cloud.aws.securityhub

Introduction

The tags beginning with cloud.aws.securityhub identify events generated by AWS Security Hub.

Valid tags and data tables

The full tag must have four levels. The first three are fixed as cloud.aws.securityhub. The fourth level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

AWS Security Hub

cloud.aws.securityhub.findings

cloud.aws.securityhub.findings

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

version

str

 

 

 

id

str

 

 

 

detail_type

str

 

 

 

source

str

 

 

 

account

str

 

 

 

time

timestamp

 

 

 

region

str

 

 

 

resources

str

 

 

 

detail_actionName

str

 

 

 

detail_actionDescription

str

 

 

 

finding_CompanyName

str

ifthenelse(isnull(finding_CompanyName_tmp), findings_CompanyName_str, finding_CompanyName_tmp)

finding_CompanyName_tmp

findings_CompanyName_str

 

findings_FindingProviderFields_Severity_Label_str

str

join(findings_FindingProviderFields_Severity_Label, ',')

findings_FindingProviderFields_Severity_Label

 

finding_FindingProviderFields_Severity_Label

str

ifthenelse(isnull(finding_FindingProviderFields_Severity_Label_tmp), findings_FindingProviderFields_Severity_Label_str, finding_FindingProviderFields_Severity_Label_tmp)

finding_FindingProviderFields_Severity_Label_tmp

findings_FindingProviderFields_Severity_Label_str

 

finding_FindingProviderFields_Severity_Normalized

str

ifthenelse(isnull(finding_FindingProviderFields_Severity_Normalized_tmp), findings_FindingProviderFields_Severity_Normalized_str, str(finding_FindingProviderFields_Severity_Normalized_tmp))

findings_FindingProviderFields_Severity_Normalized_str

finding_FindingProviderFields_Severity_Normalized_tmp

 

finding_FindingProviderFields_Severity_Original

str

ifthenelse(isnull(finding_FindingProviderFields_Severity_Original_tmp), findings_FindingProviderFields_Severity_Original_str, finding_FindingProviderFields_Severity_Original_tmp)

findings_FindingProviderFields_Severity_Original_str

finding_FindingProviderFields_Severity_Original_tmp

 

finding_FindingProviderFields_Severity_Product

str

replace(replace(stringify(json(findings_FindingProviderFields_Severity_Product)), '[', ''), ']', '')

findings_FindingProviderFields_Severity_Product

 

findings_FindingProviderFields_Types_str

str

join(findings_FindingProviderFields_Types, ',')

findings_FindingProviderFields_Types

 

finding_FindingProviderFields_Types

str

ifthenelse(isnull(finding_FindingProviderFields_Types_tmp), findings_FindingProviderFields_Types_str, finding_FindingProviderFields_Types_str)

finding_FindingProviderFields_Types_str

findings_FindingProviderFields_Types_str

finding_FindingProviderFields_Types_tmp

 

findings_ProductFields_RelatedAWSResources_0_name_str

str

join(findings_ProductFields_RelatedAWSResources_0_name, ',')

findings_ProductFields_RelatedAWSResources_0_name

 

finding_ProductFields_RelatedAWSResources_0_name

str

ifthenelse(isnull(finding_ProductFields_RelatedAWSResources_0_name_tmp), findings_ProductFields_RelatedAWSResources_0_name_str, finding_ProductFields_RelatedAWSResources_0_name_tmp)

findings_ProductFields_RelatedAWSResources_0_name_str

finding_ProductFields_RelatedAWSResources_0_name_tmp

 

findings_ProductFields_RelatedAWSResources_0_type_str

str

join(findings_ProductFields_RelatedAWSResources_0_type, ',')

findings_ProductFields_RelatedAWSResources_0_type

 

finding_ProductFields_RelatedAWSResources_0_type

str

ifthenelse(isnull(finding_ProductFields_RelatedAWSResources_0_type_tmp), findings_ProductFields_RelatedAWSResources_0_type_str, finding_ProductFields_RelatedAWSResources_0_type_tmp)

