Cloud giant Amazon Web Services (AWS) thinks it has the answer to alert fatigue in the form of automated actions.
The new capability, part of AWS Security Hub, aims to prevent potentially dangerous human errors from occurring during the manual sifting through of large numbers of security alerts, where the repetitive nature of the task could lead to analysts downplaying the significance of threats, so AWS argues.
Security alerts, or findings, from all other areas of AWS – as well as from over 65 AWS Partner Network (APN) solutions – are collated within the Security Hub. Automated actions for these findings have been possible to set up before, but involved having to use the Amazon EventBridge, AWS Lambda functions, an AWS Systems Manager Automation runbook, or an AWS Step Functions step.
New rules
The right IAM permissions were also required if these actions were to run across multiple accounts and regions, as well maintaining the Lambda function and EventBridge rule in order for the automation flow to continue running as expected.
Now, however, automated actions are possible out the gate, with the ability to set up rules to update various fields in findings automatically, such as changing their severity and workflow status, adding notes or suppressing them automatically.
AWS claims there is a lot of flexibility in how you can use these rules. For example, users can change the severity of an alert based on the Account ID, and add a note to the person investigating to give them additional information or instructions.
Such an automation rule can be set up via the AWS CLI, the console, the Security Hub API, or the AWS SDK for Python (Boto3). You can even set up multiple rules for the same findings, and assign the order in which Security Hub applies the automated actions. The rule with the highest value is applied last, and so has the ultimate effect on the field in question.
You can also change the severity depending on the resource tag. Another example scenario for using the new automation feature is to suppress a finding that is marked as informational by GuardDuty, which means that there is no threat and has only been flagged to provide information; so you may therefore wish to suppress further findings that are marked as informational.
Templates are also available from which to create new rules, and are updated regularly to reflect the typical use cases that are applicable to many customers. The template you choose can also be modified to suit your specific needs.
And if you operate in multiple regions, you can duplicate rules created in your central Security Hub to work with them.
The announcement came as part of AWS re:Inforce 2023 conference. Automation rules in Security Hub can be used now, and AWS is encouraging customers to post comments in repost or contact support for more information and assistance with the new feature.