Document toolboxDocument toolbox

cloud.aws.securityhub

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: Feb 06, 2024
1 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with cloud.aws.securityhub identify events generated by AWS Security Hub.

Valid tags and data tables

The full tag must have four levels. The first 3 are fixed as cloud.aws.securityhub The fourth level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

AWS Security Hub

cloud.aws.securityhub.findings

cloud.aws.securityhub.findings

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

version

str

 

 

 

id

str

 

 

 

detail_type

str

 

 

 

source

str

 

 

 

account

str

 

 

 

time

timestamp

 

 

 

region

str

 

 

 

resources

str

 

 

 

detail_actionName

str

 

 

 

detail_actionDescription

str

 

 

 

finding_CompanyName

str

ifthenelse(isnull(finding_CompanyName_tmp), findings_CompanyName_str, finding_CompanyName_tmp)

finding_CompanyName_tmp

findings_CompanyName_str

 

findings_FindingProviderFields_Severity_Label_str

str

join(findings_FindingProviderFields_Severity_Label, ',')

findings_FindingProviderFields_Severity_Label

 

finding_FindingProviderFields_Severity_Label

str

ifthenelse(isnull(finding_FindingProviderFields_Severity_Label_tmp), findings_FindingProviderFields_Severity_Label_str, finding_FindingProviderFields_Severity_Label_tmp)

finding_FindingProviderFields_Severity_Label_tmp

findings_FindingProviderFields_Severity_Label_str

 

finding_FindingProviderFields_Severity_Normalized

str

findings_FindingProviderFields_Severity_Normalized_str

finding_FindingProviderFields_Severity_Normalized_tmp

 

finding_FindingProviderFields_Severity_Original

str

findings_FindingProviderFields_Severity_Original_str

finding_FindingProviderFields_Severity_Original_tmp

 

finding_FindingProviderFields_Severity_Product

str

findings_FindingProviderFields_Severity_Product

 

findings_FindingProviderFields_Types_str

str

findings_FindingProviderFields_Types

 

finding_FindingProviderFields_Types

str

finding_FindingProviderFields_Types_str

findings_FindingProviderFields_Types_str

finding_FindingProviderFields_Types_tmp

 

findings_ProductFields_RelatedAWSResources_0_name_str

str

findings_ProductFields_RelatedAWSResources_0_name

 

finding_ProductFields_RelatedAWSResources_0_name

str

findings_ProductFields_RelatedAWSResources_0_name_str

finding_ProductFields_RelatedAWSResources_0_name_tmp

 

findings_ProductFields_RelatedAWSResources_0_type_str

str

findings_ProductFields_RelatedAWSResources_0_type

 

finding_ProductFields_RelatedAWSResources_0_type

str

findings_ProductFields_RelatedAWSResources_0_type_str

finding_ProductFields_RelatedAWSResources_0_type_tmp

 

finding_ProductFields_Resources_0_Id

str

finding_ProductFields_Resources_0_Id_tmp

findings_ProductFields_Resources_0_Id_str

 

finding_ProductFields_StandardsControlArn

str

findings_ProductFields_StandardsControlArn

 

finding_Workflow_Status

str

finding_Workflow_Status_tmp

findings_Workflow_Status_str

 

finding_ProductName

str

finding_ProductName_tmp

findings_ProductName_str

 

finding_Region

str

findings_Region_str

finding_Region_tmp

 

finding_Severity_Label

str

finding_Severity_Label_tmp

findings_Severity_Label_str

 

finding_Severity_Original

str

findings_Severity_Original_str

finding_Severity_Original_tmp

 

finding_Resources_Partition

str

findings_Resources_Partition

 

finding_Resources_Type

str

findings_Resources_Type

 

finding_Resources_Details

str

findings_Resources_Details

 

finding_Resources_Region

str

findings_Resources_Region

 

finding_Resources_Id

str

findings_Resources_Id

 

finding_Severity_Normalized

int8

 

 

 

finding_Severity_Normalized_str

str

finding_Severity_Normalized

findings_Severity_Normalized_tmp

 

finding_Severity_Product

int8

 

 

