AWS Security Hub integration

IBM® QRadar® Cloud Visibility supports integration with Amazon AWS Security Hub. Offenses that are related to AWS log sources in QRadar can be sent to AWS Security Hub so that they can be viewed and analyzed, along with findings that are provided by other services such as Amazon GuardDuty.

The QRadar Cloud Visibility app transforms QRadar offenses into the Amazon Security Finding Format (ASFF) before they are submitted to AWS Security Hub.

QRadar offenses are categorized as TTPs (Tactics, Techniques, and Procedures) and Unusual Behaviors in the Types field of ASFF. For more information, see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-type-taxonomy.

The severity of the QRadar offense, which uses a scale of 0 - 10, is normalized to the ASFF range of 40 - 69, as suggested in the Security Hub guideline for "Threat detection and unusual behavior type findings" at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-attributes.
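The transformation described above, as an added example that is not the QRadar Cloud Visibility app's own code: a constructed QRadar offense is turned into an ASFF finding with the Types namespace and the 40 - 69 normalized severity band. The linear severity formula, the offense-category-to-Types mapping, and the sample offense are assumptions; only the ASFF field names and namespaces come from the specification.

```python
"""Added example (not IBM's code): map a QRadar offense to an ASFF finding."""
from datetime import datetime, timezone

# Top-level fields that an ASFF finding must carry before BatchImportFindings accepts it.
ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
                 "Types", "CreatedAt", "UpdatedAt", "Severity", "Title",
                 "Description", "Resources")

# Assumed mapping from a QRadar offense category to an ASFF Types entry.
# The namespaces (TTPs, Unusual Behaviors) are the ones the page names; the
# category picks after the slash are illustrative entries from the ASFF taxonomy.
OFFENSE_TYPE_MAP = {
    "Exploit": "TTPs/Initial Access",
    "Suspicious Activity": "Unusual Behaviors/User",
}

def normalize_severity(magnitude: float) -> int:
    """Map QRadar magnitude (0-10) onto ASFF Severity.Normalized 40-69.
    The page gives the target band but not the formula; a linear map is assumed."""
    if not 0 <= magnitude <= 10:
        raise ValueError(f"QRadar magnitude out of range: {magnitude}")
    return 40 + round(magnitude / 10 * 29)

def offense_to_asff(offense: dict, account_id: str, region: str) -> dict:
    """Build one ASFF finding dict; pass a list of these to
    boto3.client('securityhub').batch_import_findings(Findings=[...])."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Custom-integration ProductArn form used for findings a customer imports itself.
    product_arn = f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"qradar-offense-{offense['id']}",
        "ProductArn": product_arn,
        "GeneratorId": "qradar-cloud-visibility",
        "AwsAccountId": account_id,
        "Types": [OFFENSE_TYPE_MAP.get(offense["category"], "Unusual Behaviors/User")],
        "CreatedAt": offense["start_time"],
        "UpdatedAt": now,
        "Severity": {"Normalized": normalize_severity(offense["magnitude"])},
        "Title": offense["description"][:256],          # ASFF caps Title at 256 chars
        "Description": f"QRadar offense {offense['id']} ({offense['category']})",
        "Resources": [{"Type": "Other", "Id": offense["source_ip"]}],
    }

def missing_required(finding: dict) -> list:
    """Return the required ASFF keys absent from a finding (empty list when complete)."""
    return [k for k in ASFF_REQUIRED if k not in finding]

# Constructed sample offense (not real QRadar output).
SAMPLE_OFFENSE = {"id": 1042, "category": "Exploit", "magnitude": 7,
                  "description": "Exploit followed by suspicious login",
                  "start_time": "2024-01-15T08:30:00Z", "source_ip": "203.0.113.7"}
```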

Complete the following workflow to enable the integration:
  1. Enable the AWS Security Hub on the Amazon console and configure QRadar Cloud Visibility. See Integrating with AWS Security Hub.
  2. Send offenses to AWS Security Hub. See Sending offenses to AWS Security Hub.