findings_ProductFields_RelatedAWSResources_0_type_str

finding_ProductFields_RelatedAWSResources_0_type_tmp

 

finding_ProductFields_Resources_0_Id

str

ifthenelse(isnull(finding_ProductFields_Resources_0_Id_tmp), findings_ProductFields_Resources_0_Id_str, finding_ProductFields_Resources_0_Id_tmp)

finding_ProductFields_Resources_0_Id_tmp

findings_ProductFields_Resources_0_Id_str

 

finding_ProductFields_StandardsControlArn

str

join(findings_ProductFields_StandardsControlArn, ',')

findings_ProductFields_StandardsControlArn

 

finding_Workflow_Status

str

ifthenelse(isnull(finding_Workflow_Status_tmp), findings_Workflow_Status_str, finding_Workflow_Status_tmp)

finding_Workflow_Status_tmp

findings_Workflow_Status_str

 

finding_ProductName

str

ifthenelse(isnull(finding_ProductName_tmp), findings_ProductName_str, finding_ProductName_tmp)

finding_ProductName_tmp

findings_ProductName_str

 

finding_Region

str

ifthenelse(isnull(finding_Region_tmp), findings_Region_str, finding_Region_tmp)

findings_Region_str

finding_Region_tmp

 

finding_Severity_Label

str

ifthenelse(isnull(finding_Severity_Label_tmp), findings_Severity_Label_str, finding_Severity_Label_tmp)

finding_Severity_Label_tmp

findings_Severity_Label_str

 

finding_Severity_Original

str

ifthenelse(isnull(finding_Severity_Original_tmp), findings_Severity_Original_str, finding_Severity_Original_tmp)

findings_Severity_Original_str

finding_Severity_Original_tmp

 

finding_Resources_Partition

str

join(findings_Resources_Partition, ',')

findings_Resources_Partition

 

finding_Resources_Type

str

join(findings_Resources_Type, ',')

findings_Resources_Type

 

finding_Resources_Details

str

join(findings_Resources_Details, ',')

findings_Resources_Details

 

finding_Resources_Region

str

join(findings_Resources_Region, ',')

findings_Resources_Region

 

finding_Resources_Id

str

join(findings_Resources_Id, ',')

findings_Resources_Id

 

finding_Severity_Normalized

int8

 

 

 

finding_Severity_Normalized_str

str

ifthenelse(isnull(finding_Severity_Normalized), findings_Severity_Normalized_tmp, finding_Severity_Normalized)

finding_Severity_Normalized

findings_Severity_Normalized_tmp

 

finding_Severity_Product

int8

 

 

 

finding_Severity_Product_str

str

ifthenelse(isnull(finding_Severity_Product), findings_Severity_Product_tmp, finding_Severity_Product)

finding_Severity_Product

findings_Severity_Product_tmp

 

finding_RecordState

str

ifthenelse(isnull(finding_RecordState_tmp), findings_RecordState_str, finding_RecordState_tmp)

finding_RecordState_tmp

findings_RecordState_str

 

finding_Title

str

ifthenelse(isnull(finding_Title_tmp), findings_Title_str, finding_Title_tmp)

finding_Title_tmp

findings_Title_str

 

finding_Remediation_Recommendation_Url

str

ifthenelse(isnull(finding_Remediation_Recommendation_Url_tmp), findings_Remediation_Recommendation_Url_str, finding_Remediation_Recommendation_Url_tmp)

finding_Remediation_Recommendation_Url_tmp

findings_Remediation_Recommendation_Url_str

 

finding_Types

str

ifthenelse(isnull(finding_Types_tmp), findings_Types_str, finding_Types_tmp)

findings_Types_str

finding_Types_tmp

 

finding_ProductFields_RecommendationUrl

str

ifthenelse(isnull(finding_ProductFields_RecommendationUrl_tmp), findings_ProductFields_RecommendationUrl_str, finding_ProductFields_RecommendationUrl_tmp)

findings_ProductFields_RecommendationUrl_str

finding_ProductFields_RecommendationUrl_tmp

 

finding_Id

str

ifthenelse(isnull(finding_Id_tmp), findings_Id_str, finding_Id_tmp)

finding_Id_tmp

findings_Id_str

 

finding_SchemaVersion

timestamp

 

 

 

finding_SchemaVersion_str

str

ifthenelse(isnull(finding_SchemaVersion), findings_SchemaVersion_tmp, finding_SchemaVersion)

findings_SchemaVersion_tmp

finding_SchemaVersion

 

finding_FirstObservedAt_str

str

ifthenelse(isnull(finding_FirstObservedAt_tmp), findings_FirstObservedAt_tmp, finding_FirstObservedAt_tmp)

findings_FirstObservedAt_tmp

finding_FirstObservedAt_tmp

 

finding_FirstObservedAt

timestamp

ifthenelse(isnull(finding_FirstObservedAt_tmp), findings_FirstObservedAt_timestamp, finding_FirstObservedAt_tmp)

findings_FirstObservedAt_timestamp

finding_FirstObservedAt_tmp

 

finding_Compliance_Status

str

ifthenelse(isnull(finding_Compliance_Status_tmp), findings_Compliance_Status_str, finding_Compliance_Status_tmp)

findings_Compliance_Status_str

finding_Compliance_Status_tmp

 

finding_Description

str

ifthenelse(isnull(finding_Description_tmp), findings_Description_str, finding_Description_tmp)

findings_Description_str

finding_Description_tmp

 

finding_GeneratorId

str

ifthenelse(isnull(finding_GeneratorId_tmp), findings_GeneratorId_str, finding_GeneratorId_tmp)

findings_GeneratorId_str

finding_GeneratorId_tmp

 

finding_WorkflowState

str

ifthenelse(isnull(finding_WorkflowState_tmp), findings_WorkflowState_str, finding_WorkflowState_tmp)

finding_WorkflowState_tmp

findings_WorkflowState_str

 

finding_Remediation_Recommendation_Text

str

ifthenelse(isnull(finding_Remediation_Recommendation_Text_tmp), findings_Remediation_Recommendation_Text_str, finding_Remediation_Recommendation_Text_tmp)

findings_Remediation_Recommendation_Text_str

finding_Remediation_Recommendation_Text_tmp

 

finding_ProductFields_aws_securityhub_CompanyName

str

ifthenelse(isnull(finding_ProductFields_aws_securityhub_CompanyName_tmp), findings_ProductFields_aws_securityhub_CompanyName_str, finding_ProductFields_aws_securityhub_CompanyName_tmp)

finding_ProductFields_aws_securityhub_CompanyName_tmp

findings_ProductFields_aws_securityhub_CompanyName_str

 

finding_ProductArn

str

ifthenelse(isnull(finding_ProductArn_tmp), findings_ProductArn_str, finding_ProductArn_tmp)

finding_ProductArn_tmp

findings_ProductArn_str

 

finding_LastObservedAt_str

str

ifthenelse(isnull(finding_LastObservedAt_tmp), findings_LastObservedAt_tmp, finding_LastObservedAt_tmp)

finding_LastObservedAt_tmp

findings_LastObservedAt_tmp

 

finding_LastObservedAt

timestamp

ifthenelse(isnull(finding_LastObservedAt_tmp), findings_LastObservedAt_timestamp, finding_LastObservedAt_tmp)

finding_LastObservedAt_tmp

findings_LastObservedAt_timestamp

 

finding_ProductFields_aws_securityhub_ProductName

str

ifthenelse(isnull(finding_ProductFields_aws_securityhub_ProductName_tmp), findings_ProductFields_aws_securityhub_ProductName_str, finding_ProductFields_aws_securityhub_ProductName_tmp)

finding_ProductFields_aws_securityhub_ProductName_tmp

findings_ProductFields_aws_securityhub_ProductName_str

 

finding_CreatedAt_str

str

ifthenelse(isnull(finding_CreatedAt_tmp), findings_CreatedAt_tmp, finding_CreatedAt_tmp)

finding_CreatedAt_tmp

findings_CreatedAt_tmp

 

finding_CreatedAt

timestamp

ifthenelse(isnull(finding_CreatedAt_tmp), findings_CreatedAt_timestamp, finding_CreatedAt_tmp)

finding_CreatedAt_tmp

findings_CreatedAt_timestamp

 

finding_AwsAccountId

str

ifthenelse(isnull(finding_AwsAccountId_tmp), findings_AwsAccountId_str, finding_AwsAccountId_tmp)

findings_AwsAccountId_str

finding_AwsAccountId_tmp

 

finding_Resources

str

ifthenelse(isnull(finding_Resources_tmp), findings_Resources_str, finding_Resources_tmp)

finding_Resources_tmp

findings_Resources_str

 

finding_UpdatedAt_str

str

ifthenelse(isnull(finding_UpdatedAt_tmp), findings_UpdatedAt_tmp, finding_UpdatedAt_tmp)

findings_UpdatedAt_tmp

finding_UpdatedAt_tmp

 

finding_UpdatedAt

timestamp

ifthenelse(isnull(finding_UpdatedAt_tmp), findings_UpdatedAt_timestamp, finding_UpdatedAt_tmp)

findings_UpdatedAt_timestamp

finding_UpdatedAt_tmp

 

finding_ProductFields_aws_securityhub_FindingId

str

ifthenelse(isnull(finding_ProductFields_aws_securityhub_FindingId_tmp), findings_ProductFields_aws_securityhub_FindingId_str, finding_ProductFields_aws_securityhub_FindingId_tmp)

finding_ProductFields_aws_securityhub_FindingId_tmp

findings_ProductFields_aws_securityhub_FindingId_str

 

finding_ProductFields_RuleId

str

ifthenelse(isnull(finding_ProductFields_RuleId_tmp), findings_ProductFields_RuleId_str, finding_ProductFields_RuleId_tmp)

findings_ProductFields_RuleId_str

finding_ProductFields_RuleId_tmp

 

finding_ProductFields_StandardsGuideArn

str

ifthenelse(isnull(finding_ProductFields_StandardsGuideArn_tmp), findings_ProductFields_StandardsGuideArn_str, finding_ProductFields_StandardsGuideArn_tmp)

findings_ProductFields_StandardsGuideArn_str

finding_ProductFields_StandardsGuideArn_tmp

 

finding_ProductFields_StandardsGuideSubscriptionArn

str

ifthenelse(isnull(finding_ProductFields_StandardsGuideSubscriptionArn_tmp), findings_ProductFields_StandardsGuideSubscriptionArn_str, finding_ProductFields_StandardsGuideSubscriptionArn_tmp)

finding_ProductFields_StandardsGuideSubscriptionArn_tmp

findings_ProductFields_StandardsGuideSubscriptionArn_str

 

finding_ProductFields_RecordState

str

 

 

 

finding_ProductFields_aws_securityhub_SeverityLabel

str

 

 

 

finding_ProductFields_rule_arn

str

 

 

 

finding_ProductFields_tags_0

str

 

 

 

finding_ProductFields_tags_1

str

 

 

 

finding_ProductFields_themes_0_theme

str

 

 

 

finding_ProductFields_themes_0_count

str

 

 

 

finding_ProductFields_dlpRisk_0_risk

str

 

 

 

finding_ProductFields_dlpRisk_0_count

str

 

 

 

finding_ProductFields_owner_0_name

str

 

 

 

finding_ProductFields_owner_0_count

str

 

 

 

finding_Confidence

int8

 

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 
