDIUM

    • HIGH or CRITICAL → HIGH

  • Finding criticality → Problem/Incident impact

    • 0 - 29 → LOW

    • 30 - 69 → MEDIUM

    • 70 - 100 → HIGH

Fields synchronized from ServiceNow Findings back to AWS Security Hub

  • Severity (Label and Normalized)

  • WorkflowStatus
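The following is an added example (not the Connector's code) that works the two mappings above in both directions: the forward mapping from an ASFF finding to Incident fields using the page's severity label to urgency and criticality to impact thresholds and the hardcoded category and business service, the no-duplicates rule (a finding re-sent with the same Id updates the existing record), and the reverse direction as the body of a securityhub:BatchUpdateFindings request carrying the two fields the page syncs back, WorkflowStatus and Severity, with RESOLVED standing for a ticket resolved in ServiceNow. Assumptions not on the page: the sample finding and its identifiers are constructed, a missing ASFF Criticality is treated as 0, and business_service holds the CI name rather than its sys_id.

```python
"""Finding -> Incident/Problem field mapping, de-duplication by finding ID,
and the request that pushes a ticket outcome back to Security Hub."""

# Severity label -> urgency, as listed on the page.
URGENCY_BY_LABEL = {
    "INFORMATIONAL": "LOW", "LOW": "LOW",
    "MEDIUM": "MEDIUM",
    "HIGH": "HIGH", "CRITICAL": "HIGH",
}

# Values the Security Hub BatchUpdateFindings API accepts for Workflow.Status.
SECURITY_HUB_WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"}


def impact_from_criticality(criticality):
    """Page thresholds: 0-29 LOW, 30-69 MEDIUM, 70-100 HIGH.
    Assumption (not on the page): ASFF Criticality is optional, so a
    missing value is treated as 0, which lands in LOW."""
    value = 0 if criticality is None else int(criticality)
    if not 0 <= value <= 100:
        raise ValueError(f"Criticality out of range: {criticality}")
    if value < 30:
        return "LOW"
    if value < 70:
        return "MEDIUM"
    return "HIGH"


def incident_from_finding(finding, problem_sys_id=None):
    """Build the Incident fields from an ASFF finding per the mapping table.
    Keys are ServiceNow incident columns; business_service holds the CI
    name as a stand-in for the sys_id of the cmdb_ci_service record."""
    return {
        "opened_at": finding["CreatedAt"],
        "company": finding["CompanyName"],
        "description": finding["Description"],
        "short_description": finding["Description"],
        "impact": impact_from_criticality(finding.get("Criticality")),
        "urgency": URGENCY_BY_LABEL[finding["Severity"]["Label"]],
        "category": "software",
        "business_service": "AWS Security Hub",
        "problem_id": problem_sys_id,
    }


def upsert_finding(store, finding, problem_sys_id=None):
    """Model the page's no-duplicates rule: a finding re-sent with the same
    Id updates the existing record. Returns True if a new record was created."""
    record = incident_from_finding(finding, problem_sys_id)
    is_new = finding["Id"] not in store
    store[finding["Id"]] = record
    return is_new


def batch_update_findings_request(finding, workflow_status, severity=None):
    """Request body for securityhub:BatchUpdateFindings carrying the fields
    the page syncs back: WorkflowStatus and, optionally, Severity.
    A ticket resolved in ServiceNow corresponds to workflow_status="RESOLVED"."""
    if workflow_status not in SECURITY_HUB_WORKFLOW_STATUSES:
        raise ValueError(f"Security Hub does not accept workflow status {workflow_status!r}")
    request = {
        "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        "Workflow": {"Status": workflow_status},
    }
    if severity:
        request["Severity"] = {"Label": severity["Label"], "Normalized": severity["Normalized"]}
    return request


# Constructed ASFF-shaped sample finding; identifiers and timestamp are placeholders.
SAMPLE_FINDING = {
    "Id": "arn:aws:securityhub:us-east-1:111122223333:security-control/IAM.6/finding/00000000-0000-0000-0000-000000000000",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "CompanyName": "AWS",
    "CreatedAt": "2024-01-15T10:30:00.000Z",
    "Description": "Hardware MFA should be enabled for the root user",
    "Criticality": 80,
    "Severity": {"Label": "CRITICAL", "Normalized": 90},
    "Workflow": {"Status": "NEW"},
}


if __name__ == "__main__":
    tickets = {}
    print("new record:", upsert_finding(tickets, SAMPLE_FINDING))
    print("new record:", upsert_finding(tickets, SAMPLE_FINDING))  # same Id -> update, not duplicate
    print(tickets[SAMPLE_FINDING["Id"]])
    print(batch_update_findings_request(SAMPLE_FINDING, "RESOLVED", SAMPLE_FINDING["Severity"]))
```

Because impact comes only from Criticality, a finding with a CRITICAL label but no Criticality value lands with LOW impact; check the Criticality your finding providers actually populate before relying on impact to drive ServiceNow prioritization. The request builder rejects ServiceNow-style statuses such as IN PROGRESS because Security Hub's API only accepts its own four workflow values.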