
cloud.aws.securityhub

Introduction

The tags beginning with cloud.aws.securityhub identify events generated by AWS Security Hub.

Valid tags and data tables

The full tag must have four levels. The first three are fixed as cloud.aws.securityhub. The fourth level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

AWS Security Hub

cloud.aws.securityhub.findings

cloud.aws.securityhub.findings

For more information, see the documentation on Devo tags.

Table structure

These are the fields displayed in this table:

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

version

str

 

 

 

id

str

 

 

 

detail_type

str

 

 

 

source

str

 

 

 

account

str

 

 

 

time

timestamp

 

 

 

region

str

 

 

 

resources

str

 

 

 

detail_actionName

str

 

 

 

detail_actionDescription

str

 

 

 

finding_CompanyName

str

ifthenelse(isnull(finding_CompanyName_tmp), findings_CompanyName_str, finding_CompanyName_tmp)

finding_CompanyName_tmp

findings_CompanyName_str

 

findings_FindingProviderFields_Severity_Label_str

str

join(findings_FindingProviderFields_Severity_Label, ',')

findings_FindingProviderFields_Severity_Label

 

finding_FindingProviderFields_Severity_Label

str

ifthenelse(isnull(finding_FindingProviderFields_Severity_Label_tmp), findings_FindingProviderFields_Severity_Label_str, finding_FindingProviderFields_Severity_Label_tmp)

finding_FindingProviderFields_Severity_Label_tmp

findings_FindingProviderFields_Severity_Label_str

 

finding_FindingProviderFields_Severity_Normalized

str

findings_FindingProviderFields_Severity_Normalized_str

finding_FindingProviderFields_Severity_Normalized_tmp

 

finding_FindingProviderFields_Severity_Original

str

findings_FindingProviderFields_Severity_Original_str

finding_FindingProviderFields_Severity_Original_tmp

 

finding_FindingProviderFields_Severity_Product

str

findings_FindingProviderFields_Severity_Product

 

findings_FindingProviderFields_Types_str

str

findings_FindingProviderFields_Types

 

finding_FindingProviderFields_Types

str

finding_FindingProviderFields_Types_str

findings_FindingProviderFields_Types_str

finding_FindingProviderFields_Types_tmp

 

findings_ProductFields_RelatedAWSResources_0_name_str

str

findings_ProductFields_RelatedAWSResources_0_name

 

finding_ProductFields_RelatedAWSResources_0_name

str

findings_ProductFields_RelatedAWSResources_0_name_str

finding_ProductFields_RelatedAWSResources_0_name_tmp

 

findings_ProductFields_RelatedAWSResources_0_type_str

str

findings_ProductFields_RelatedAWSResources_0_type

 

finding_ProductFields_RelatedAWSResources_0_type

str

findings_ProductFields_RelatedAWSResources_0_type_str

finding_ProductFields_RelatedAWSResources_0_type_tmp

 

finding_ProductFields_Resources_0_Id

str

finding_ProductFields_Resources_0_Id_tmp

findings_ProductFields_Resources_0_Id_str

 

finding_ProductFields_StandardsControlArn

str

findings_ProductFields_StandardsControlArn

 

finding_Workflow_Status

str

finding_Workflow_Status_tmp

findings_Workflow_Status_str

 

finding_ProductName

str

finding_ProductName_tmp

findings_ProductName_str

 

finding_Region

str

findings_Region_str

finding_Region_tmp

 

finding_Severity_Label

str

finding_Severity_Label_tmp

findings_Severity_Label_str

 

finding_Severity_Original

str

findings_Severity_Original_str

finding_Severity_Original_tmp

 

finding_Resources_Partition

str

findings_Resources_Partition

 

finding_Resources_Type

str

findings_Resources_Type

 

finding_Resources_Details

str

findings_Resources_Details

 

finding_Resources_Region

str

findings_Resources_Region

 

finding_Resources_Id

str

findings_Resources_Id

 

finding_Severity_Normalized

int8

 

 

 

finding_Severity_Normalized_str

str

finding_Severity_Normalized

findings_Severity_Normalized_tmp

 

finding_Severity_Product

int8

 

 

