DisruptOps Security Hub Support

DisruptOps is excited to announce our integration with AWS Security Hub. As an official Security Hub partner, we can extend our capabilities into Amazon’s native centralized security console, while also extending the capabilities of Security Hub with an expanded set of assessments and customer actions.

This page describes our integration and will be updated over time as we continue to improve our capabilities and integrate with future Security Hub features.

Supported Capabilities

DisruptOps currently supports:

  • Sending issues into Security Hub as findings.
  • Creating exemptions for issues within Security Hub.
  • Taking a default action on supported issue types in Security Hub.

DisruptOps will also soon support creating issues based on Security Hub findings generated either by AWS or third-party integrations.

Getting Started

By default, DisruptOps will send our findings to Security Hub. Once you activate Security Hub in AWS, our findings will start appearing in the Security Hub console and be accessible via the Security Hub API. Here is how it works:

  • DisruptOps will send all issues for a given Account and Region to Security Hub in that Account/Region. These issues use the standard Security Hub findings format and will appear in the console once you turn on Security Hub and enable integration with DisruptOps.
  • To enable integration, log into your AWS account and region, enable Security Hub, click on Integrations, scroll to DisruptOps, and click “Enable Integration”.
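
Because the integration is enabled separately in each account and region, a gap is easy to miss. The following added example (not DisruptOps code) checks the product subscription ARNs that Security Hub's ListEnabledProductsForImport API returns for each account/region pair and reports where the integration is missing; the `disruptops` match string and the sample ARNs are assumptions constructed for illustration.

```python
"""Report account/region pairs where the DisruptOps integration is not enabled."""
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: substring identifying DisruptOps in a product-subscription ARN.
# Confirm the real value on the Security Hub Integrations page.
PRODUCT_MATCH = "disruptops"

Scope = Tuple[str, str]  # (account id, region)


def parse_subscription(arn: str) -> Optional[Tuple[str, str, str]]:
    """Parse arn:aws:securityhub:<region>:<account>:product-subscription/<company>/<product>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "securityhub":
        return None
    resource = parts[5].split("/")
    if len(resource) != 3 or resource[0] != "product-subscription":
        return None
    return parts[3], parts[4], f"{resource[1]}/{resource[2]}".lower()


def integration_gaps(inventory: Dict[Scope, Optional[List[str]]],
                     match: str = PRODUCT_MATCH) -> Dict[Scope, str]:
    """inventory maps (account, region) to the ProductSubscriptions list,
    or to None when Security Hub itself is not enabled in that scope."""
    gaps: Dict[Scope, str] = {}
    for (account, region), arns in sorted(inventory.items()):
        if arns is None:
            gaps[(account, region)] = "security-hub-disabled"
            continue
        enabled = False
        for arn in arns:
            parsed = parse_subscription(arn)
            # Count only a subscription that belongs to this exact account/region.
            if parsed and parsed[0] == region and parsed[1] == account and match in parsed[2]:
                enabled = True
        if not enabled:
            gaps[(account, region)] = "integration-not-enabled"
    return gaps


# Constructed sample data; account ids and ARNs are illustrative only.
SAMPLE = {
    ("111111111111", "us-east-1"): [
        "arn:aws:securityhub:us-east-1:111111111111:product-subscription/aws/guardduty",
        "arn:aws:securityhub:us-east-1:111111111111:product-subscription/disruptops-inc/disruptops",
    ],
    ("111111111111", "eu-west-1"): [
        "arn:aws:securityhub:eu-west-1:111111111111:product-subscription/aws/guardduty",
    ],
    ("222222222222", "us-east-1"): None,
}
```
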

This enables basic integration and sending our findings to Security Hub. The next option is to enable DisruptOps Custom Actions in Security Hub. This creates two actions in Security Hub (in each Region/Account where it is enabled):

  • Run DisruptOps Default Remediation: If supported and enabled, this will take the default DisruptOps Remediation action for that Issue Type. If a default remediation is not supported, no action will be taken. Security Hub does not allow us to customize actions based on the issue/finding type, so this action will always show in Security Hub, even if no action is supported.
  • Exempt with DisruptOps: This creates an exemption in DisruptOps for the given issue. This will, on the next Security Hub update, also clear the issue from Security Hub. This will not affect issues and findings not natively supported by DisruptOps, since other tools will not necessarily respect our exemptions.