• EnglishEspañol日本語한국어Português
  • Log inStart now

AWS security integration

You can import AWS Security Hub findings into New Relic to achieve a single, unified view of vulnerabilities. The process uses EventBridge to post findings from AWS Security reporting services via an AWS API Destination.

After completing these steps, you will see new vulnerabilities detected by AWS Security tools in your New Relic account in real time, and you'll be able to build out analytics dashboards and enable on newly detected issues.

You can also import AWS GuardDuty and Inspector findings and view them through custom dashboards or queries using NRDB.

Prerequisites

To send AWS security data to New Relic:

Create an API destination for ingest

Create API destination

  1. In your AWS UI navigate to EventBridge > Integrations > API destinations > Create API destination.

  2. Fill in the prompts.

  3. Construct your endpoint using the pattern below, and enter it into API destination endpoint:

    https://security-ingest-processor.service.newrelic.com/v1/security/webhooks/awssecurityhub?Api-Key=NEW_RELIC_LICENSE_KEY

    Important

    Use the EU endpoint if you're using an EU license key: https://security-ingest-processor.service.eu.newrelic.com/v1/security/webhooks/awssecurityhub?Api-Key=NEW_RELIC_LICENSE_KEY

  4. Select POST as the HTTP method.

  5. Select Create a new connection.

Create a new connection

  1. Fill in the fields in the new prompt.
  2. For Destination select Other.
  3. For Authorization type select API Key.
  4. For API Key Name type Api-Key and paste your New Relic as the value.

Create an EventBridge rule

Once you've created an API destination for ingest, create an Eventbridge rule to forward security-related events to an API destination for New Relic's ingest.

Define rule detail

  1. In your AWS UI navigate to EventBridge > Rules > Create Rule.
  2. Enter a name in the name field, such as SecurityEvent_NewRelicSIP_EventForwarder_Rule.
  3. Enter a description, such as Forwards Security Hub, GuardDuty, and Inspector events to the New Relic Security Ingest Processor (SIP).
  4. For event bus, select default.
  5. For rule type, select Rule with an event pattern.
  6. Select Next.

Build event pattern

  1. In the new pane select AWS events or EventBridge partner events as the event source.

  2. Optional: Choose any Security Hub sample event from the dropdown to test your rule against.

  3. For the event pattern, enter the select the custom patterns pane and input a pattern. For example the pattern below matches events from Security Hub, Guard Duty, and Inspector:

    {
    "detail-type": [
    {
    "prefix": "Security Hub"
    },
    {
    "prefix": "GuardDuty Finding"
    },
    {
    "prefix": "Inspector2"
    }
    ]
    }

Select the API destination as the rule target

  1. For Target types, select EventBridge API destination.
  2. For API destination, select Use an existing API destination.
  3. Using the dropdown, select the API destination you created in step 1.
  4. For execution role, select Create a new role for this specific resource.

Configure tags (Optional)

Configure your tags as needed.

Review and Create

Review all your selections and make any changes as necessary.

Review in NRDB

To review logs ingested via AWS Event Bridge, you can use the following NRQL query:

FROM Vulnerability SELECT * WHERE source LIKE 'AWS%' SINCE 3 MONTHS AGO

Note that GuardDuty and Inspector results will only show this way, while SecurityHub vulnerabilities will be visible in New Relic's Vulnerability Management (if available).

Copyright © 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.