SIEM Integration

AWS Security Hub Integration

Forward database audit events to AWS Security Hub as security findings, so database security sits alongside your other AWS infrastructure findings. Events are delivered in the AWS Security Finding Format (ASFF).

ASFF Format

Events formatted as AWS Security Finding Format for native Security Hub integration.

Custom Insights

Create custom insights to aggregate and analyze database security findings.

EventBridge Integration

Trigger automated responses via EventBridge rules and Lambda functions.

Configuration Reference

1. Connection Settings

Field | Type | Required | Default | Description
name | string | Yes | - | A unique name for this SIEM connection (e.g., "aws-securityhub-prod")
provider | select | Yes | aws-security-hub | SIEM provider; select "AWS Security Hub"
enabled | boolean | No | true | Enable or disable event forwarding
region | string | Yes | - | AWS region for Security Hub (e.g., "us-east-1")
access_key_id | string | No | - | AWS access key ID (or use an IAM role)
secret_access_key | password | No | - | AWS secret access key (or use an IAM role)
role_arn | string | No | - | IAM role ARN to assume (recommended for EC2/ECS)

2. Security Hub-Specific Settings

Field | Type | Required | Default | Description
product_arn | string | Yes | - | Security Hub product ARN for DB Audit findings
company_name | string | No | DBaudit | Company name in ASFF findings
product_name | string | No | Database Audit | Product name in ASFF findings
aws_account_id | string | Yes | - | AWS account ID for findings

3. Event Filtering

Field | Type | Required | Default | Description
event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings
severity_filter | multiselect | No | all | Filter by severity: critical, warning, info
database_filter | array | No | - | Limit to specific databases (empty = all databases)

4. Batching & Reliability

Field | Type | Required | Default | Description
batch_size | number | No | 100 | Number of events per batch (1-100 for Security Hub)
flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds)
retry_attempts | number | No | 3 | Number of retry attempts on failure

Setup Instructions

Step 1: Create IAM Policy and User

Create an IAM policy with Security Hub permissions and attach it to a user or role.

# Create IAM policy for DB Audit Security Hub integration.
# BatchImportFindings is what the forwarder needs to write findings;
# BatchUpdateFindings is required by the batch-update-findings command
# used in the queries section below; GetFindings allows read-back checks.
cat > dbaudit-securityhub-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:BatchImportFindings",
        "securityhub:BatchUpdateFindings",
        "securityhub:GetFindings",
        "securityhub:UpdateFindings"
      ],
      "Resource": "*"
    }
  ]
}
EOF

# Create the policy
aws iam create-policy \
    --policy-name DBauditSecurityHubPolicy \
    --policy-document file://dbaudit-securityhub-policy.json

# Create IAM user (or role) and attach policy (replace ACCOUNT_ID with your 12-digit account ID)
aws iam create-user --user-name dbaudit-securityhub
aws iam attach-user-policy \
    --user-name dbaudit-securityhub \
    --policy-arn arn:aws:iam::ACCOUNT_ID:policy/DBauditSecurityHubPolicy

# Create access keys (skip this when using an IAM role; see the tip below)
aws iam create-access-key --user-name dbaudit-securityhub

Tip: For DB Audit running on EC2 or ECS, use an IAM role (role_arn) instead of long-lived access keys; the role's temporary credentials are rotated automatically and nothing needs to be stored in the DB Audit configuration.

Step 2: Enable Security Hub

Enable Security Hub in your AWS account and register DB Audit as a product.

# Enable Security Hub and register DB Audit as a product.
# This is typically done once per AWS account and region.

# Enable Security Hub if not already enabled (must precede product registration)
aws securityhub enable-security-hub

# Verify Security Hub is enabled
aws securityhub describe-hub

# Option 1: Subscribe to the DB Audit product integration
aws securityhub enable-import-findings-for-product \
    --product-arn arn:aws:securityhub:us-east-1::product/dbaudit/database-audit

# Option 2: Send findings as a custom product (if not in the marketplace).
# No registration call is needed; the product ARN is the account's default:
# arn:aws:securityhub:REGION:ACCOUNT_ID:product/ACCOUNT_ID/default

Step 3: Test API Connection

Verify the IAM credentials can import findings to Security Hub.

# Test Security Hub API access
aws securityhub describe-hub

# Test batch import with a sample finding (replace ACCOUNT_ID with your 12-digit account ID)
aws securityhub batch-import-findings --findings '[
  {
    "SchemaVersion": "2018-10-08",
    "Id": "dbaudit/test/123",
    "ProductArn": "arn:aws:securityhub:us-east-1:ACCOUNT_ID:product/ACCOUNT_ID/default",
    "GeneratorId": "dbaudit-test",
    "AwsAccountId": "ACCOUNT_ID",
    "Types": ["Software and Configuration Checks"],
    "CreatedAt": "2024-01-15T10:30:45Z",
    "UpdatedAt": "2024-01-15T10:30:45Z",
    "Severity": {"Label": "LOW"},
    "Title": "Test Finding from DB Audit",
    "Description": "Test finding to verify integration",
    "Resources": [{"Type": "Other", "Id": "test-resource"}]
  }
]'

# Verify the finding was imported (FailedCount should be 0 in the import response)
aws securityhub get-findings --filters '{"Id": [{"Value": "dbaudit/test/123", "Comparison": "EQUALS"}]}'

Step 4: Configure in DB Audit

Add the AWS Security Hub integration in the DB Audit dashboard.

  1. Navigate to Integrations → SIEM in DB Audit
  2. Click Add SIEM Integration
  3. Select AWS Security Hub as the provider
  4. Enter your AWS region and credentials (or role ARN)
  5. Enter your AWS account ID and product ARN
  6. Select event types to forward
  7. Test the connection and save

Step 5: Create Custom Insights (Optional)

Create custom insights to aggregate and analyze DB Audit findings.

# Create Security Hub custom insights for DB Audit

# Insight: Top database users by finding count
aws securityhub create-insight \
    --name "DB Audit - Top Users by Findings" \
    --filters '{
      "ProductName": [{"Value": "Database Audit", "Comparison": "EQUALS"}],
      "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
    }' \
    --group-by-attribute "ProductFields.dbaudit/User"

# Insight: Findings by database
aws securityhub create-insight \
    --name "DB Audit - Findings by Database" \
    --filters '{
      "ProductName": [{"Value": "Database Audit", "Comparison": "EQUALS"}]
    }' \
    --group-by-attribute "ProductFields.dbaudit/Database"

# Insight: PII access events
aws securityhub create-insight \
    --name "DB Audit - PII Access Events" \
    --filters '{
      "ProductFields": [
        {"Key": "dbaudit/ContainsPII", "Value": "true", "Comparison": "EQUALS"}
      ]
    }' \
    --group-by-attribute "ProductFields.dbaudit/User"

Event Format (ASFF)

Events are formatted as AWS Security Finding Format (ASFF) for native Security Hub integration. DB Audit-specific attributes are carried in ProductFields under the dbaudit/ prefix, which is what the insight and query filters below match on.

{
  "SchemaVersion": "2018-10-08",
  "Id": "dbaudit/finding/12345-abcde",
  "ProductArn": "arn:aws:securityhub:us-east-1:123456789012:product/123456789012/default",
  "GeneratorId": "dbaudit-database-audit",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Database Activity Monitoring"
  ],
  "CreatedAt": "2024-01-15T10:30:45.123Z",
  "UpdatedAt": "2024-01-15T10:30:45.123Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 50
  },
  "Title": "Large Data Access Detected",
  "Description": "User app_user executed SELECT query returning 1500 rows from customers table containing PII data",
  "ProductFields": {
    "dbaudit/EventType": "audit_event",
    "dbaudit/Database": "production-postgres",
    "dbaudit/DatabaseType": "postgresql",
    "dbaudit/User": "app_user",
    "dbaudit/ClientIP": "10.0.1.50",
    "dbaudit/ActionType": "SELECT",
    "dbaudit/Table": "customers",
    "dbaudit/RowsAffected": "1500",
    "dbaudit/ContainsPII": "true"
  },
  "Resources": [
    {
      "Type": "Other",
      "Id": "arn:aws:rds:us-east-1:123456789012:db:production-postgres",
      "Details": {
        "Other": {
          "DatabaseName": "production-postgres",
          "TableName": "customers",
          "Schema": "public"
        }
      }
    }
  ],
  "RecordState": "ACTIVE",
  "Workflow": {
    "Status": "NEW"
  }
}
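
As an added illustration (not DB Audit's own code) of how the ASFF layout above and the batch_size / retry_attempts settings from the configuration reference fit together: event_to_asff builds a finding from an assumed DB Audit event dict, and import_in_batches pushes findings through a boto3-style securityhub client's batch_import_findings in chunks of at most 100, retrying only the entries Security Hub returns in FailedFindings. The event field names, the severity mapping and the finding Id scheme are assumptions of this example.

```python
import hashlib

# DB Audit severities (critical, warning, info) mapped to ASFF Severity.Label
# and Normalized score; the mapping itself is an assumption of this example.
SEVERITY_MAP = {"critical": ("CRITICAL", 90), "warning": ("MEDIUM", 50), "info": ("INFORMATIONAL", 0)}

def event_to_asff(event, product_arn, account_id):
    """Build one ASFF finding from a DB Audit event dict (constructed shape, not the product's schema)."""
    label, normalized = SEVERITY_MAP[event["severity"]]
    # Deterministic Id: re-importing the same event updates the finding instead of duplicating it.
    digest = hashlib.sha256(f"{event['database']}|{event['event_id']}".encode()).hexdigest()[:32]
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"dbaudit/finding/{digest}",
        "ProductArn": product_arn,
        "GeneratorId": "dbaudit-database-audit",
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Database Activity Monitoring"],
        "CreatedAt": event["timestamp"], "UpdatedAt": event["timestamp"],
        "Severity": {"Label": label, "Normalized": normalized},
        "Title": event["title"], "Description": event["description"],
        "ProductFields": {
            "dbaudit/EventType": event["event_type"], "dbaudit/Database": event["database"],
            "dbaudit/User": event["user"],
            "dbaudit/ContainsPII": "true" if event.get("contains_pii") else "false",
        },
        "Resources": [{"Type": "Other", "Id": event["resource_arn"]}],
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    }

def import_in_batches(client, findings, batch_size=100, retry_attempts=3):
    """Call BatchImportFindings in chunks of at most 100 (the Security Hub limit) and
    retry only the findings it reports in FailedFindings. Returns (imported, failed)."""
    batch_size = max(1, min(batch_size, 100))  # clamp a misconfigured batch_size
    imported, failed = 0, []
    for i in range(0, len(findings), batch_size):
        pending = findings[i:i + batch_size]
        for _ in range(retry_attempts + 1):
            resp = client.batch_import_findings(Findings=pending)  # boto3 securityhub client signature
            imported += resp.get("SuccessCount", 0)
            failed_ids = {f["Id"] for f in resp.get("FailedFindings", [])}
            pending = [f for f in pending if f["Id"] in failed_ids]
            if not pending:
                break
        failed.extend(pending)  # still failing after all retries; surface for alerting
    return imported, failed
```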

Sample Security Hub Queries

Use these AWS CLI commands to query DB Audit findings in Security Hub.

# AWS CLI queries for Security Hub findings

# Get all DB Audit findings
aws securityhub get-findings \
    --filters '{"ProductName": [{"Value": "Database Audit", "Comparison": "EQUALS"}]}'

# Get critical severity findings
aws securityhub get-findings \
    --filters '{
      "ProductName": [{"Value": "Database Audit", "Comparison": "EQUALS"}],
      "SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]
    }'

# Get findings for a specific database
aws securityhub get-findings \
    --filters '{
      "ProductFields": [
        {"Key": "dbaudit/Database", "Value": "production-postgres", "Comparison": "EQUALS"}
      ]
    }'

# Get findings with PII access
aws securityhub get-findings \
    --filters '{
      "ProductFields": [
        {"Key": "dbaudit/ContainsPII", "Value": "true", "Comparison": "EQUALS"}
      ]
    }'

# Update finding workflow status (replace finding-id and product-arn with the values from get-findings)
aws securityhub batch-update-findings \
    --finding-identifiers '[{"Id": "finding-id", "ProductArn": "product-arn"}]' \
    --workflow '{"Status": "RESOLVED"}'

Troubleshooting

Access denied (403)

Verify the IAM user/role has the securityhub:BatchImportFindings permission and that the policy is attached to the identity DB Audit actually authenticates as (the user whose access keys you configured, or the role named in role_arn).

Invalid product ARN

Ensure the product ARN format is correct. For custom integrations, use: arn:aws:securityhub:REGION:ACCOUNT_ID:product/ACCOUNT_ID/default

Findings not appearing

Check that Security Hub is enabled in the region configured in DB Audit (findings are region-scoped). Verify the finding SchemaVersion is "2018-10-08" and inspect the FailedFindings list in the import response for per-finding validation errors.

Rate limiting errors

Security Hub accepts at most 100 findings per BatchImportFindings call. Reduce batch_size, or raise flush_interval_seconds so batches are sent less frequently, if you see throttling errors.
