Integrate with AWS Security Hub

You can generate alerts in Sophos Cloud Optix from findings from AWS security services.

Integrating findings from the services provided by AWS Security Hub into Sophos Cloud Optix makes it easier to manage security in your AWS environments.

You can generate and manage alerts from the following AWS security services:

  • Amazon Inspector
  • Amazon Macie
  • Amazon GuardDuty
  • Patch Manager (a capability of AWS Systems Manager)
  • AWS Firewall Manager
  • IAM Access Analyzer

You can choose which of these services can generate alerts in Sophos Cloud Optix. See Available AWS service integrations.

AWS Security Hub can also receive findings from the following:

  • third-party products that you enable in AWS
  • custom integrations that you set up in AWS
  • AWS Config rules

The Sophos Cloud Optix integration doesn't use these to generate alerts.

Setting up integration with AWS Security Hub

In your AWS management console you must first turn on AWS Security Hub and the AWS security services you want to use. You must have the StackSetAdministration and StackSetExecution roles to set up the integration.

The integration creates AWS Lambda functions in your AWS environment to send findings from AWS Security Hub to Sophos Cloud Optix.

The integration does this in two stages, as follows:

  1. It creates an IAM role using a CloudFormation template provided by Sophos.
  2. It creates AWS Lambda functions that use this IAM role, using CloudFormation StackSets provided by Sophos.

To set up the integration, in Sophos Cloud Optix go to Settings and click Integrations > AWS Security Hub

Follow the instructions to integrate AWS Security Hub with Sophos Cloud Optix.

Using AWS Security Hub integration with AWS Organizations

If you are using AWS Organizations, Sophos Cloud Optix can receive AWS Security Hub alerts.

You need to configure your sub-accounts to post AWS Security Hub alerts to their management account. You don't have to create stacks and stacksets in your sub-accounts.

Managing alerts from AWS Security Hub

Alerts from AWS Security Hub are generated in Sophos Cloud Optix after integration finishes. It may take up to an hour for setup to complete and for alerts to appear. Alerts aren't generated in Sophos Cloud Optix for findings created in AWS Security Hub before the integration finished.

In Sophos Cloud Optix, these alerts are labeled AWS Security Hub. You can filter them in Alerts using the Type column filter.

You can also configure Sophos Cloud Optix to send AWS Security Hub alerts by email and third-party integrations such as Jira, ServiceNow, Microsoft Teams, and Slack.

The summary for each AWS Security Hub alert in Sophos Cloud Optix includes the name of the AWS service that provided the finding, for example Amazon Macie. The information provided in these alerts, including severity, is provided by AWS and isn't controlled by Sophos.