YAWPS
Yet Another Workflow Parser for SecurityHub
"Screaming pepper" by Rum Bucolic Ape is licensed with CC BY-ND 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nd/2.0/
Purpose
Currently SecurityHub has a ChatBot integration thats a bit lacking. All of securityhub goes to chatbot, which means a singular flooding channel of alerts.
With cloud-custodians recent support for securityhub and organizations we have a good way to send all alerts for an entire org to slack. But that means every account goes to a single channel.
This repo is part of a multi-series talk/demo on how to intelligently route account messages to differing Slack channels.
In the scenario where a team owns an account it would be nice to let cloud-custodian generate meaningful securityhub notifications that go to specific team channels.
For this talk we will simply tag AWS accounts with 2 tags account_name (a human readable name) and slack_channel (a slack channel to direct those security hub notifications to).
A blog post and KubeCon talk will be coming soon with more information
Prerequisites
The only real pre-requisite here is a working multi-account SecurityHub
Configuration
| Environment Variable | Description |
|---|---|
SLACK_FALLBACK_CHANNEL |
Channel to fallback to if the slack_channel tag is not provided on the account |
SLACK_TOKEN |
the path in SSM to the slack token` |
SLACK_TOKEN_SSM_PATH |
if a SLACK_TOKEN is not found, this is where to grab it from the EC2 Param store |
LOGGING_LEVEL |
the logging level to use. Default is INFO |
ENABLE_FORK_COPY_SEVERITY |
Enable the ability to fork some messages to another channel by severity. Value can be True or False. Default is False |
FORK_COPY_SEVERITY_VALUE |
If ENABLE_FORK_COPY_SEVERITY is True, what severity level to fork by. Should be an integer between 0 and 100. Default is 90 |
ENABLE_FORK_ONLY_SEVERITY |
Enable the ability to fork some messages to only another channel by severity. Value can be True or False. Default is False |
FORK_ONLY_SEVERITY_VALUE |
If ENABLE_FORK_ONLY_SEVERITY is True, what severity level to fork by. Should be an integer between 0 and 100. Default is 100 |
Forking
There are a few use cases for forking.
In general (all defaults) YAWPS will only send to the channel found in the tag or the SLACK_FALLBACK_CHANNEL (because it's required).
This is great until you have rules that you want a second team (lets say security) to also see and follow up with.
Using ENABLE_FORK_COPY_SEVERITY and FORK_COPY_SEVERITY_VALUE lets you also send to that second slack channel. Lets say you set FORK_COPY_SEVERITY_VALUE to 90. This means that anything rated 90 will send to both.
Another use-case exists: not sending team specific alerts. Lets say that an alert is not actionable by the configured team, but is purely for security visibility (like failed IAM logins etc). You can use ENABLE_FORK_ONLY_SEVERITY set to, say 100, in this scenario so that custom rules can set severity to 100 and send it only to security and bypass the primary team. This is good for noise filtration and helping to keep things actionable by a singular source.
Deploy
ServerLess
TODO
Terraform
- Download this repository (or a released artifact)
- Run
make zipto produce a fully deployable s3 artifact - Deploy something similar to this terraform
Testing
$ poetry install
$ poetry run tox
8 Jul 16, 2022
102 Nov 16, 2022
6 Sep 07, 2022
4 Sep 05, 2022
1 Nov 11, 2021
4 Feb 11, 2022
23 Dec 16, 2022
10k Jan 01, 2023
1 Jun 28, 2022
893 Jan 02, 2023
2 May 15, 2022
95 Dec 13, 2022
7.2k Dec 30, 2022
369 Dec 30, 2022
3 Oct 03, 2022
1 Dec 26, 2021
1 Jan 27, 2022
2.7k Jan 03, 2023
1.2k Dec 31, 2022
2 Jan 06, 2022