🚀 How to Upload AWS Findings to Sentinel (Security Hub)

Project (example): AWS Compliance Products (Pilot Test), covering:

  • ProductA

  • ProductB


🔄 Automation Flow

Step 1: Maintain Account-to-Product Mapping

  • Create and store a mapping of AWS accounts to products.

    • Example:

      • Account A → ProductA

      • Account B → ProductB

  • Store this mapping in a central source of truth (e.g., SnipeIT, Confluence, CMDB).

  • Purpose: ensures each AWS account’s findings are categorized to the right product.


Step 2: Collect Findings into a Central S3 Bucket

  • Use a special AWS Management Account to pull findings from all AWS accounts.

  • Findings are gathered via AWS Lambda (scheduled run).

  • Store results in an S3 bucket, organized by product (Datalake / ITS).


Step 3: Merge & Format Findings for Sentinel

  • Consolidate findings into one CSV per product.

  • The CSV must follow Sentinel’s required schema (default AWS plugin):

Id,ProductName,Remediation,Remediation_URL,Compliance,WorkflowStatus,RecordState,ProcessedAt,Title,severity,Status,Region,Account_id,Description,Resource_id,Resource_tags

⚠️ Important:

  • Headers must match exactly — if not, Sentinel will reject the upload.


Step 4: Push Findings to Sentinel (via API)

Requirements:

  • API Base URL

  • API Key (for authentication)

  • Plugin Name

  • Correct Product ID (e.g., 1fbfe77b-ed4b-4028-b6aa-029ed4f35116)

Process:

  1. Use Python, Lambda, or another automation script to:

    • Authenticate with Sentinel API using the API key.

    • Call the upload endpoint with the Product ID and Plugin Name.

    • Upload the CSV file (merged findings).

  2. Validate the API response to confirm successful ingestion.

⚠️ Caution:

  • Using the wrong Product ID will place findings under the wrong product in Sentinel.


Step 5: Access Reports in Sentinel

  • Log in to Sentinel Portal → Product View.

  • Uploaded findings are:

    • Searchable

    • Filterable

    • Trackable for remediation
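Steps 1 to 3 as an added worked example (not the project's own code): a constructed account-to-product mapping, Security Hub findings flattened into rows under the exact header above, one CSV per product, and a header check to run on any file before Step 4 uploads it. The mapping of ASFF fields onto the Sentinel columns (ProductName from the account mapping, Compliance from RelatedRequirements, Status from Compliance.Status) and the sample findings are assumptions; in production the mapping is read from SnipeIT / Confluence / CMDB rather than hard-coded.

```python
import csv
import io
# Header quoted on the page; Sentinel rejects a file whose header differs from it.
SENTINEL_HEADER = ("Id,ProductName,Remediation,Remediation_URL,Compliance,WorkflowStatus,RecordState,"
                   "ProcessedAt,Title,severity,Status,Region,Account_id,Description,Resource_id,Resource_tags").split(",")
ACCOUNT_TO_PRODUCT = {"111111111111": "ProductA", "222222222222": "ProductB"}  # Step 1 mapping (constructed)
SAMPLE_FINDINGS = [  # constructed ASFF-style findings, not real data
    {"Id": "f-001", "AwsAccountId": "111111111111", "Region": "eu-west-1", "Title": "S3 bucket is public",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED", "RelatedRequirements": ["CIS 2.1.5"]},
     "Resources": [{"Id": "arn:aws:s3:::example-bucket", "Tags": {"owner": "team-a", "env": "prod"}}]},
    {"Id": "f-002", "AwsAccountId": "222222222222", "Region": "us-east-1", "Title": "Root MFA disabled",
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE"},
]

def to_row(finding, account_map):
    """Flatten one Security Hub ASFF finding into a Sentinel row (column mapping is assumed)."""
    acct = finding["AwsAccountId"]
    if acct not in account_map:  # fail loudly rather than file the finding under the wrong product
        raise KeyError(f"account {acct} is not in the account-to-product mapping")
    res = (finding.get("Resources") or [{}])[0]
    rec = finding.get("Remediation", {}).get("Recommendation", {})
    comp = finding.get("Compliance", {})
    return {
        "Id": finding["Id"], "ProductName": account_map[acct], "Account_id": acct,
        "Remediation": rec.get("Text", ""), "Remediation_URL": rec.get("Url", ""),
        "Compliance": ";".join(comp.get("RelatedRequirements", [])), "Status": comp.get("Status", ""),
        "WorkflowStatus": finding.get("Workflow", {}).get("Status", ""), "Region": finding.get("Region", ""),
        "RecordState": finding.get("RecordState", ""), "ProcessedAt": finding.get("ProcessedAt", ""),
        "Title": finding.get("Title", ""), "severity": finding.get("Severity", {}).get("Label", ""),
        "Description": finding.get("Description", ""), "Resource_id": res.get("Id", ""),
        "Resource_tags": ";".join(f"{k}={v}" for k, v in sorted(res.get("Tags", {}).items())),
    }

def merge_by_product(findings, account_map=ACCOUNT_TO_PRODUCT):
    """Step 3: return {product: csv_text}, one CSV per product, each under the exact header."""
    grouped = {}
    for row in (to_row(f, account_map) for f in findings):
        grouped.setdefault(row["ProductName"], []).append(row)
    out = {}
    for product, rows in grouped.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=SENTINEL_HEADER, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        out[product] = buf.getvalue()
    return out

def header_matches(csv_text):
    """Pre-upload gate: the first line must equal SENTINEL_HEADER exactly (order and case)."""
    return next(csv.reader(io.StringIO(csv_text))) == SENTINEL_HEADER
```

Each value of merge_by_product is the file body to send in Step 4 for that product; run header_matches on any CSV assembled elsewhere before calling the upload endpoint.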


✅ Final Flow Recap

  1. Store account mapping → SnipeIT / Confluence

  2. Extract findings → Lambda → S3 (grouped by product)

  3. Merge findings → Sentinel CSV format

  4. Push findings → Sentinel API (Product ID + API key)

  5. Access findings → Sentinel Portal