 

finding_Severity_Product_str

str

finding_Severity_Product

findings_Severity_Product_tmp

 

finding_RecordState

str

finding_RecordState_tmp

findings_RecordState_str

 

finding_Title

str

finding_Title_tmp

findings_Title_str

 

finding_Remediation_Recommendation_Url

str

finding_Remediation_Recommendation_Url_tmp

findings_Remediation_Recommendation_Url_str

 

finding_Types

str

findings_Types_str

finding_Types_tmp

 

finding_ProductFields_RecommendationUrl

str

findings_ProductFields_RecommendationUrl_str

finding_ProductFields_RecommendationUrl_tmp

 

finding_Id

str

finding_Id_tmp

findings_Id_str

 

finding_SchemaVersion

timestamp

 

 

 

finding_SchemaVersion_str

str

findings_SchemaVersion_tmp

finding_SchemaVersion

 

finding_FirstObservedAt_str

str

findings_FirstObservedAt_tmp

finding_FirstObservedAt_tmp

 

finding_FirstObservedAt

timestamp

findings_FirstObservedAt_timestamp

finding_FirstObservedAt_tmp

 

finding_Compliance_Status

str

findings_Compliance_Status_str

finding_Compliance_Status_tmp

 

finding_Description

str

findings_Description_str

finding_Description_tmp

 

finding_GeneratorId

str

findings_GeneratorId_str

finding_GeneratorId_tmp

 

finding_WorkflowState

str

finding_WorkflowState_tmp

findings_WorkflowState_str

 

finding_Remediation_Recommendation_Text

str

findings_Remediation_Recommendation_Text_str

finding_Remediation_Recommendation_Text_tmp

 

finding_ProductFields_aws_securityhub_CompanyName

str

finding_ProductFields_aws_securityhub_CompanyName_tmp

findings_ProductFields_aws_securityhub_CompanyName_str

 

finding_ProductArn

str

finding_ProductArn_tmp

findings_ProductArn_str

 

finding_LastObservedAt_str

str

finding_LastObservedAt_tmp

findings_LastObservedAt_tmp

 

finding_LastObservedAt

timestamp

finding_LastObservedAt_tmp

findings_LastObservedAt_timestamp

 

finding_ProductFields_aws_securityhub_ProductName

str

finding_ProductFields_aws_securityhub_ProductName_tmp

findings_ProductFields_aws_securityhub_ProductName_str

 

finding_CreatedAt_str

str

finding_CreatedAt_tmp

findings_CreatedAt_tmp

 

finding_CreatedAt

timestamp

finding_CreatedAt_tmp

findings_CreatedAt_timestamp

 

finding_AwsAccountId

str

findings_AwsAccountId_str

finding_AwsAccountId_tmp

 

finding_Resources

str

finding_Resources_tmp

findings_Resources_str

 

finding_UpdatedAt_str

str

findings_UpdatedAt_tmp

finding_UpdatedAt_tmp

 

finding_UpdatedAt

timestamp

findings_UpdatedAt_timestamp

finding_UpdatedAt_tmp

 

finding_ProductFields_aws_securityhub_FindingId

str

finding_ProductFields_aws_securityhub_FindingId_tmp

findings_ProductFields_aws_securityhub_FindingId_str

 

finding_ProductFields_RuleId

str

findings_ProductFields_RuleId_str

finding_ProductFields_RuleId_tmp

 

finding_ProductFields_StandardsGuideArn

str

findings_ProductFields_StandardsGuideArn_str

finding_ProductFields_StandardsGuideArn_tmp

 

finding_ProductFields_StandardsGuideSubscriptionArn

str

finding_ProductFields_StandardsGuideSubscriptionArn_tmp

findings_ProductFields_StandardsGuideSubscriptionArn_str

 

finding_ProductFields_RecordState

str

 

 

 

finding_ProductFields_aws_securityhub_SeverityLabel

str

 

 

 

finding_ProductFields_rule_arn

str

 

 

 

finding_ProductFields_tags_0

str

 

 

 

finding_ProductFields_tags_1

str

 

 

 

finding_ProductFields_themes_0_theme

str

 

 

 

finding_ProductFields_themes_0_count

str

 

 

 

finding_ProductFields_dlpRisk_0_risk

str

 

 

 

finding_ProductFields_dlpRisk_0_count

str

 

 

 

finding_ProductFields_owner_0_name

str

 

 

 

finding_ProductFields_owner_0_count

str

 

 

 

finding_Confidence

int8

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