cloud.aws.securityhub
Introduction
The tags beginning with cloud.aws.securityhub
identify events generated by AWS Security Hub.
Valid tags and data tables
The full tag must have four levels. The first three are fixed as cloud.aws.securityhub;
the fourth level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
AWS Security Hub |
|
|
For more information, see Devo tags.
Table structure
These are the fields displayed in this table:
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |
| | | |
hostname |
| | | |
version |
| | | |
id |
| | | |
detail_type |
| | | |
source |
| | | |
account |
| | | |
time |
| | | |
region |
| | | |
resources |
| | | |
detail_actionName |
| | | |
detail_actionDescription |
| | | |
finding_CompanyName |
| ifthenelse(isnull(finding_CompanyName_tmp), findings_CompanyName_str, finding_CompanyName_tmp) | finding_CompanyName_tmp findings_CompanyName_str | |
findings_FindingProviderFields_Severity_Label_str |
| join(findings_FindingProviderFields_Severity_Label, ',') | findings_FindingProviderFields_Severity_Label | |
finding_FindingProviderFields_Severity_Label |
| ifthenelse(isnull(finding_FindingProviderFields_Severity_Label_tmp), findings_FindingProviderFields_Severity_Label_str, finding_FindingProviderFields_Severity_Label_tmp) | finding_FindingProviderFields_Severity_Label_tmp findings_FindingProviderFields_Severity_Label_str | |
finding_FindingProviderFields_Severity_Normalized |
| findings_FindingProviderFields_Severity_Normalized_str finding_FindingProviderFields_Severity_Normalized_tmp | | |
finding_FindingProviderFields_Severity_Original |
| findings_FindingProviderFields_Severity_Original_str finding_FindingProviderFields_Severity_Original_tmp | | |
finding_FindingProviderFields_Severity_Product |
| findings_FindingProviderFields_Severity_Product | | |
findings_FindingProviderFields_Types_str |
| findings_FindingProviderFields_Types | | |
finding_FindingProviderFields_Types |
| finding_FindingProviderFields_Types_str findings_FindingProviderFields_Types_str finding_FindingProviderFields_Types_tmp | | |
findings_ProductFields_RelatedAWSResources_0_name_str |
| findings_ProductFields_RelatedAWSResources_0_name | | |
finding_ProductFields_RelatedAWSResources_0_name |
| findings_ProductFields_RelatedAWSResources_0_name_str finding_ProductFields_RelatedAWSResources_0_name_tmp | | |
findings_ProductFields_RelatedAWSResources_0_type_str |
| findings_ProductFields_RelatedAWSResources_0_type | | |
finding_ProductFields_RelatedAWSResources_0_type |
| findings_ProductFields_RelatedAWSResources_0_type_str finding_ProductFields_RelatedAWSResources_0_type_tmp | | |
finding_ProductFields_Resources_0_Id |
| finding_ProductFields_Resources_0_Id_tmp findings_ProductFields_Resources_0_Id_str | | |
finding_ProductFields_StandardsControlArn |
| findings_ProductFields_StandardsControlArn | | |
finding_Workflow_Status |
| finding_Workflow_Status_tmp findings_Workflow_Status_str | | |
finding_ProductName |
| finding_ProductName_tmp findings_ProductName_str | | |
finding_Region |
| findings_Region_str finding_Region_tmp | | |
finding_Severity_Label |
| finding_Severity_Label_tmp findings_Severity_Label_str | | |
finding_Severity_Original |
| findings_Severity_Original_str finding_Severity_Original_tmp | | |
finding_Resources_Partition |
| findings_Resources_Partition | | |
finding_Resources_Type |
| findings_Resources_Type | | |
finding_Resources_Details |
| findings_Resources_Details | | |
finding_Resources_Region |
| findings_Resources_Region | | |
finding_Resources_Id |
| findings_Resources_Id | | |
finding_Severity_Normalized |
| | | |
finding_Severity_Normalized_str |
| finding_Severity_Normalized findings_Severity_Normalized_tmp | | |
