Security Hub

Through the use and configuration of the Tenable.io to AWS Security Hub Transformer, Tenable.io can send vulnerabilities to AWS Security Hub. This tool consumes Tenable.io asset and vulnerability data, transforms that data into the AWS Security Hub Finding format, and then uploads the resulting data into AWS Security Hub.

Note: The script does not need to be run in AWS.

The tool can be run either as a one-shot docker container or as a command-line tool:

  • To run as a docker image, you must build the image and then pass the necessary secrets on to the container.

  • To run as a command-line tool, you must install the required python modules and then run the tool using either environment variables or by passing the required parameters as run-time parameters.

Requirements

  • Tenable.io account
  • Tenable.io AWS connector enabled and configured
  • AWS Security Hub
  • Tenable.io Provider enabled and configured in Security Hub

Installation

To build the Docker image, run the following script:

docker build -t tio2sechub:latest .

To install python requirements, run the following script:

pip install -r requirements.txt

Enable Script in Security Hub

To enable the script in Security Hub:

  1. Log in to Security Hub.
  2. If you have not yet enabled Security Hub, click Enable Security Hub.
  3. Navigate to Settings > Providers.
  4. In the Search box, type Tenable.
  5. Click Configure.

    Your account subscribes to accept events from the script.

Configuration

The following lists the command-line arguments as well as the equivalent environment variables:

usage: sechubingest.py [-h] [--tio-access-key TIO_ACCESS_KEY]

[--tio-secret-key TIO_SECRET_KEY]

[--batch-size BATCH_SIZE] [--aws-region AWS_REGION]

[--aws-account-id AWS_ACCOUNT_ID]

[--aws-access-id AWS_ACCESS_ID]

[--aws-secret-key AWS_SECRET_KEY]

[--log-level LOG_LEVEL] [--since OBSERVED_SINCE]

[--run-every RUN_EVERY]

 

optional arguments:

-h, --help show this help message and exit

--tio-access-key TIO_ACCESS_KEY

Tenable.io Access Key

--tio-secret-key TIO_SECRET_KEY

Tenable.io Secret Key

--batch-size BATCH_SIZE

Size of the batches to populate into Security Hub

--aws-region AWS_REGION

AWS region for Security Hub

--aws-account-id AWS_ACCOUNT_ID

AWS Account ID

--aws-access-id AWS_ACCESS_ID

AWS Access ID

--aws-secret-key AWS_SECRET_KEY

AWS Secret Key

--log-level LOG_LEVEL

Log level: available levels are debug, info, warn,

error, crit

--since OBSERVED_SINCE

The unix timestamp of the age threshold

--run-every RUN_EVERY

How many hours between recurring imports

To run the import once, run the following script:

./sechubingest.py \

--tio-access-key {TIO_ACCESS_KEY} \

--tio-secret-key {TIO_SECRET_KEY} \

--aws-region us-east-1 \

--aws-account-id {AWS_ACCOUNT_ID} \

--aws-access-id {AWS_ACCESS_ID} \

--aws-secret-key {AWS_SECRET_KEY} \

To run the import once an hour, run the following script:

./sechubingest.py \

--tio-access-key {TIO_ACCESS_KEY} \

--tio-secret-key {TIO_SECRET_KEY} \

--aws-region us-east-1 \

--aws-account-id {AWS_ACCOUNT_ID} \

--aws-access-id {AWS_ACCESS_ID} \

--aws-secret-key {AWS_SECRET_KEY} \

--run-every 1

To run the same import using environment vars, run the following script:

export TIO_ACCESS_KEY="{TIO_ACCESS_KEY}"

export TIO_SECRET_KEY="{TIO_SECRET_KEY}"

export AWS_REGION="us-east-1"

export AWS_ACCOUNT_ID="{AWS_ACCOUNT_ID}"

export AWS_ACCESS_ID="{AWS_ACCESS_ID}"

export AWS_SECRET_KEY="{AWS_SECRET_KEY}"

export RUN_EVERY=1

./sechubingest.py