You can import AWS Security Hub findings into New Relic to achieve a single, unified view of vulnerabilities. The process uses EventBridge to post findings from AWS Security reporting services via an AWS API Destination.
After completing these steps, you will see new vulnerabilities detected by AWS Security tools in your New Relic account in real time, and you'll be able to build analytics dashboards and set up alerts on newly detected issues.
You can also import AWS GuardDuty and Inspector findings and view them through custom dashboards or queries using NRDB.
Prerequisites
To send AWS security data to New Relic:
- Enable AWS Security Hub on your AWS account.
- Obtain a New Relic license key for the account you want to report data to.
Create an API destination for ingest
Create API destination
In your AWS UI navigate to EventBridge > Integrations > API destinations > Create API destination.
Fill in the prompts.
Construct your endpoint using the pattern below, and enter it into API destination endpoint:
https://security-ingest-processor.service.newrelic.com/v1/security/webhooks/awssecurityhub?Api-Key=NEW_RELIC_LICENSE_KEY
Important
Use the EU endpoint if you're using an EU license key:
https://security-ingest-processor.service.eu.newrelic.com/v1/security/webhooks/awssecurityhub?Api-Key=NEW_RELIC_LICENSE_KEY
Select POST as the HTTP method.
Select Create a new connection.
Create a new connection
- Fill in the fields in the new prompt.
- For Destination select Other.
- For Authorization type select API Key.
- For API Key Name, type Api-Key and paste your New Relic license key as the value.
Create an EventBridge rule
Once you've created an API destination for ingest, create an EventBridge rule that forwards security-related events to that API destination for New Relic's ingest.
Define rule detail
- In your AWS UI navigate to EventBridge > Rules > Create Rule.
- Enter a name in the name field, such as SecurityEvent_NewRelicSIP_EventForwarder_Rule.
- Enter a description, such as Forwards Security Hub, GuardDuty, and Inspector events to the New Relic Security Ingest Processor (SIP).
- For event bus, select default.
- For rule type, select Rule with an event pattern.
- Select Next.
Build event pattern
In the new pane select AWS events or EventBridge partner events as the event source.
Optional: Choose any Security Hub sample event from the dropdown to test your rule against.
For the event pattern, select the custom patterns pane and enter a pattern. For example, the pattern below matches events from Security Hub, GuardDuty, and Inspector:
{"detail-type": [{"prefix": "Security Hub"},{"prefix": "GuardDuty Finding"},{"prefix": "Inspector2"}]}
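To check this pattern offline before creating the rule, the following added example (not New Relic or AWS code) implements the two EventBridge matching rules the pattern relies on, an array of conditions is an OR and {"prefix": ...} matches a value by its leading characters, and runs constructed sample events through it; it also builds the US or EU endpoint described in the previous step. The sample events are constructed, with detail-type strings as these services emit them.

```python
import json

# The rule pattern exactly as given in this guide
PATTERN = json.loads(
    '{"detail-type": [{"prefix": "Security Hub"},'
    '{"prefix": "GuardDuty Finding"},{"prefix": "Inspector2"}]}'
)

# Constructed sample EventBridge envelopes (only the fields the rule inspects);
# the detail-type strings are the ones these AWS services emit.
SAMPLE_EVENTS = {
    "securityhub": {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported"},
    "guardduty": {"source": "aws.guardduty", "detail-type": "GuardDuty Finding"},
    "inspector": {"source": "aws.inspector2", "detail-type": "Inspector2 Finding"},
    "ec2": {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification"},
}

def _condition_matches(cond, value):
    """One EventBridge condition: an exact string, or the {"prefix": ...} operator."""
    if isinstance(cond, str):
        return cond == value
    if isinstance(cond, dict) and "prefix" in cond:
        return isinstance(value, str) and value.startswith(cond["prefix"])
    raise ValueError(f"unsupported pattern condition: {cond!r}")

def event_matches(pattern, event):
    """EventBridge semantics: every pattern field must be present in the event
    (AND across fields) and at least one of its listed conditions must match (OR)."""
    for field, conditions in pattern.items():
        if field not in event:
            return False
        if not any(_condition_matches(c, event[field]) for c in conditions):
            return False
    return True

def ingest_endpoint(license_key, eu=False):
    """Endpoint for the API destination; EU license keys use the EU host."""
    host = ("security-ingest-processor.service.eu.newrelic.com" if eu
            else "security-ingest-processor.service.newrelic.com")
    return f"https://{host}/v1/security/webhooks/awssecurityhub?Api-Key={license_key}"

def forwarded_sources(pattern=PATTERN, events=SAMPLE_EVENTS):
    """Names of the sample events this rule would forward to the API destination."""
    return sorted(name for name, ev in events.items() if event_matches(pattern, ev))

if __name__ == "__main__":
    print(forwarded_sources())  # ['guardduty', 'inspector', 'securityhub']
```

The EC2 state-change event is included to show that the rule drops unrelated detail-types, so only findings from the three security services reach the webhook.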
Select the API destination as the rule target
- For Target types, select EventBridge API destination.
- For API destination, select Use an existing API destination.
- Using the dropdown, select the API destination you created in step 1.
- For execution role, select Create a new role for this specific resource.
Configure tags (Optional)
Configure your tags as needed.
Review and Create
Review all your selections and make any changes as necessary.
Review in NRDB
To review findings ingested via AWS EventBridge, you can use the following NRQL query:
FROM Vulnerability SELECT * WHERE source LIKE 'AWS%' SINCE 3 MONTHS AGO
Note that GuardDuty and Inspector findings are visible only through this query, while Security Hub vulnerabilities also appear in New Relic's Vulnerability Management (if available).