finding_Severity_Product |
| | | |
finding_Severity_Product_str |
| finding_Severity_Product findings_Severity_Product_tmp | | |
finding_RecordState |
| finding_RecordState_tmp findings_RecordState_str | | |
finding_Title |
| finding_Title_tmp findings_Title_str | | |
finding_Remediation_Recommendation_Url |
| finding_Remediation_Recommendation_Url_tmp findings_Remediation_Recommendation_Url_str | | |
finding_Types |
| findings_Types_str finding_Types_tmp | | |
finding_ProductFields_RecommendationUrl |
| findings_ProductFields_RecommendationUrl_str finding_ProductFields_RecommendationUrl_tmp | | |
finding_Id |
| finding_Id_tmp findings_Id_str | | |
finding_SchemaVersion |
| | | |
finding_SchemaVersion_str |
| findings_SchemaVersion_tmp finding_SchemaVersion | | |
finding_FirstObservedAt_str |
| findings_FirstObservedAt_tmp finding_FirstObservedAt_tmp | | |
finding_FirstObservedAt |
| findings_FirstObservedAt_timestamp finding_FirstObservedAt_tmp | | |
finding_Compliance_Status |
| findings_Compliance_Status_str finding_Compliance_Status_tmp | | |
finding_Description |
| findings_Description_str finding_Description_tmp | | |
finding_GeneratorId |
| findings_GeneratorId_str finding_GeneratorId_tmp | | |
finding_WorkflowState |
| finding_WorkflowState_tmp findings_WorkflowState_str | | |
finding_Remediation_Recommendation_Text |
| findings_Remediation_Recommendation_Text_str finding_Remediation_Recommendation_Text_tmp | | |
finding_ProductFields_aws_securityhub_CompanyName |
| finding_ProductFields_aws_securityhub_CompanyName_tmp findings_ProductFields_aws_securityhub_CompanyName_str | | |
finding_ProductArn |
| finding_ProductArn_tmp findings_ProductArn_str | | |
finding_LastObservedAt_str |
| finding_LastObservedAt_tmp findings_LastObservedAt_tmp | | |
finding_LastObservedAt |
| finding_LastObservedAt_tmp findings_LastObservedAt_timestamp | | |
finding_ProductFields_aws_securityhub_ProductName |
| finding_ProductFields_aws_securityhub_ProductName_tmp findings_ProductFields_aws_securityhub_ProductName_str | | |
finding_CreatedAt_str |
| finding_CreatedAt_tmp findings_CreatedAt_tmp | | |
finding_CreatedAt |
| finding_CreatedAt_tmp findings_CreatedAt_timestamp | | |
finding_AwsAccountId |
| findings_AwsAccountId_str finding_AwsAccountId_tmp | | |
finding_Resources |
| finding_Resources_tmp findings_Resources_str | | |
finding_UpdatedAt_str |
| findings_UpdatedAt_tmp finding_UpdatedAt_tmp | | |
finding_UpdatedAt |
| findings_UpdatedAt_timestamp finding_UpdatedAt_tmp | | |
finding_ProductFields_aws_securityhub_FindingId |
| finding_ProductFields_aws_securityhub_FindingId_tmp findings_ProductFields_aws_securityhub_FindingId_str | | |
finding_ProductFields_RuleId |
| findings_ProductFields_RuleId_str finding_ProductFields_RuleId_tmp | | |
finding_ProductFields_StandardsGuideArn |
| findings_ProductFields_StandardsGuideArn_str finding_ProductFields_StandardsGuideArn_tmp | | |
finding_ProductFields_StandardsGuideSubscriptionArn |
| finding_ProductFields_StandardsGuideSubscriptionArn_tmp findings_ProductFields_StandardsGuideSubscriptionArn_str | | |
finding_ProductFields_RecordState |
| | | |
finding_ProductFields_aws_securityhub_SeverityLabel |
| | | |
finding_ProductFields_rule_arn |
| | | |
finding_ProductFields_tags_0 |
| | | |
finding_ProductFields_tags_1 |
| | | |
finding_ProductFields_themes_0_theme |
| | | |
finding_ProductFields_themes_0_count |
| | | |
finding_ProductFields_dlpRisk_0_risk |
| | | |
finding_ProductFields_dlpRisk_0_count |
| | | |
finding_ProductFields_owner_0_name |
| | | |
finding_ProductFields_owner_0_count |
| | | |
finding_Confidence |
| | | |
hostchain |
|  |  | ✓ |
tag |
|  |  | ✓ |
rawMessage |
|  |  | ✓ |