elastic · brijesh-elastic · Nov 11, 2025 · Nov 11, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -87,6 +87,7 @@
 /packages/aws_billing @elastic/obs-infraobs-integrations 
 /packages/aws_logs @elastic/obs-ds-hosted-services
 /packages/aws_mq @elastic/obs-infraobs-integrations
+/packages/aws_securityhub @elastic/security-service-integrations
 /packages/aws_vpcflow_otel @elastic/obs-infraobs-integrations
 /packages/awsfargate @elastic/obs-infraobs-integrations
 /packages/awsfirehose @elastic/obs-ds-hosted-services

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]
@@ -0,0 +1,108 @@
+# AWS Security Hub Integration for Elastic
+
+## Overview
+The AWS Security Hub integration with Elastic enables the collection of findings for monitoring and analysis. This valuable data can be leveraged within Elastic to analyze security signals from multiple sources, such as posture management, vulnerability management (Amazon Inspector), sensitive data identification (Amazon Macie), and threat detection (Amazon GuardDuty).
+
+This integration utilizes the AWS Security Hub API to collect Findings in the OCSF format.
+
+### Compatibility
+
+The AWS Security Hub integration uses the REST API. It uses the `GetFindingsV2` to collect findings in OCSF format.
+
+### How it works
+
+The **finding** data stream uses the `/findingsv2` endpoint to gather all findings starting from the configured initial interval. Subsequently, it fetches the recent findings available at each specified interval.
+
+## What data does this integration collect?
+
+The AWS Security Hub integration collects log messages of the following types:
+
+- `Finding`: Returns a list of findings in OCSF format. Refer to the [GetFindingsV2 API Reference](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingsV2.html).
+
+### Supported use cases
+Integrating AWS Security Hub with Elastic SIEM provides a comprehensive view of the security state of your AWS resources. Leveraging AWS Security Hub integration helps you analyze security trends to identify and prioritize security issues across your AWS environment.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+AWS Security Hub integration adds [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From AWS Security Hub
+
+Enable AWS Security Hub in your environment. For more detail, refer to the link [here](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html).
+
+#### Collecting data from AWS Security Hub API
+
+Users can authenticate using permanent security credentials, as well as temporary security credentials. They can also select `shared_credential_file`, `credential_profile_name` to retrieve credentials. Additionally, they can use `role_arn` to specify which AWS IAM role to assume for generating temporary credentials. An `external_id` can also be provided when assuming a role in another account.
+
+The credentials must have permission to perform the **securityhub:GetFindings** action.
+
+## How do I deploy this integration?
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) 
+
+### Onboard / configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **AWS Security Hub**.
+3. Select the **AWS Security Hub** integration from the search results.
+4. Select **Add AWS Security Hubs** to add the integration.
+5. Enable and configure **Collect AWS Security Hub logs via API**:
+
+    - Configure AWS Authentication parameters and set the **AWS Region** and **Top Level Domain**. Adjust the integration configuration parameters as needed, including the **Initial Interval**, **Interval**, **Batch Size** etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Transforms healthy
+
+1. In the top search bar in Kibana, search for **Transforms**.
+2. Select the **Data / Transforms** from the search results.
+3. In the search bar, type **aws_securityhub**.
+4. All transforms from the search results should indicate **Healthy** under the **Health** column.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Finding
+
+{{fields "finding"}}
+
+### Example event
+
+#### Finding
+
+{{/* {{event "finding"}} */}}
+
+### Inputs used
+
+These inputs are used in this integration:
+
+- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
+
+### API usage
+
+This integration dataset uses the following APIs:
+
+- `Finding`: [AWS Security Hub REST API](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingsV2.html).
@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+  aws_securityhub:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    hostname: securityhub.xxxx.amazonaws.com
+    ports:
+      - 443
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "443"
+    command:
+      - http-server
+      - --addr=:443
+      - --config=/files/config.yml
+      - --tls-cert=/files/certificate.crt
+      - --tls-key=/files/private.key
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYzCCAksCFHjpS63J08Qx8oUw5qhhPAt4b7XqMA0GCSqGSIb3DQEBCwUAMG4x
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxJzAlBgNVBAMMHnNlY3VyaXR5aHViLnh4eHgu
+YW1hem9uYXdzLmNvbTAeFw0yNTExMTAxNzA3MjdaFw0zNTExMDgxNzA3MjdaMG4x
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxJzAlBgNVBAMMHnNlY3VyaXR5aHViLnh4eHgu
+YW1hem9uYXdzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOGm
+MbmIurgsjJxtFWDDNa0T0h2bRtVCMC+KwdZpZVwp+K1oFxizkWbsbGFA0SJpMMMZ
+aHoSlYfbe7T8QgcJE40o5sVRrOyPNcNbh9THvjmFKE+9SFep083A2f6YBRXssTSA
+PMd/hXOdD87biWUnSbgsug0LFZHQcPDz3b6ktExzpEbdMIYSlyrtFass4OWduUzX
+W2aiP/jBI2O4ndjmTh78oeED6A10twoaz8fNQzaaAcp9KjB+RViBwgSFekp4sNUo
+BiEqLalI6o9ZcbpAIV/fH0SQZy9rEBhrD0xzlqOmM3Mv/xTFkwOgc6EEFA1Tx7nb
+Btm0afHgCy63XKKZT+0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAFJ+95GV4zx1k
+Ljofy3IwkhF5oW1NsYTQIYPvOhVdTsebP/pXj98Co5QK19CL4UwSNVZmL+egm560
+itIqS+Dh9d1JIdrU4JzMuWI7gqA2r2XdwRdbVfR8fKvt9MXoLE6OtrEgRIhQtgPG
+7+B5Jarsd85CUSnCk8/Xb1jL3AhMyTtThsUhOaRPInqnodagTz9MI/xFXru7X+mJ
+tc5b1/Qzo5s2c0v53VSKRl2dEY1hS0FQ6zpupf/nqxK7XjHqA0bthP7EAJj5dSVh
+/18+nnWLm0v8/xRjlJ9Z82QRJrJV96H8bWpAcT0Hk13pi+LcF3XgfYQJSR32z4tt
+hPpgCP6KcQ==
+-----END CERTIFICATE-----