Security Hub integration stopped working

Dan Williams
I'm New Here
May 12, 2025

My integration with Security Hub appears to have stopped working and is not creating alerts.

I can see in the logs that it is receiving them, but it doesn't appear to create any alerts.

I have received the "Subscription confirmed" alert and get them when publishing messages directly from the SNS topic, but not when using custom actions from Security Hub.

Here are the logs

```

[AmazonSecurityHub-Custom] Processed incomingData

2025/05/12 16:52:47.708

JSONRaw
{ "_incomingData": { "_parsedData": { "noteText": "null", "awsAccountId": "425876167853", "TopicArn": "arn:aws:sns:eu-west-2:000922654503:OpsgenieSHFindingTopic", "workflowStatus": "NEW", "severityProduct": "null", "description": "This control checks to see if Amazon EC2 instance uses multiple ENI/EFA. This control will pass if single network adapters is used.", "actionDescription": "DevOps", "title": "EC2 instances should not use multiple ENIs", "noteUpdatedAt": "null", "Source": "aws.securityhub", "detailType": "Security Hub Findings - Custom Action", "createdAt": "2025-05-12T15:50:39.264Z", "generatorId": "security-control/EC2.17", "noteUpdatedBy": "null", "productArn": "arn:aws:securityhub:eu-west-2::product/aws/securityhub", "delayIfDoesNotExists": "true", "id": "arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737", "relatedFindings": "null", "updatedAt": "2025-05-12T15:50:39.264Z", "severity": "LOW", "-findings": [ { "ProductArn": "arn:aws:securityhub:eu-west-2::product/aws/securityhub", "ProcessedAt": "2025-05-12T15:51:00.379Z", "Description": "This control checks to see if Amazon EC2 instance uses multiple ENI/EFA. 
This control will pass if single network adapters is used.", "ProductName": "Security Hub", "FirstObservedAt": "2025-05-12T15:50:25.958Z", "_Compliance": { "Status": "FAILED", "SecurityControlId": "EC2.17", "-RelatedRequirements": [ "NIST.800-53.r5 AC-4(21)" ], "-AssociatedStandards": [ { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" }, { "StandardsId": "standards/nist-800-53/v/5.0.0" } ] }, "CreatedAt": "2025-05-12T15:50:39.264Z", "LastObservedAt": "2025-05-12T15:50:25.958Z", "_Remediation": { "_Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.17/remediation" } }, "CompanyName": "AWS", "-Resources": [ { "Partition": "aws", "Type": "AwsEc2Instance", "_Details": { "_AwsEc2Instance": { "_Monitoring": { "State": "disabled" }, "VpcId": "vpc-08c696bb8fff24140", "VirtualizationType": "hvm", "ImageId": "ami-0f5dedbf89b7642b4", "SubnetId": "subnet-0079e926719c8ab79", "_MetadataOptions": { "HttpPutResponseHopLimit": "1", "HttpProtocolIpv6": "disabled", "HttpTokens": "required", "InstanceMetadataTags": "disabled", "HttpEndpoint": "enabled" }, "LaunchedAt": "2025-05-12T15:47:20.000Z", "-NetworkInterfaces": [ { "NetworkInterfaceId": "eni-08849cfa2aa2b157d" }, { "NetworkInterfaceId": "eni-0d79953ed2ce78762" } ], "IamInstanceProfileArn": "arn:aws:iam::425876167853:instance-profile/prod-blue-app-centre_13232958558963605362" } }, "Region": "eu-west-2", "_Tags": { "kubernetes.io/cluster/prod-blue-app-centre": "owned", "aws:ec2:fleet-id": "fleet-42bd7004-1f2d-6694-ac10-852242c53e0d", "karpenter.sh/discovery": "prod-blue-app-centre", "aws:eks:cluster-name": "prod-blue-app-centre", "karpenter.sh/nodepool": "nodepool", "Environment": "prod-blue-blue", "karpenter.k8s.aws/ec2nodeclass": "ec2nodeclass", "eks:eks-cluster-name": "prod-blue-app-centre", "aws:ec2launchtemplate:version": "1", "aws:ec2launchtemplate:id": 
"lt-02b247d2f87b52bc4", "karpenter.sh/nodeclaim": "nodepool-66qz8", "Name": "ip-10-2-73-116.eu-west-2.compute.internal" }, "Id": "arn:aws:ec2:eu-west-2:425876167853:instance/i-0200bcbfbdb1fdedc" } ], "_Severity": { "Normalized": "1", "Label": "LOW", "Original": "LOW" }, "_ProductFields": { "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "Resources:0/Id": "arn:aws:ec2:eu-west-2:425876167853:instance/i-0200bcbfbdb1fdedc", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "RelatedAWSResources:0/name": "securityhub-ec2-instance-multiple-eni-check-c7bbcc9d", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-2::product/aws/securityhub/arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737" }, "SchemaVersion": "2018-10-08", "_Workflow": { "Status": "NEW" }, "GeneratorId": "security-control/EC2.17", "RecordState": "ACTIVE", "Title": "EC2 instances should not use multiple ENIs", "UpdatedAt": "2025-05-12T15:50:39.264Z", "-Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "WorkflowState": "NEW", "_FindingProviderFields": { "_Severity": { "Normalized": "1", "Label": "LOW", "Original": "LOW" }, "-Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "AwsAccountId": "425876167853", "Region": "eu-west-2", "Id": "arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737" } ], "types": "[Software and Configuration Checks/Industry and Regulatory Standards]", "malware": "null", "schemaVersion": "2018-10-08", "alertSource": "com.opsgenie.client.model.dto.ActionSourceCustomDto@5e0977b2[domain=integration,sourceType=AmazonSecurityHub,sourceName=Custom,incomingDataId=ff2e010b-2a58-4597-ba58-cec7c6306339,sourceSubName=Create Alert,customSourceName=<null>,actorUserId=<null>]", "findingId": 
"arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737", "priority": "4", "Subject": "null", "Type": "Notification", "time": "2025-05-12T15:52:47Z", "region": "eu-west-2", "account": "000922654503", "actionName": "DevOps" }, "integrationType": "AmazonSecurityHub", "integrationName": "Custom", "integrationId": "30df31af-38f8-4b73-8fbb-1d8588acce7e", "incomingDataId": "ff2e010b-2a58-4597-ba58-cec7c6306339" }, "_result": { "alertAction": "create", "integrationName": "Custom", "integrationActionName": "Create Alert" } }
```
```

[AmazonSecurityHub-Custom] Started to execute action: Create Alert

2025/05/12 16:52:47.698

JSONRaw
{ "_incomingData": { "_parsedData": { "noteText": "null", "awsAccountId": "425876167853", "TopicArn": "arn:aws:sns:eu-west-2:000922654503:OpsgenieSHFindingTopic", "workflowStatus": "NEW", "severityProduct": "null", "description": "This control checks to see if Amazon EC2 instance uses multiple ENI/EFA. This control will pass if single network adapters is used.", "actionDescription": "DevOps", "title": "EC2 instances should not use multiple ENIs", "noteUpdatedAt": "null", "Source": "aws.securityhub", "detailType": "Security Hub Findings - Custom Action", "createdAt": "2025-05-12T15:50:39.264Z", "generatorId": "security-control/EC2.17", "noteUpdatedBy": "null", "productArn": "arn:aws:securityhub:eu-west-2::product/aws/securityhub", "delayIfDoesNotExists": "true", "id": "arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737", "relatedFindings": "null", "updatedAt": "2025-05-12T15:50:39.264Z", "severity": "LOW", "-findings": [ { "ProductArn": "arn:aws:securityhub:eu-west-2::product/aws/securityhub", "ProcessedAt": "2025-05-12T15:51:00.379Z", "Description": "This control checks to see if Amazon EC2 instance uses multiple ENI/EFA. 
This control will pass if single network adapters is used.", "ProductName": "Security Hub", "FirstObservedAt": "2025-05-12T15:50:25.958Z", "_Compliance": { "Status": "FAILED", "SecurityControlId": "EC2.17", "-RelatedRequirements": [ "NIST.800-53.r5 AC-4(21)" ], "-AssociatedStandards": [ { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0" }, { "StandardsId": "standards/nist-800-53/v/5.0.0" } ] }, "CreatedAt": "2025-05-12T15:50:39.264Z", "LastObservedAt": "2025-05-12T15:50:25.958Z", "_Remediation": { "_Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.17/remediation" } }, "CompanyName": "AWS", "-Resources": [ { "Partition": "aws", "Type": "AwsEc2Instance", "_Details": { "_AwsEc2Instance": { "_Monitoring": { "State": "disabled" }, "VpcId": "vpc-08c696bb8fff24140", "VirtualizationType": "hvm", "ImageId": "ami-0f5dedbf89b7642b4", "SubnetId": "subnet-0079e926719c8ab79", "_MetadataOptions": { "HttpPutResponseHopLimit": "1", "HttpProtocolIpv6": "disabled", "HttpTokens": "required", "InstanceMetadataTags": "disabled", "HttpEndpoint": "enabled" }, "LaunchedAt": "2025-05-12T15:47:20.000Z", "-NetworkInterfaces": [ { "NetworkInterfaceId": "eni-08849cfa2aa2b157d" }, { "NetworkInterfaceId": "eni-0d79953ed2ce78762" } ], "IamInstanceProfileArn": "arn:aws:iam::425876167853:instance-profile/prod-blue-app-centre_13232958558963605362" } }, "Region": "eu-west-2", "_Tags": { "kubernetes.io/cluster/prod-blue-app-centre": "owned", "aws:ec2:fleet-id": "fleet-42bd7004-1f2d-6694-ac10-852242c53e0d", "karpenter.sh/discovery": "prod-blue-app-centre", "aws:eks:cluster-name": "prod-blue-app-centre", "karpenter.sh/nodepool": "nodepool", "Environment": "prod-blue-blue", "karpenter.k8s.aws/ec2nodeclass": "ec2nodeclass", "eks:eks-cluster-name": "prod-blue-app-centre", "aws:ec2launchtemplate:version": "1", "aws:ec2launchtemplate:id": 
"lt-02b247d2f87b52bc4", "karpenter.sh/nodeclaim": "nodepool-66qz8", "Name": "ip-10-2-73-116.eu-west-2.compute.internal" }, "Id": "arn:aws:ec2:eu-west-2:425876167853:instance/i-0200bcbfbdb1fdedc" } ], "_Severity": { "Normalized": "1", "Label": "LOW", "Original": "LOW" }, "_ProductFields": { "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "Resources:0/Id": "arn:aws:ec2:eu-west-2:425876167853:instance/i-0200bcbfbdb1fdedc", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "RelatedAWSResources:0/name": "securityhub-ec2-instance-multiple-eni-check-c7bbcc9d", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-west-2::product/aws/securityhub/arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737" }, "SchemaVersion": "2018-10-08", "_Workflow": { "Status": "NEW" }, "GeneratorId": "security-control/EC2.17", "RecordState": "ACTIVE", "Title": "EC2 instances should not use multiple ENIs", "UpdatedAt": "2025-05-12T15:50:39.264Z", "-Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "WorkflowState": "NEW", "_FindingProviderFields": { "_Severity": { "Normalized": "1", "Label": "LOW", "Original": "LOW" }, "-Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "AwsAccountId": "425876167853", "Region": "eu-west-2", "Id": "arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737" } ], "types": "[Software and Configuration Checks/Industry and Regulatory Standards]", "malware": "null", "schemaVersion": "2018-10-08", "findingId": "arn:aws:securityhub:eu-west-2:425876167853:security-control/EC2.17/finding/8a2b3500-bff7-4f25-a141-29404e72c737", "priority": "4", "Subject": "null", "Type": "Notification", "time": "2025-05-12T15:52:47Z", "region": "eu-west-2", "account": "000922654503", "actionName": "DevOps" }, "integrationType": "AmazonSecurityHub", "integrationName": 
"Custom", "integrationId": "30df31af-38f8-4b73-8fbb-1d8588acce7e", "incomingDataId": "ff2e010b-2a58-4597-ba58-cec7c6306339" } }
```

1 answer

0 votes
Mubeen Mohammed
Atlassian Team
May 14, 2025

Hello @Dan Williams 

Thank you for contacting the Atlassian Community! This is Mubeen, I am here to help!

I can see the logs you shared confirm that the Security Hub integration is able to receive data to the Opsgenie instance. So this confirms this could be a simple issue with the alert being deduplicated.

After the section where you noticed the processing of incoming data, you can further verify the logs to check if the alert is being deduplicated. Alert deduplication occurs based on the Alias values included in the alert. You may also consider triggering a new alert after closing all existing open alerts generated through the Security Hub integration to rule out the possibility of deduplication.

I hope the details provided are helpful!

Regards

Mubeen Mohammed

Cloud Support Engineer

Dan Williams
I'm New Here
May 14, 2025

Thanks for the reply

I don't believe it's a deduplication issue, as the alert wasn't even created. I can't see anywhere in the logs to suggest it was created.

I gave up in the end with the Security Hub integration and tried it with an Amazon SNS integration instead, and it works fine with that. The only issue is that the message comes through as a JSON object and I wasn't able to parse it into meaningful properties.

One thing to note is that I created the integration using the Terraform provider, and when I tried to manually edit the incoming alert rule it complained about the region being missing. I tried to add it as a property but it wouldn't work.

I then set up a Jira Service Management trial as I'm aware OpsGenie is being retired and the Security Hub integration works perfectly fine, so I'll probably just stick with that once we fully migrate.

Mubeen Mohammed
Atlassian Team
May 14, 2025

Hello @Dan Williams 

Thank you for following up and providing additional details regarding your integration issue.

It's great to hear that your Amazon SNS integration is working, although I understand the challenge with parsing the JSON object into meaningful properties. Regarding the issue with the Security Hub integration created via the Terraform provider, it sounds like there might have been a configuration issue, especially since you mentioned an error related to the region when attempting to manually edit the incoming alert rule.

Given this, your plan to transition to Jira Service Management seems like a solid approach, especially since you confirmed that the Security Hub integration works seamlessly there. This migration might offer a more streamlined experience, considering Opsgenie's end of life.

If you need further technical assistance or would like to delve deeper into the integration setup, I recommend opening a support request with our team. You can reach out through our support portal here: Atlassian Support. This will allow us to look into your instance details more closely and provide you with tailored support.

I hope the details provided are helpful!

Regards

Mubeen Mohammed

Cloud Support Engineer
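The thread mentions two things that a small parser makes concrete: the SNS route delivers the finding as a JSON object that is hard to map to alert properties, and deduplication keys on the alert alias. The following is an added example, not code from either poster or from Atlassian. It assumes the standard SNS notification envelope (a `Message` string holding the Security Hub custom action event) and, as an assumption of this example, uses the finding `Id` as the alias. The function name and all sample values are constructed.

```python
import json

# Constructed sample: an SNS notification whose "Message" is a JSON *string*
# holding the EventBridge event for a Security Hub custom action.
# Account IDs and ARNs are placeholders, not values from the thread.
_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "region": "eu-west-2",
    "detail": {
        "actionName": "DevOps",
        "findings": [{
            "Id": "arn:aws:securityhub:eu-west-2:111111111111:"
                  "security-control/EC2.17/finding/EXAMPLE",
            "Title": "EC2 instances should not use multiple ENIs",
            "Severity": {"Label": "LOW"},
            "Workflow": {"Status": "NEW"},
            "Resources": [{"Id": "arn:aws:ec2:eu-west-2:111111111111:instance/i-EXAMPLE"}],
        }],
    },
}
SAMPLE_SNS = json.dumps({"Type": "Notification", "Message": json.dumps(_EVENT)})


def parse_sns_finding(raw):
    """Return one flat dict per finding; raise ValueError on unexpected input."""
    envelope = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(envelope, dict) or envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification")
    try:
        event = json.loads(envelope["Message"])  # second decode: Message is a string
    except (KeyError, TypeError, json.JSONDecodeError) as exc:
        raise ValueError("Message is not embedded JSON") from exc
    if not isinstance(event, dict) or event.get("source") != "aws.securityhub":
        raise ValueError("unexpected event source")
    detail = event.get("detail", {})
    return [{
        "alias": f["Id"],  # assumption: finding Id as alias, so repeats deduplicate
        "title": f.get("Title", ""),
        "severity": f.get("Severity", {}).get("Label", "UNKNOWN"),
        "workflow": f.get("Workflow", {}).get("Status", ""),
        "resources": [r.get("Id") for r in f.get("Resources", [])],
        "action": detail.get("actionName", ""),
        "region": event.get("region", ""),
    } for f in detail.get("findings", [])]
```

Because the alias is derived from the finding `Id`, re-sending the same finding yields the same alias, which is the condition under which an open alert would be deduplicated rather than created again.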

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD