cloud.aws.securityhub
Introduction
The tags beginning with cloud.aws.securityhub
identify events generated by AWS Security Hub.
Valid tags and data tables
The full tag must have four levels. The first three are fixed as cloud.aws.securityhub.
The fourth level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
AWS Security Hub |
|
|
For more information, see Devo tags.
Table structure
These are the fields displayed in this table:
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate |
|
|
|
|
hostname |
|
|
|
|
version |
|
|
|
|
id |
|
|
|
|
detail_type |
|
|
|
|
source |
|
|
|
|
account |
|
|
|
|
time |
|
|
|
|
region |
|
|
|
|
resources |
|
|
|
|
detail_actionName |
|
|
|
|
detail_actionDescription |
|
|
|
|
finding_CompanyName |
| ifthenelse(isnull(finding_CompanyName_tmp), findings_CompanyName_str, finding_CompanyName_tmp) | finding_CompanyName_tmp findings_CompanyName_str |
|
findings_FindingProviderFields_Severity_Label_str |
| join(findings_FindingProviderFields_Severity_Label, ',') | findings_FindingProviderFields_Severity_Label |
|
finding_FindingProviderFields_Severity_Label |
| ifthenelse(isnull(finding_FindingProviderFields_Severity_Label_tmp), findings_FindingProviderFields_Severity_Label_str, finding_FindingProviderFields_Severity_Label_tmp) | finding_FindingProviderFields_Severity_Label_tmp findings_FindingProviderFields_Severity_Label_str |
|
finding_FindingProviderFields_Severity_Normalized |
| findings_FindingProviderFields_Severity_Normalized_str finding_FindingProviderFields_Severity_Normalized_tmp |
| |
finding_FindingProviderFields_Severity_Original |
| findings_FindingProviderFields_Severity_Original_str finding_FindingProviderFields_Severity_Original_tmp |
| |
finding_FindingProviderFields_Severity_Product |
| findings_FindingProviderFields_Severity_Product |
| |
findings_FindingProviderFields_Types_str |
| findings_FindingProviderFields_Types |
| |
finding_FindingProviderFields_Types |
| finding_FindingProviderFields_Types_str findings_FindingProviderFields_Types_str finding_FindingProviderFields_Types_tmp |
| |
findings_ProductFields_RelatedAWSResources_0_name_str |
| findings_ProductFields_RelatedAWSResources_0_name |
| |
finding_ProductFields_RelatedAWSResources_0_name |
| findings_ProductFields_RelatedAWSResources_0_name_str finding_ProductFields_RelatedAWSResources_0_name_tmp |
| |
findings_ProductFields_RelatedAWSResources_0_type_str |
| findings_ProductFields_RelatedAWSResources_0_type |
| |
finding_ProductFields_RelatedAWSResources_0_type |
| findings_ProductFields_RelatedAWSResources_0_type_str finding_ProductFields_RelatedAWSResources_0_type_tmp |
| |
finding_ProductFields_Resources_0_Id |
| finding_ProductFields_Resources_0_Id_tmp findings_ProductFields_Resources_0_Id_str |
| |
finding_ProductFields_StandardsControlArn |
| findings_ProductFields_StandardsControlArn |
| |
finding_Workflow_Status |
| finding_Workflow_Status_tmp findings_Workflow_Status_str |
| |
finding_ProductName |
| finding_ProductName_tmp findings_ProductName_str |
| |
finding_Region |
| findings_Region_str finding_Region_tmp |
| |
finding_Severity_Label |
| finding_Severity_Label_tmp findings_Severity_Label_str |
| |
finding_Severity_Original |
| findings_Severity_Original_str finding_Severity_Original_tmp |
| |
finding_Resources_Partition |
| findings_Resources_Partition |
| |
finding_Resources_Type |
| findings_Resources_Type |
| |
finding_Resources_Details |
| findings_Resources_Details |
| |
finding_Resources_Region |
| findings_Resources_Region |
| |
finding_Resources_Id |
| findings_Resources_Id |
| |
finding_Severity_Normalized |
|
|
|
|
finding_Severity_Normalized_str |
| finding_Severity_Normalized findings_Severity_Normalized_tmp |
| |
finding_Severity_Product |
|
|
|
|
finding_Severity_Product_str |
| finding_Severity_Product findings_Severity_Product_tmp |
| |
finding_RecordState |
| finding_RecordState_tmp findings_RecordState_str |
| |
finding_Title |
| finding_Title_tmp findings_Title_str |
| |
finding_Remediation_Recommendation_Url |
| finding_Remediation_Recommendation_Url_tmp findings_Remediation_Recommendation_Url_str |
| |
finding_Types |
| findings_Types_str finding_Types_tmp |
| |
finding_ProductFields_RecommendationUrl |
| findings_ProductFields_RecommendationUrl_str finding_ProductFields_RecommendationUrl_tmp |
| |
finding_Id |
| finding_Id_tmp findings_Id_str |
| |
finding_SchemaVersion |
|
|
|
|
finding_SchemaVersion_str |
| findings_SchemaVersion_tmp finding_SchemaVersion |
| |
finding_FirstObservedAt_str |
| findings_FirstObservedAt_tmp finding_FirstObservedAt_tmp |
| |
finding_FirstObservedAt |
| findings_FirstObservedAt_timestamp finding_FirstObservedAt_tmp |
| |
finding_Compliance_Status |
| findings_Compliance_Status_str finding_Compliance_Status_tmp |
| |
finding_Description |
| findings_Description_str finding_Description_tmp |
| |
finding_GeneratorId |
| findings_GeneratorId_str finding_GeneratorId_tmp |
| |
finding_WorkflowState |
| finding_WorkflowState_tmp findings_WorkflowState_str |
| |
finding_Remediation_Recommendation_Text |
| findings_Remediation_Recommendation_Text_str finding_Remediation_Recommendation_Text_tmp |
| |
finding_ProductFields_aws_securityhub_CompanyName |
| finding_ProductFields_aws_securityhub_CompanyName_tmp findings_ProductFields_aws_securityhub_CompanyName_str |
| |
finding_ProductArn |
| finding_ProductArn_tmp findings_ProductArn_str |
| |
finding_LastObservedAt_str |
| finding_LastObservedAt_tmp findings_LastObservedAt_tmp |
| |
finding_LastObservedAt |
| finding_LastObservedAt_tmp findings_LastObservedAt_timestamp |
| |
finding_ProductFields_aws_securityhub_ProductName |
| finding_ProductFields_aws_securityhub_ProductName_tmp findings_ProductFields_aws_securityhub_ProductName_str |
| |
finding_CreatedAt_str |
| finding_CreatedAt_tmp findings_CreatedAt_tmp |
| |
finding_CreatedAt |
| finding_CreatedAt_tmp findings_CreatedAt_timestamp |
| |
finding_AwsAccountId |
| findings_AwsAccountId_str finding_AwsAccountId_tmp |
| |
finding_Resources |
| finding_Resources_tmp findings_Resources_str |
| |
finding_UpdatedAt_str |
| findings_UpdatedAt_tmp finding_UpdatedAt_tmp |
| |
finding_UpdatedAt |
| findings_UpdatedAt_timestamp finding_UpdatedAt_tmp |
| |
finding_ProductFields_aws_securityhub_FindingId |
| finding_ProductFields_aws_securityhub_FindingId_tmp findings_ProductFields_aws_securityhub_FindingId_str |
| |
finding_ProductFields_RuleId |
| findings_ProductFields_RuleId_str finding_ProductFields_RuleId_tmp |
| |
finding_ProductFields_StandardsGuideArn |
| findings_ProductFields_StandardsGuideArn_str finding_ProductFields_StandardsGuideArn_tmp |
| |
finding_ProductFields_StandardsGuideSubscriptionArn |
| finding_ProductFields_StandardsGuideSubscriptionArn_tmp findings_ProductFields_StandardsGuideSubscriptionArn_str |
| |
finding_ProductFields_RecordState |
|
|
|
|
finding_ProductFields_aws_securityhub_SeverityLabel |
|
|
|
|
finding_ProductFields_rule_arn |
|
|
|
|
finding_ProductFields_tags_0 |
|
|
|
|
finding_ProductFields_tags_1 |
|
|
|
|
finding_ProductFields_themes_0_theme |
|
|
|
|
finding_ProductFields_themes_0_count |
|
|
|
|
finding_ProductFields_dlpRisk_0_risk |
|
|
|
|
finding_ProductFields_dlpRisk_0_count |
|
|
|
|
finding_ProductFields_owner_0_name |
|
|
|
|
finding_ProductFields_owner_0_count |
|
|
|
|
finding_Confidence |
|
|
|
|
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
| ✓ |