AWS Security Hub

You can configure your Check Point Security Management Servers to send Threat Prevention events to the AWS Security Hub.

The AWS Security Hub service gives you a comprehensive view of your security alerts and security posture across your AWS accounts.

For more information, see the AWS Security Hub documentation.

Prerequisites

  • This feature is for Check Point Security Management Server version R80.30 with Jumbo Hotfix Accumulator 226 and higher.

  • CME installed on the Security Management Server with support for AWS Security Hub, see sk157492.

  • Supports only the Security Management Server (or Security Management Server High Availability) with Log Server. There is no support for Multi-Domain Security Management Servers or for a dedicated Log Server.

Note - To use the AWS Security Hub APIs, the Security Management Server must have outbound internet connectivity.

Subscribing to the Check Point CloudGuard Network in AWS Security Hub

  1. Enable Security Hub service in your AWS account and region.

  2. Click Integrations.

  3. Search for: "check point"

  4. Select "Check Point CloudGuard IaaS".

  5. Click Accept findings.

For Check Point Security Management Server to send security logs to the AWS Security Hub service, it is necessary to attach the appropriate permissions to the IAM role attached to the instance profile, or the IAM role of the user credentials.

  • For Security Management Server in AWS - If you want to use the IAM role profile of the management as credentials:

    In the IAM policy of the IAM role attached to the Security Management Server, add a statement to allow action securityhub:BatchImportFindings to any resource.

  • For On-Premises Security Management Server - Use the user's Access&Secret key as credentials:

    In the user's IAM policy, add a statement to allow action securityhub:BatchImportFindings to any resource.

Configuring the Check Point Security Management Server to Send Events to the AWS Security Hub

Use these steps to configure the Check Point Security Management Server to send findings to your AWS Security Hub account.

  1. Install the latest CME version. See Installing and Updating CME.

  2. Connect to the command line on the Security Management Server.

  3. Log in to the Expert mode.

  4. Launch the CME menu:

    cme_menu

  5. Select the Security Hub section:

    1. From the CME menu main page, select AWS.

    2. From the AWS Configuration tab, select Security Hub.

  6. Configure the Security Hub feature:

    1. Select Configure Security Hub.

    2. Enter the requested parameters:

      Parameter

      Example Value

      Description

      account-id

      123456789123

      A 12-digit number that uniquely identifies your AWS account.

      credentials

      IAM

      One of these:

      • IAM - to use the IAM role profile.

      • Path to a text file that contains the AWS credentials in this format:

        AWSAccessKeyId=<AWS-ACCESS-KEY>

        AWSSecretKey=<AWS-SECRET-KEY>

      region

      eu-west-1

      The region name to which you want to send security hub findings.

    3. Optional: Decide if to enable this feature immediately.

Enabling Security Hub on the Security Management Server

You can activate the Security Hub feature only after the configuration is complete.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Security Hub section:

    1. On the CME menu home page, select AWS.

    2. In the AWS Configuration tab, select Security Hub.

  5. Activate the Security Hub > select Enable Security Hub.

After the Security Hub is configured and enabled on the Security Management Server, it is possible to make sure that the status shows "Security Hub Service is currently enabled and sending logs to AWS". See Displaying the Security Hub Integration Status.

Disabling Security Hub on the Security Management Server

If you disable the feature, it stops the Security Management Server from sending logs to AWS Security Hub service.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Security Hub section:

    1. On the CME menu home page, select AWS.

    2. In the AWS Configuration tab, select Security Hub.

  5. Disable Security Hub > select Disable Security Hub.

Displaying the Security Hub Integration Status

You can see the status of Security Hub integration on the Security Management Server.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Security Hub section:

    1. On the CME menu home page, select AWS.

    2. In the AWS Configuration tab, select Security Hub.

  5. To display the Security Hub Status, select Security Hub Status.

Configuring Debug Mode

When Debug mode is activated, detailed logs of the Security Hub internal state are generated and saved to a file.

Note - The Debug mode is disabled by default.

  1. Connect to the command line on the Security Management Server.

  2. Log in to the Expert mode.

  3. Launch the CME menu:

    cme_menu

  4. Select the Security Hub section:

    1. On the CME menu home page, select AWS.

    2. In the AWS Configuration tab, select Security Hub.

  5. Select Configure Security Hub Debug Mode.

    • To activate debug mode, select Enable Security Hub debug mode.

    • To stop debug mode, select Disable Security Hub debug mode.

Additional Information about CloudGuard Network in Security Hub

Only logs from these Software Blades and features are sent to AWS Security Hub:

  • IPS

  • Anti-Bot

  • Anti-Virus

  • Threat Emulation

  • Threat Extraction

  • MTA

For more information about Finding, select the Finding ID and see ProductFields.

Notes:

  • GeneratorId represents the Security Management Server's host name.

  • CreatedAt time is concurrent to the host time.

  • To filter in AWS, use: Product name is "CloudGuard Network" to see all Check Point CloudGuard Network findings.

  • For Security Management Server High Availability:

    • The configuration is synched between the Active and Standby servers.

    • After failover, enable the Security Hub feature in the Active Security Management Server.

Accessing Security Hub Logs for Troubleshooting

These are the log files on the Management Server:

/var/log/CPcme/cme_log_reporter.log*

Log Exporter

As part of the configuration to send security events, the Log Exporter feature is used.

A new Log Exporter instance is added and monitored by the cpwd with the name: EXPORTER.CME_LOG_REPORTER

For more information about the Log Exporter, see sk122323.

Limitations

  • Multi-Domain Security Management Servers or dedicated Log Servers are not supported.

  • Only Active states are reported.

  • The feature does not work with manual modifications. Use the "cme_menu" command for all modifications.

  • AWS limitations:

    • The maximum allowed size for a Finding is 240 kilobytes.

      A Finding larger than 240 kilobytes is dropped.

    • The Findings are uploaded to AWS in bulks.

      A bulk is up to 100 Findings.

    • AWS limits the ProductFields to 50 elements only.

      To view the full log, use SmartConsole.

  • For CME limitations, see sk157492.

  • For Log Exporter limitations, see sk122323.