 

finding_Severity_Product_str

str

finding_Severity_Product

findings_Severity_Product_tmp

 

finding_RecordState

str

finding_RecordState_tmp

findings_RecordState_str

 

finding_Title

str

finding_Title_tmp

findings_Title_str

 

finding_Remediation_Recommendation_Url

str

finding_Remediation_Recommendation_Url_tmp

findings_Remediation_Recommendation_Url_str

 

finding_Types

str

findings_Types_str

finding_Types_tmp

 

finding_ProductFields_RecommendationUrl

str

findings_ProductFields_RecommendationUrl_str

finding_ProductFields_RecommendationUrl_tmp

 

finding_Id

str

finding_Id_tmp

findings_Id_str

 

finding_SchemaVersion

timestamp

 

 

 

finding_SchemaVersion_str

str

findings_SchemaVersion_tmp

finding_SchemaVersion

 

finding_FirstObservedAt_str

str

findings_FirstObservedAt_tmp

finding_FirstObservedAt_tmp

 

finding_FirstObservedAt

timestamp

findings_FirstObservedAt_timestamp

finding_FirstObservedAt_tmp

 

finding_Compliance_Status

str

findings_Compliance_Status_str

finding_Compliance_Status_tmp

 

finding_Description

str

findings_Description_str

finding_Description_tmp

 

finding_GeneratorId

str

findings_GeneratorId_str

finding_GeneratorId_tmp

 

finding_WorkflowState

str

finding_WorkflowState_tmp

findings_WorkflowState_str

 

finding_Remediation_Recommendation_Text

str

findings_Remediation_Recommendation_Text_str

finding_Remediation_Recommendation_Text_tmp

 

finding_ProductFields_aws_securityhub_CompanyName

str

finding_ProductFields_aws_securityhub_CompanyName_tmp

findings_ProductFields_aws_securityhub_CompanyName_str

 

finding_ProductArn

str

finding_ProductArn_tmp

findings_ProductArn_str

 

finding_LastObservedAt_str

str

finding_LastObservedAt_tmp

findings_LastObservedAt_tmp

 

finding_LastObservedAt

timestamp

finding_LastObservedAt_tmp

findings_LastObservedAt_timestamp

 

finding_ProductFields_aws_securityhub_ProductName

str

finding_ProductFields_aws_securityhub_ProductName_tmp

findings_ProductFields_aws_securityhub_ProductName_str

 

finding_CreatedAt_str

str

finding_CreatedAt_tmp

findings_CreatedAt_tmp

 

finding_CreatedAt

timestamp

finding_CreatedAt_tmp

findings_CreatedAt_timestamp

 

finding_AwsAccountId

str

findings_AwsAccountId_str

finding_AwsAccountId_tmp

 

finding_Resources

str

finding_Resources_tmp

findings_Resources_str

 

finding_UpdatedAt_str

str

findings_UpdatedAt_tmp

finding_UpdatedAt_tmp

 

finding_UpdatedAt

timestamp

findings_UpdatedAt_timestamp

finding_UpdatedAt_tmp

 

finding_ProductFields_aws_securityhub_FindingId

str

finding_ProductFields_aws_securityhub_FindingId_tmp

findings_ProductFields_aws_securityhub_FindingId_str

 

finding_ProductFields_RuleId

str

findings_ProductFields_RuleId_str

finding_ProductFields_RuleId_tmp

 

finding_ProductFields_StandardsGuideArn

str

findings_ProductFields_StandardsGuideArn_str

finding_ProductFields_StandardsGuideArn_tmp

 

finding_ProductFields_StandardsGuideSubscriptionArn

str

finding_ProductFields_StandardsGuideSubscriptionArn_tmp

findings_ProductFields_StandardsGuideSubscriptionArn_str

 

finding_ProductFields_RecordState

str

 

 

 

finding_ProductFields_aws_securityhub_SeverityLabel

str

 

 

 

finding_ProductFields_rule_arn

str

 

 

 

finding_ProductFields_tags_0

str

 

 

 

finding_ProductFields_tags_1

str

 

 

 

finding_ProductFields_themes_0_theme

str

 

 

 

finding_ProductFields_themes_0_count

str

 

 

 

finding_ProductFields_dlpRisk_0_risk

str

 

 

 

finding_ProductFields_dlpRisk_0_count

str

 

 

 

finding_ProductFields_owner_0_name

str

 

 

 

finding_ProductFields_owner_0_count

str

 

 

 

finding_Confidence

int8

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