From 0e62d7d1ca0e80b54d6ab28481c6b4fdda9f1818 Mon Sep 17 00:00:00 2001 
From: brijesh-elastic Date: Tue, 11 Nov 2025 16:20:45 +0530 Subject: [PATCH 1/2] Initial release --- packages/aws_securityhub/_dev/build/build.yml | 3 + .../aws_securityhub/_dev/build/docs/README.md | 108 + .../_dev/deploy/docker/docker-compose.yml | 17 + .../_dev/deploy/docker/files/certificate.crt | 21 + .../_dev/deploy/docker/files/config.yml | 472 ++ .../_dev/deploy/docker/files/private.key | 28 + packages/aws_securityhub/changelog.yml | 6 + .../_dev/test/pipeline/test-common-config.yml | 7 + .../_dev/test/pipeline/test-findings.log | 10 + .../pipeline/test-findings.log-expected.json | 2412 +++++++++ .../_dev/test/system/test-default-config.yml | 38 + .../finding/agent/stream/cel.yml.hbs | 140 + .../elasticsearch/ingest_pipeline/default.yml | 2072 ++++++++ .../ingest_pipeline/pipeline_object_actor.yml | 287 + .../pipeline_object_attack.yml | 100 + .../pipeline_object_device.yml | 725 +++ .../pipeline_object_evidence.yml | 723 +++ .../pipeline_object_finding.yml | 169 + .../pipeline_object_malware.yml | 422 ++ .../pipeline_object_metadata.yml | 270 + .../ingest_pipeline/pipeline_object_osint.yml | 996 ++++ .../pipeline_object_resources.yml | 342 ++ .../pipeline_object_vulnerabilities.yml | 498 ++ .../finding/fields/base-fields.yml | 16 + .../data_stream/finding/fields/beats.yml | 6 + .../data_stream/finding/fields/ecs.yml | 7 + .../data_stream/finding/fields/fields.yml | 4615 +++++++++++++++++ .../data_stream/finding/fields/package.yml | 6 + .../data_stream/finding/fields/resource.yml | 12 + .../data_stream/finding/fields/result.yml | 6 + .../data_stream/finding/fields/rule.yml | 6 + .../finding/fields/vulnerability.yml | 12 + .../data_stream/finding/manifest.yml | 123 + packages/aws_securityhub/docs/README.md | 1535 ++++++ .../fields/base-fields.yml | 17 + .../fields/beats.yml | 6 + .../latest_cdr_vulnerabilities/fields/ecs.yml | 7 + .../fields/fields.yml | 4378 ++++++++++++++++ .../fields/package.yml | 6 + .../fields/resource.yml | 12 + .../fields/result.yml | 
6 + .../fields/rule.yml | 6 + .../fields/vulnerability.yml | 12 + .../latest_cdr_vulnerabilities/manifest.yml | 7 + .../latest_cdr_vulnerabilities/transform.yml | 45 + .../aws_securityhub/img/logo_securityhub.svg | 18 + packages/aws_securityhub/manifest.yml | 131 + 47 files changed, 20861 insertions(+) create mode 100644 packages/aws_securityhub/_dev/build/build.yml create mode 100644 packages/aws_securityhub/_dev/build/docs/README.md create mode 100644 packages/aws_securityhub/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/aws_securityhub/_dev/deploy/docker/files/certificate.crt create mode 100644 packages/aws_securityhub/_dev/deploy/docker/files/config.yml create mode 100644 packages/aws_securityhub/_dev/deploy/docker/files/private.key create mode 100644 packages/aws_securityhub/changelog.yml create mode 100644 packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log create mode 100644 packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log-expected.json create mode 100644 packages/aws_securityhub/data_stream/finding/_dev/test/system/test-default-config.yml create mode 100644 packages/aws_securityhub/data_stream/finding/agent/stream/cel.yml.hbs create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_actor.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_attack.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_device.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_evidence.yml create mode 100644 
packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_finding.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_malware.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_metadata.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_osint.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_resources.yml create mode 100644 packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_vulnerabilities.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/base-fields.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/beats.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/ecs.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/fields.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/package.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/resource.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/result.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/rule.yml create mode 100644 packages/aws_securityhub/data_stream/finding/fields/vulnerability.yml create mode 100644 packages/aws_securityhub/data_stream/finding/manifest.yml create mode 100644 packages/aws_securityhub/docs/README.md create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml create mode 100644 
packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/result.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/rule.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/manifest.yml create mode 100644 packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml create mode 100644 packages/aws_securityhub/img/logo_securityhub.svg create mode 100644 packages/aws_securityhub/manifest.yml
diff --git a/packages/aws_securityhub/_dev/build/build.yml b/packages/aws_securityhub/_dev/build/build.yml
new file mode 100644
index 00000000000..b2596b96490
--- /dev/null
+++ b/packages/aws_securityhub/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v9.2.0
diff --git a/packages/aws_securityhub/_dev/build/docs/README.md b/packages/aws_securityhub/_dev/build/docs/README.md
new file mode 100644
index 00000000000..27ae0fe05e1
--- /dev/null
+++ b/packages/aws_securityhub/_dev/build/docs/README.md
@@ -0,0 +1,108 @@ +# AWS Security Hub Integration for Elastic + +## Overview +The AWS Security Hub integration with Elastic enables the collection of findings for monitoring and analysis. This valuable data can be leveraged within Elastic to analyze security signals from multiple sources, such as posture management, vulnerability management (Amazon Inspector), sensitive data identification (Amazon Macie), and threat detection (Amazon GuardDuty). + +This integration utilizes the AWS Security Hub API to collect Findings in the OCSF format. + +### Compatibility + +The AWS Security Hub integration uses the REST API. It uses the `GetFindingsV2` to collect findings in OCSF format. + +### How it works + +The **finding** data stream uses the `/findingsv2` endpoint to gather all findings starting from the configured initial interval. Subsequently, it fetches the recent findings available at each specified interval. + +## What data does this integration collect? + +The AWS Security Hub integration collects log messages of the following types: + +- `Finding`: Returns a list of findings in OCSF format. Refer to the [GetFindingsV2 API Reference](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingsV2.html). + +### Supported use cases +Integrating AWS Security Hub with Elastic SIEM provides a comprehensive view of the security state of your AWS resources. Leveraging AWS Security Hub integration helps you analyze security trends to identify and prioritize security issues across your AWS environment. + +## What do I need to use this integration? + +### From Elastic + +AWS Security Hub integration adds [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements. + +### From AWS Security Hub + +Enable AWS Security Hub in your environment. 
For more detail, refer to the link [here](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html). + +#### Collecting data from AWS Security Hub API + +Users can authenticate using permanent security credentials, as well as temporary security credentials. They can also select `shared_credential_file`, `credential_profile_name` to retrieve credentials. Additionally, they can use `role_arn` to specify which AWS IAM role to assume for generating temporary credentials. An `external_id` can also be provided when assuming a role in another account. + +The credentials must have permission to perform the **securityhub:GetFindings** action. + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. + +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +### Onboard / configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. 
In the search bar, type **AWS Security Hub**. +3. Select the **AWS Security Hub** integration from the search results. +4. Select **Add AWS Security Hubs** to add the integration. +5. Enable and configure **Collect AWS Security Hub logs via API**: + + - Configure AWS Authentication parameters and set the **AWS Region** and **Top Level Domain**. Adjust the integration configuration parameters as needed, including the **Initial Interval**, **Interval**, **Batch Size** etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Transforms healthy + +1. In the top search bar in Kibana, search for **Transforms**. +2. Select the **Data / Transforms** from the search results. +3. In the search bar, type **aws_securityhub**. +4. All transforms from the search results should indicate **Healthy** under the **Health** column. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Finding + +{{fields "finding"}} + +### Example event + +#### Finding + +{{/* {{event "finding"}} */}} + +### Inputs used + +These inputs are used in this integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + +### API usage + +This integration dataset uses the following APIs: + +- `Finding`: [AWS Security Hub REST API](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingsV2.html). diff --git a/packages/aws_securityhub/_dev/deploy/docker/docker-compose.yml b/packages/aws_securityhub/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..f0b06c44fbd --- /dev/null 
+++ b/packages/aws_securityhub/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+ aws_securityhub:
+ image: docker.elastic.co/observability/stream:v0.20.0
+ hostname: securityhub.xxxx.amazonaws.com
+ ports:
+ - 443
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: "443"
+ command:
+ - http-server
+ - --addr=:443
+ - --config=/files/config.yml
+ - --tls-cert=/files/certificate.crt
+ - --tls-key=/files/private.key
diff --git a/packages/aws_securityhub/_dev/deploy/docker/files/certificate.crt b/packages/aws_securityhub/_dev/deploy/docker/files/certificate.crt
new file mode 100644
index 00000000000..e01aa2d8698
--- /dev/null
+++ b/packages/aws_securityhub/_dev/deploy/docker/files/certificate.crt
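Review bot: The top-level `version: '2.3'` key is obsolete in the Compose specification and current Docker Compose ignores it with a warning, so dropping that line is the cleaner form. `PORT: "443"` under `environment` and `--addr=:443` under `command` both fix the listen port; keeping a single source for it avoids the two drifting apart, though which of them the stream image actually honours is not visible in this patch. Because the listener serves the self-signed certificate.crt from the same patch under the hostname `securityhub.xxxx.amazonaws.com`, whatever test config points the agent at this host has to either disable TLS verification or explicitly trust that certificate; that config is not in this chunk.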
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAksCFHjpS63J08Qx8oUw5qhhPAt4b7XqMA0GCSqGSIb3DQEBCwUAMG4x +CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl +cm5ldCBXaWRnaXRzIFB0eSBMdGQxJzAlBgNVBAMMHnNlY3VyaXR5aHViLnh4eHgu +YW1hem9uYXdzLmNvbTAeFw0yNTExMTAxNzA3MjdaFw0zNTExMDgxNzA3MjdaMG4x +CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl +cm5ldCBXaWRnaXRzIFB0eSBMdGQxJzAlBgNVBAMMHnNlY3VyaXR5aHViLnh4eHgu +YW1hem9uYXdzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOGm +MbmIurgsjJxtFWDDNa0T0h2bRtVCMC+KwdZpZVwp+K1oFxizkWbsbGFA0SJpMMMZ +aHoSlYfbe7T8QgcJE40o5sVRrOyPNcNbh9THvjmFKE+9SFep083A2f6YBRXssTSA +PMd/hXOdD87biWUnSbgsug0LFZHQcPDz3b6ktExzpEbdMIYSlyrtFass4OWduUzX +W2aiP/jBI2O4ndjmTh78oeED6A10twoaz8fNQzaaAcp9KjB+RViBwgSFekp4sNUo +BiEqLalI6o9ZcbpAIV/fH0SQZy9rEBhrD0xzlqOmM3Mv/xTFkwOgc6EEFA1Tx7nb +Btm0afHgCy63XKKZT+0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAFJ+95GV4zx1k +Ljofy3IwkhF5oW1NsYTQIYPvOhVdTsebP/pXj98Co5QK19CL4UwSNVZmL+egm560 +itIqS+Dh9d1JIdrU4JzMuWI7gqA2r2XdwRdbVfR8fKvt9MXoLE6OtrEgRIhQtgPG +7+B5Jarsd85CUSnCk8/Xb1jL3AhMyTtThsUhOaRPInqnodagTz9MI/xFXru7X+mJ +tc5b1/Qzo5s2c0v53VSKRl2dEY1hS0FQ6zpupf/nqxK7XjHqA0bthP7EAJj5dSVh +/18+nnWLm0v8/xRjlJ9Z82QRJrJV96H8bWpAcT0Hk13pi+LcF3XgfYQJSR32z4tt +hPpgCP6KcQ== +-----END CERTIFICATE----- diff --git a/packages/aws_securityhub/_dev/deploy/docker/files/config.yml b/packages/aws_securityhub/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..e7d44d4c120 --- /dev/null +++ b/packages/aws_securityhub/_dev/deploy/docker/files/config.yml 
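Review bot: The certificate appears to be an X.509 v1 certificate (its DER has no explicit version field, so it carries no extensions and therefore no Subject Alternative Name), with the hostname present only in the CN `securityhub.xxxx.amazonaws.com`. Go-based clients such as Elastic Agent do not fall back to the CN for hostname verification, so the system test can only reach this mock with TLS verification disabled; that is acceptable for a local fixture, but if verification is ever meant to be exercised the certificate should be regenerated with a SAN matching the `hostname` set in docker-compose.yml. The validity period appears to run from 2025-11-10 to 2035-11-08, which is long enough that the fixture will not silently expire in CI. The paired private.key in this patch must be treated as public since it is committed in clear text, and never reused for anything but this mock.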
@@ -0,0 +1,472 @@ +rules: + - path: /findingsv2 + methods: ['POST'] + request_headers: + Content-Type: + - "application/json" + request_body: /^\{"Filters":\{"CompositeFilters":\[\{"DateFilters":\[\{"FieldName":"finding_info\.modified_time_dt","Filter":\{"End":.*,"Start":.*\}\}\]\}\]\},"MaxResults":2,"NextToken":"next_token_2","SortCriteria":\[\{"Field":"finding_info\.modified_time_dt","SortOrder":"asc"\}\]\}/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "Findings": [ + { + "activity_id": 2, + "activity_name": "Update", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "cloud": { + "account": { "uid": "123456789012" }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "SSM.1", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Fail", + "status_id": 3 + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-ec2-instance-managed-by-ssm-ab123467", + "type": "Rule", + "type_id": 1 + }, + "created_time": 1748541948106, + "created_time_dt": "2025-05-29T18:05:48.106Z", + "desc": "This AWS control checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.", + "first_seen_time": 1748541944226, + "first_seen_time_dt": "2025-05-29T18:05:44.226Z", + "last_seen_time": 1750372015643, + "last_seen_time_dt": "2025-06-19T22:26:55.643Z", + "modified_time": 1758875220981, + "modified_time_dt": "2025-09-26T08:27:00.981Z", + "title": "EC2 instances should be managed by AWS Systems Manager", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/SSM.1/finding/cabc123e-1235-ef12-abcd-6123456abcd1" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": 
"arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": ["cloud", "datetime"], + "uid": "d1bc4b01234567890123456789abc123456def5bcdefabcdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/SSM.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { "account": { "uid": "123456789012" } }, + "region": "us-east-2", + "tags": [ + { + "name": "aws:autoscaling:groupName", + "value": "eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892" + }, + { + "name": "aws:ec2:fleet-id", + "value": "fleet-babcdefc-5678-abcd-1234-20123456789b" + }, + { "name": "k8s.io/cluster-autoscaler/demo_prod", "value": "owned" }, + { "name": "aws:eks:cluster-name", "value": "demo_prod" }, + { "name": "eks:cluster-name", "value": "demo_prod" }, + { "name": "aws:ec2launchtemplate:version", "value": "6" }, + { "name": "eks:nodegroup-name", "value": "demo_prod_linux" }, + { "name": "k8s.io/cluster-autoscaler/enabled", "value": "true" }, + { "name": "kubernetes.io/cluster/demo_prod", "value": "owned" }, + { + "name": "aws:ec2launchtemplate:id", + "value": "lt-abcdefabcdef123456" + } + ], + "type": "AWS::EC2::Instance", + "uid": "i-abcd1235cdef1234", + "uid_alt": "arn:aws:ec2:us-east-2:123456789012:instance/i-abcd1235cdef1234" + } + ], + "severity": "Medium", + "severity_id": 3, + "status": "New", + "status_id": 1, + "time": 1758875220981, + "time_dt": "2025-09-26T08:27:00.981Z", + "type_name": "Compliance Finding: Update", + "type_uid": 200302, + "vendor_attributes": { "severity": "Medium", "severity_id": 3 } + } + ] + } + `}} + - path: /findingsv2 + methods: ['POST'] + request_headers: + Content-Type: + - "application/json" + request_body: 
/^\{"Filters":\{"CompositeFilters":\[\{"DateFilters":\[\{"FieldName":"finding_info\.modified_time_dt","Filter":\{"End":.*,"Start":.*\}\}\]\}\]\},"MaxResults":2,"NextToken":"next_token_1","SortCriteria":\[\{"Field":"finding_info\.modified_time_dt","SortOrder":"asc"\}\]\}/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "Findings": [ + { + "activity_id": 1, + "activity_name": "Create", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "cloud": { + "account": { "uid": "123456789012" }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "IAM.1", + "requirements": ["CIS AWS Foundations Benchmark v1.2.0/1.22"], + "standards": [ + "ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": 1 + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-iam-policy-no-statements-with-admin-access-babcdefe", + "type": "Rule", + "type_id": 1 + }, + "created_time": 1758273558940, + "created_time_dt": "2025-09-19T09:19:18.940Z", + "desc": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". 
It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.", + "first_seen_time": 1758273549612, + "first_seen_time_dt": "2025-09-19T09:19:09.612Z", + "last_seen_time": 1758273549612, + "last_seen_time_dt": "2025-09-19T09:19:09.612Z", + "modified_time": 1758273558940, + "modified_time_dt": "2025-09-19T09:19:18.940Z", + "title": "IAM policies should not allow full \"*\" administrative privileges", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1/finding/11233211-1234-efab-abcd-701234567892" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": ["cloud", "datetime"], + "uid": "d1bc4b01234567890123456789abcdefefabcdefabcdef123451234566", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { "account": { "uid": "123456789012" } }, + "region": "global", + "type": "AWS::IAM::Policy", + "uid": "AJKSDBVKJJKVBJDSVBWKURGBFWK", + "uid_alt": "arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1412345678" + } + ], + "severity": "Informational", + "severity_id": 1, + "status": "Resolved", + "status_id": 4, + "time": 1758273558940, + "time_dt": "2025-09-19T09:19:18.940Z", + "type_name": "Compliance Finding: Create", + "type_uid": 200301, + "vendor_attributes": { "severity": "Informational", "severity_id": 1 } + }, + { + "activity_id": 1, + "activity_name": "Create", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "cloud": { + 
"account": { "uid": "123456789012" }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "KMS.1", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": 1 + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-iam-customer-policy-blocked-kms-actions-0abcdefe", + "type": "Rule", + "type_id": 1 + }, + "created_time": 1758273553640, + "created_time_dt": "2025-09-19T09:19:13.640Z", + "desc": "Checks whether the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.", + "first_seen_time": 1758273549591, + "first_seen_time_dt": "2025-09-19T09:19:09.591Z", + "last_seen_time": 1758273549591, + "last_seen_time_dt": "2025-09-19T09:19:09.591Z", + "modified_time": 1758273553640, + "modified_time_dt": "2025-09-19T09:19:13.640Z", + "title": "IAM customer managed policies should not allow decryption actions on all KMS keys", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/KMS.1/finding/11233211-5678-efab-abcd-701234567892" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": ["cloud", "datetime"], + "uid": "d1234b01234567890123456789abcde1234defabcdefabcdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + 
"https://docs.aws.amazon.com/console/securityhub/KMS.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { "account": { "uid": "123456789012" } }, + "region": "global", + "type": "AWS::IAM::Policy", + "uid": "AVSHDBVJBSKVBSDVSDB", + "uid_alt": "arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1451083178" + } + ], + "severity": "Informational", + "severity_id": 1, + "status": "Resolved", + "status_id": 4, + "time": 1758273553640, + "time_dt": "2025-09-19T09:19:13.640Z", + "type_name": "Compliance Finding: Create", + "type_uid": 200301, + "vendor_attributes": { "severity": "Informational", "severity_id": 1 } + } + ], + "NextToken": "next_token_2" + } + `}} + - path: /findingsv2 + methods: ['POST'] + request_body: /^\{"Filters":\{"CompositeFilters":\[\{"DateFilters":\[\{"FieldName":"finding_info\.modified_time_dt","Filter":\{"End":.*,"Start":.*\}\}\]\}\]\},"MaxResults":2,"SortCriteria":\[\{"Field":"finding_info\.modified_time_dt","SortOrder":"asc"\}\]\}/ + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: |- + {{ minify_json ` + { + "Findings": [ + { + "activity_id": 1, + "activity_name": "Create", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "cloud": { + "account": { "uid": "123456789012" }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "SQS.3", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": 1 + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-sqs-queue-no-public-access-abcdef12", + "type": "Rule", + "type_id": 1 + }, + "created_time": 1758273439594, + "created_time_dt": "2025-09-19T09:17:19.594Z", + "desc": "This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. 
The control fails if an SQS access policy allows public access to the queue.", + "first_seen_time": 1758273437503, + "first_seen_time_dt": "2025-09-19T09:17:17.503Z", + "last_seen_time": 1758273437503, + "last_seen_time_dt": "2025-09-19T09:17:17.503Z", + "modified_time": 1758273439594, + "modified_time_dt": "2025-09-19T09:17:19.594Z", + "title": "SQS queue access policies should not allow public access", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.3/finding/7abcdef4-abcd-1234-5678-501234567894" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": ["cloud", "datetime"], + "uid": "d1bc4b01234567890123456789abcdefabcdefabcdefabcdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/SQS.3/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { "account": { "uid": "123456789012" } }, + "region": "us-east-2", + "type": "AWS::SQS::Queue", + "uid": "https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding", + "uid_alt": "arn:aws:sqs:us-east-2:123456789012:securityhubfinding" + } + ], + "severity": "Informational", + "severity_id": 1, + "status": "Resolved", + "status_id": 4, + "time": 1758273439594, + "time_dt": "2025-09-19T09:17:19.594Z", + "type_name": "Compliance Finding: Create", + "type_uid": 200301, + "vendor_attributes": { "severity": "Informational", "severity_id": 1 } + }, + { + "activity_id": 1, + "activity_name": "Create", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "cloud": { + "account": { "uid": "123456789012" }, + 
"provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "SQS.1", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Fail", + "status_id": 3 + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-sqs-queue-encrypted-12345678", + "type": "Rule", + "type_id": 1 + }, + "created_time": 1758273447903, + "created_time_dt": "2025-09-19T09:17:27.903Z", + "desc": "This control checks whether Amazon SQS queues are encrypted at rest.", + "first_seen_time": 1758273437473, + "first_seen_time_dt": "2025-09-19T09:17:17.473Z", + "last_seen_time": 1758273437473, + "last_seen_time_dt": "2025-09-19T09:17:17.473Z", + "modified_time": 1758273447903, + "modified_time_dt": "2025-09-19T09:17:27.903Z", + "title": "Amazon SQS queues should be encrypted at rest", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.1/finding/7dabcdef-1234-8912-5678-5012345678904" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": ["cloud", "datetime"], + "uid": "d1bc4b01234567890123456789abcdefabcd0123456789cdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/SQS.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { "account": { "uid": "123456789012" } }, + "region": "us-east-2", + "type": "AWS::SQS::Queue", + "uid": "https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding", + "uid_alt": "arn:aws:sqs:us-east-2:123456789012:securityhubfinding" + } + ], + "severity": "Medium", + "severity_id": 3, + "status": "New", 
+ "status_id": 1,
+ "time": 1758273447903,
+ "time_dt": "2025-09-19T09:17:27.903Z",
+ "type_name": "Compliance Finding: Create",
+ "type_uid": 200301,
+ "vendor_attributes": { "severity": "Medium", "severity_id": 3 }
+ }
+ ],
+ "NextToken": "next_token_1"
+ }
+ `}}
diff --git a/packages/aws_securityhub/_dev/deploy/docker/files/private.key b/packages/aws_securityhub/_dev/deploy/docker/files/private.key
new file mode 100644
index 00000000000..4ad4624916a
--- /dev/null
+++ b/packages/aws_securityhub/_dev/deploy/docker/files/private.key
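Review bot: The third `/findingsv2` rule (the one whose `request_body` pattern has no `"NextToken"`) has no `request_headers` block, while the first two rules require `Content-Type: application/json`; the mock therefore accepts the initial page request with any content type and the three rules do not check the same contract. Adding the same `request_headers:` / `Content-Type:` / `- "application/json"` lines to the third rule keeps the three consistent. The `request_body` patterns are anchored with `^` but not `$`, so a request JSON with extra trailing fields would still match; whether that looseness is intended depends on the CEL program in cel.yml.hbs, which is not in this chunk.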
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDhpjG5iLq4LIyc +bRVgwzWtE9Idm0bVQjAvisHWaWVcKfitaBcYs5Fm7GxhQNEiaTDDGWh6EpWH23u0 +/EIHCRONKObFUazsjzXDW4fUx745hShPvUhXqdPNwNn+mAUV7LE0gDzHf4VznQ/O +24llJ0m4LLoNCxWR0HDw892+pLRMc6RG3TCGEpcq7RWrLODlnblM11tmoj/4wSNj +uJ3Y5k4e/KHhA+gNdLcKGs/HzUM2mgHKfSowfkVYgcIEhXpKeLDVKAYhKi2pSOqP +WXG6QCFf3x9EkGcvaxAYaw9Mc5ajpjNzL/8UxZMDoHOhBBQNU8e52wbZtGnx4Asu +t1yimU/tAgMBAAECggEAXwYcUYv9SZrlGeisBIQgYgMDTFl8Akmtvg+aYl8fAqlg +IjI/67SO6j9swqXHjEys7rQP9bxGwSASH9zNN2ZAmATd7cFf53zFgL/WWypEdreX +CsFkqhoH6lEo3BiLp7h1xWyta7vNaKr/Ibb8zJ63YjpfnSeKTU3wid/AhUyZ6slL +ekgms9vEaFTMZyLraLfqACNY4l3fW3EtbGGHaS2k1byo/bPzLAgyZNCSQhImrHo5 +ul1DIZ1ZJgcFjEFTbNkde5Hay61ZP5HESlZlIs4JrXzkX9MYUoky0STMVzVDO+v7 +zcLHdGXX1sCwYGnzUE73DnVdB6wPL4BPTUt6lIJ0pwKBgQDkq6F8fURRafcWcBni +znemF1NobxnN+LlGcYMvS92/63U31NBuMsKlqjgWKQQmcr0XKspKtxPWbxQVMH20 +CLMH4MHMmPzfU+HDsWOyxEJyOJdrHWlQjKcvXvGasewZkfz1gmLav3W9QoMOsJun +rnM4C4eyX/GboH4g7/6Ub1n5ewKBgQD8niBHgIU2mchK6cSqrQjSUbmJGqdXVW7s +gE+QWtm4tFQ8t7/fPVrbWz9/OjQd0kPBkWjKkU+B8nKXMvE0X66IPKtKGS0NNWC7 +9jIxPztJDvG3vG3zNcYFnIhcqG2dMum+hmpoWM5cOJek9c2tM655Cz4bXlFGeOcA +mU/b9mgbtwKBgBQ/akYmpWT8GAfhlzkxBQEs8ZK+u680RduJ8469jf4PcEqoSmhn +kDqxDtRPf3GUGVAy1sS030nOfh2+NHM7jfa1nRNrvIBd4hC85VIP9L4+apHugcPD +II6ePpBvDrPY7GgkynIKH/fJKuejFbVMSiF9S9+shS09kc2C0qz8CyB/AoGAUWij +/mbshywH4Bx1xIr+zMiJgiWUyBBALvcqrNqaT2vNucN9kfOz0/0T+WxIX1Pjgf3a +R22MsdPwGcnQ8Y/kLwNeMALtAdSx1+D/S9+Uu3aVbyDKThaGOki3qSSeLoq5ySyI +HhiAaDfUptSP88Ez+M4mtasvhgZwa0D8+2XtJwECgYEA1nzZ0lN2BMjzFnWwmP9N +XlBj89WnfiSSttQR2hIDO2nuc5mij7R3/wPFbo9PrWBVR/uqc+Oi57694WEGyBb5 +V/lO6XJHiI4lIWAXJK2poHbJlR5+jLxhXnHSoPluPvmgx2HRJ4WH7Gx+MFV2n+dE +7mz4ZZs5gXk0qU6lhs4hUtw= +-----END PRIVATE KEY----- diff --git a/packages/aws_securityhub/changelog.yml b/packages/aws_securityhub/changelog.yml new file mode 100644 index 00000000000..7ff18e0caed --- /dev/null +++ b/packages/aws_securityhub/changelog.yml 
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
diff --git a/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-common-config.yml b/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..b75cf408564
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,7 @@
+fields:
+ tags:
+ - preserve_duplicate_custom_fields
+dynamic_fields:
+ # This can be removed after ES 8.14 is the minimum version.
+ # Relates: https://github.com/elastic/elasticsearch/pull/105689
+ url.extension: '^.*$'
diff --git a/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log b/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log
new file mode 100644
index 00000000000..f814f79072b
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log
@@ -0,0 +1,10 @@ +{"activity_id":1,"activity_name":"Create","category_name":"Findings","category_uid":2,"class_name":"Compliance Finding","class_uid":2003,"cloud":{"account":{"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"compliance":{"control":"SQS.3","standards":["standards/aws-foundational-security-best-practices/v/1.0.0"],"status":"Pass","status_id":1},"finding_info":{"analytic":{"category":"AWS::Config::ConfigRule","name":"securityhub-sqs-queue-no-public-access-abcdef12","type":"Rule","type_id":1},"created_time":1758273439594,"created_time_dt":"2025-09-19T09:17:19.594Z","desc":"This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public access to the queue.","first_seen_time":1758273437503,"first_seen_time_dt":"2025-09-19T09:17:17.503Z","last_seen_time":1758273437503,"last_seen_time_dt":"2025-09-19T09:17:17.503Z","modified_time":1758273439594,"modified_time_dt":"2025-09-19T09:17:19.594Z","title":"SQS queue access policies should not allow public access","types":["Software and Configuration Checks/Industry and Regulatory Standards","Posture Management"],"uid":"arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.3/finding/7abcdef4-abcd-1234-5678-501234567894"},"metadata":{"product":{"name":"Security Hub","uid":"arn:aws:securityhub:us-east-2::productv2/aws/securityhub","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890123456789abcdefabcdefabcdefabcdef123456","version":"1.6.0"},"remediation":{"desc":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","references":["https://docs.aws.amazon.com/console/securityhub/SQS.3/remediation"]},"resources":[{"cloud_partition":"aws","owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","type":"AWS::SQS::Queue","uid":"https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding","uid_alt":"arn:aws:sqs:us-east-2:123456789012:securityhubfinding"}],"severity":"Informational","severity_id":1,"status":"Resolved","status_id":4,"time":1758273439594,"time_dt":"2025-09-19T09:17:19.594Z","type_name":"Compliance Finding: Create","type_uid":200301,"vendor_attributes":{"severity":"Informational","severity_id":1}} +{"activity_id":1,"activity_name":"Create","category_name":"Findings","category_uid":2,"class_name":"Compliance Finding","class_uid":2003,"cloud":{"account":{"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"compliance":{"control":"SQS.1","standards":["standards/aws-foundational-security-best-practices/v/1.0.0"],"status":"Fail","status_id":3},"finding_info":{"analytic":{"category":"AWS::Config::ConfigRule","name":"securityhub-sqs-queue-encrypted-12345678","type":"Rule","type_id":1},"created_time":1758273447903,"created_time_dt":"2025-09-19T09:17:27.903Z","desc":"This control checks whether Amazon SQS queues are encrypted at rest.","first_seen_time":1758273437473,"first_seen_time_dt":"2025-09-19T09:17:17.473Z","last_seen_time":1758273437473,"last_seen_time_dt":"2025-09-19T09:17:17.473Z","modified_time":1758273447903,"modified_time_dt":"2025-09-19T09:17:27.903Z","title":"Amazon SQS queues should be encrypted at rest","types":["Software and Configuration Checks/Industry and Regulatory Standards","Posture Management"],"uid":"arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.1/finding/7dabcdef-1234-8912-5678-5012345678904"},"metadata":{"product":{"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-2::productv2/aws/securityhub","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890123456789abcdefabcd0123456789cdef123456","version":"1.6.0"},"remediation":{"desc":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","references":["https://docs.aws.amazon.com/console/securityhub/SQS.1/remediation"]},"resources":[{"cloud_partition":"aws","owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","type":"AWS::SQS::Queue","uid":"https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding","uid_alt":"arn:aws:sqs:us-east-2:123456789012:securityhubfinding"}],"severity":"Medium","severity_id":3,"status":"New","status_id":1,"time":1758273447903,"time_dt":"2025-09-19T09:17:27.903Z","type_name":"Compliance Finding: Create","type_uid":200301,"vendor_attributes":{"severity":"Medium","severity_id":3}} +{"activity_id":1,"activity_name":"Create","category_name":"Findings","category_uid":2,"class_name":"Compliance Finding","class_uid":2003,"cloud":{"account":{"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"compliance":{"control":"IAM.1","requirements":["CIS AWS Foundations Benchmark v1.2.0/1.22"],"standards":["ruleset/cis-aws-foundations-benchmark/v/1.2.0","standards/aws-foundational-security-best-practices/v/1.0.0"],"status":"Pass","status_id":1},"finding_info":{"analytic":{"category":"AWS::Config::ConfigRule","name":"securityhub-iam-policy-no-statements-with-admin-access-babcdefe","type":"Rule","type_id":1},"created_time":1758273558940,"created_time_dt":"2025-09-19T09:19:18.940Z","desc":"This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". 
It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.","first_seen_time":1758273549612,"first_seen_time_dt":"2025-09-19T09:19:09.612Z","last_seen_time":1758273549612,"last_seen_time_dt":"2025-09-19T09:19:09.612Z","modified_time":1758273558940,"modified_time_dt":"2025-09-19T09:19:18.940Z","title":"IAM policies should not allow full \"*\" administrative privileges","types":["Software and Configuration Checks/Industry and Regulatory Standards","Posture Management"],"uid":"arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1/finding/11233211-1234-efab-abcd-701234567892"},"metadata":{"product":{"name":"Security Hub","uid":"arn:aws:securityhub:us-east-2::productv2/aws/securityhub","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890123456789abcdefefabcdefabcdef123451234566","version":"1.6.0"},"remediation":{"desc":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","references":["https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation"]},"resources":[{"cloud_partition":"aws","owner":{"account":{"uid":"123456789012"}},"region":"global","type":"AWS::IAM::Policy","uid":"AJKSDBVKJJKVBJDSVBWKURGBFWK","uid_alt":"arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1412345678"}],"severity":"Informational","severity_id":1,"status":"Resolved","status_id":4,"time":1758273558940,"time_dt":"2025-09-19T09:19:18.940Z","type_name":"Compliance Finding: Create","type_uid":200301,"vendor_attributes":{"severity":"Informational","severity_id":1}} +{"activity_id":1,"activity_name":"Create","category_name":"Findings","category_uid":2,"class_name":"Compliance 
Finding","class_uid":2003,"cloud":{"account":{"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"compliance":{"control":"KMS.1","standards":["standards/aws-foundational-security-best-practices/v/1.0.0"],"status":"Pass","status_id":1},"finding_info":{"analytic":{"category":"AWS::Config::ConfigRule","name":"securityhub-iam-customer-policy-blocked-kms-actions-0abcdefe","type":"Rule","type_id":1},"created_time":1758273553640,"created_time_dt":"2025-09-19T09:19:13.640Z","desc":"Checks whether the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.","first_seen_time":1758273549591,"first_seen_time_dt":"2025-09-19T09:19:09.591Z","last_seen_time":1758273549591,"last_seen_time_dt":"2025-09-19T09:19:09.591Z","modified_time":1758273553640,"modified_time_dt":"2025-09-19T09:19:13.640Z","title":"IAM customer managed policies should not allow decryption actions on all KMS keys","types":["Software and Configuration Checks/Industry and Regulatory Standards","Posture Management"],"uid":"arn:aws:securityhub:us-east-2:123456789012:security-control/KMS.1/finding/11233211-5678-efab-abcd-701234567892"},"metadata":{"product":{"name":"Security Hub","uid":"arn:aws:securityhub:us-east-2::productv2/aws/securityhub","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1234b01234567890123456789abcde1234defabcdefabcdef123456","version":"1.6.0"},"remediation":{"desc":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","references":["https://docs.aws.amazon.com/console/securityhub/KMS.1/remediation"]},"resources":[{"cloud_partition":"aws","owner":{"account":{"uid":"123456789012"}},"region":"global","type":"AWS::IAM::Policy","uid":"AVSHDBVJBSKVBSDVSDB","uid_alt":"arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1451083178"}],"severity":"Informational","severity_id":1,"status":"Resolved","status_id":4,"time":1758273553640,"time_dt":"2025-09-19T09:19:13.640Z","type_name":"Compliance Finding: Create","type_uid":200301,"vendor_attributes":{"severity":"Informational","severity_id":1}} +{"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Vulnerability Finding","class_uid":2002,"cloud":{"account":{"type":"AWS Account","type_id":10,"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"finding_info":{"created_time":1758187630345,"created_time_dt":"2025-09-18T09:27:10.345Z","desc":"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.","first_seen_time":1748539687919,"first_seen_time_dt":"2025-05-29T17:28:07.919Z","last_seen_time":1758904048631,"last_seen_time_dt":"2025-09-26T16:27:28.631Z","modified_time":1758904048631,"modified_time_dt":"2025-09-26T16:27:28.631Z","title":"CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc","types":["Software and Configuration 
Checks/Vulnerabilities/CVE","Vulnerabilities"],"uid":"arn:aws:inspector2:us-east-2:123456789012:finding/71234567890abcdefabcdefabcdef12e"},"metadata":{"product":{"name":"Inspector","uid":"arn:aws:securityhub:us-east-2::productv2/aws/inspector","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890abcdef789abcdefabcdefabcdefabcabcdef456","version":"1.6.0"},"resources":[{"cloud_partition":"aws","data":{"awsEc2InstanceDetails":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892","imageId":"ami-abcdefa123456789","ipV4Addresses":["10.90.1.245","10.90.1.45","10.90.1.168","10.90.1.157","1.128.0.1","10.90.1.103","10.90.1.197","10.90.1.220","10.90.1.86","10.90.1.29","10.90.1.18","10.90.1.181","10.90.1.161","10.90.1.229","10.90.1.108","10.90.1.219","10.90.1.9","10.90.1.106","10.90.1.206"],"launchedAt":"2025-05-29T16:06:08Z","platform":"AMAZON_LINUX_2","subnetId":"subnet-abcdefabcd1267890","type":"t3.medium","vpcId":"vpc-abcdefabcd1abcd90"}},"owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","tags":[{"name":"aws:autoscaling:groupName","value":"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892"},{"name":"aws:ec2:fleet-id","value":"fleet-aaaeeaac-ef12-abcd-8490-20123456789b"},{"name":"k8s.io/cluster-autoscaler/demo_prod","value":"owned"},{"name":"aws:eks:cluster-name","value":"demo_prod"},{"name":"eks:cluster-name","value":"demo_prod"},{"name":"aws:ec2launchtemplate:version","value":"6"},{"name":"eks:nodegroup-name","value":"demo_prod_linux"},{"name":"k8s.io/cluster-autoscaler/enabled","value":"true"},{"name":"kubernetes.io/cluster/demo_prod","value":"owned"},{"name":"aws:ec2launchtemplate:id","value":"lt-098dabcdefabcdef2"}],"type":"AWS::EC2::Instance","uid":"i-0abcdef012345678b"}],"severity":"High","severity_id":4,"status":"New","status_id":1,"time":1758904048631,"time_dt":"2025-09-26T16:27:28.631Z","type_name":"Vulnerability Finding: 
Update","type_uid":200202,"vendor_attributes":{"severity":"High","severity_id":4},"vulnerabilities":[{"affected_packages":[{"epoch":0,"fixed_in_version":"0.17.0","name":"golang.org/x/net","package_manager":"GOBINARY","path":"vol-abcdef0123456789ab:/p1:opt/cni/bin/aws-cni","version":"v0.1.0"},{"epoch":0,"fixed_in_version":"1.58.3","name":"google.golang.org/grpc","package_manager":"GOBINARY","path":"vol-abcdef0123456789ab:/p1:opt/cni/bin/aws-cni","version":"v1.31.0"}],"cve":{"created_time":1696947310000,"created_time_dt":"2023-10-10T14:15:10.000Z","cvss":[{"base_score":7.5,"severity":"HIGH","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","vendor_name":"NVD","version":"3.1"}],"desc":"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.","epss":{"score":"0.94422"},"modified_time":1749662994000,"modified_time_dt":"2025-06-11T17:29:54.000Z","uid":"CVE-2023-44487"},"exploit_last_seen_time":1758859157000,"exploit_last_seen_time_dt":"2025-09-26T03:59:17.000Z","fix_coverage":"Complete","fix_coverage_id":1,"is_exploit_available":true,"is_fix_available":true,"references":["https://github.com/microsoft/CBL-Mariner/pull/6381","https://github.com/grpc/grpc/releases/tag/v1.59.2","https://github.com/eclipse/jetty.project/issues/10679","https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/","https://www.debian.org/security/2023/dsa-5522","https://github.com/etcd-io/etcd/issues/16740","https://www.debian.org/security/2023/dsa-5521","https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487","https://github.com/haproxy/haproxy/issues/2312","https://github.com/caddyserver/caddy/issues/5877","https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61","https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2","https://github.com/adviso
ries/GHSA-qppj-fm5r-hxr3","https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14","https://github.com/dotnet/announcements/issues/277","https://github.com/envoyproxy/envoy/pull/30055","https://github.com/openresty/openresty/issues/930","https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/","https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html","https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q","https://github.com/apache/apisix/issues/10320","https://github.com/projectcontour/contour/pull/5826","https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/","https://github.com/Kong/kong/discussions/11741","https://github.com/h2o/h2o/pull/3291","https://github.com/advisories/GHSA-vx74-f528-fxqg","https://github.com/oqtane/oqtane.framework/discussions/3367","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/","https://nvd.nist.gov/vuln/detail/CVE-2023-44487","https://github.com/junkurihara/rust-rpxy/issues/97","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/","https://github.com/nodejs/node/pull/50121","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/","https://www.debian.org/security/2023/dsa-5570","https://github.com/line/armeria/pull/5232","https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487","https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ","https://github.com/nghttp2/nghttp2/pull/1961","https://lists.fedor
aproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/","https://my.f5.com/manage/s/article/K000137106","https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113","https://github.com/varnishcache/varnish-cache/issues/3996","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/","https://github.com/alibaba/tengine/issues/1872","https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html","https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/","https://bugzilla.redhat.com/show_bug.cgi?id=2242803","https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/","https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo","https://github.com/golang/go/issues/63417","https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html","https://aws.amazon.com/security/security-bulletins/AWS-2023-011/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/","https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack","https://netty.io/news/2023/10/10/4-1-100-Final.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/","https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1","https://security.gentoo.org/glsa/202311-09","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/","https://ubuntu.com/security/CVE-2023-44487","https
://github.com/facebook/proxygen/pull/466","https://github.com/kubernetes/kubernetes/pull/121120","https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html","https://bugzilla.suse.com/show_bug.cgi?id=1216123","https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0","https://www.debian.org/security/2023/dsa-5558","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/","https://github.com/tempesta-tech/tempesta/issues/1986","https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/","https://github.com/grpc/grpc-go/pull/6703","https://github.com/apache/trafficserver/pull/10564","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/","https://www.debian.org/security/2023/dsa-5540","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/","https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9","https://github.com/advisories/GHSA-xpw8-rcwv-8f8p","https://access.redhat.com/security/cve/cve-2023-44487","https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html","https://www.debian.org/security/2023/dsa-5549","https://github.com/apache/httpd-site/pull/10","https://github.com/opensearch-project/data-prepper/issues/3474","https://github.com/akka/akka-http/issues/4323","https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632","https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html","https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html","https://gist.g
ithub.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/","https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487","https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764","https://github.com/caddyserver/caddy/releases/tag/v2.7.5","https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/","https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244","https://github.com/micrictor/http2-rst-stream","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/","https://github.com/bcdannyboy/CVE-2023-44487","https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html","https://github.com/kazu-yamamoto/http2/issues/93","https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/","https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/","https://github.com/Azure/AKS/issues/3947","https://github.com/ninenines/cowboy/issues/1615","https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"],"severity":"HIGH"}]} +{"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Vulnerability Finding","class_uid":2002,"cloud":{"account":{"type":"AWS 
Account","type_id":10,"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"finding_info":{"created_time":1757557651926,"created_time_dt":"2025-09-11T02:27:31.926Z","desc":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789","first_seen_time":1755692788521,"first_seen_time_dt":"2025-08-20T12:26:28.521Z","last_seen_time":1758903843057,"last_seen_time_dt":"2025-09-26T16:24:03.057Z","modified_time":1758903843057,"modified_time_dt":"2025-09-26T16:24:03.057Z","title":"CVE-2025-8194 - python, python-devel and 3 more","types":["Software and Configuration Checks/Vulnerabilities/CVE","Vulnerabilities"],"uid":"arn:aws:inspector2:us-east-2:123456789012:finding/9abcdefabcdef0123456789abcdef121"},"metadata":{"product":{"name":"Inspector","uid":"arn:aws:securityhub:us-east-2::productv2/aws/inspector","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890123456789abcdefabc0123456789bcdef123456","version":"1.6.0"},"resources":[{"cloud_partition":"aws","data":{"awsEc2InstanceDetails":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892","imageId":"ami-abcdefa123456789","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","175.16.199.1","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"launchedAt":"2025-05-29T16:04:40Z","platform":"AMAZON_LINUX_2","subnetId":"subnet-abcdef12345678901","type":"t3.medium","vpcId":"vpc-a
bcdefabcd1abcd90"}},"owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","tags":[{"name":"aws:autoscaling:groupName","value":"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892"},{"name":"aws:ec2:fleet-id","value":"fleet-babcdefc-5678-abcd-1234-20123456789b"},{"name":"k8s.io/cluster-autoscaler/demo_prod","value":"owned"},{"name":"aws:eks:cluster-name","value":"demo_prod"},{"name":"eks:cluster-name","value":"demo_prod"},{"name":"aws:ec2launchtemplate:version","value":"6"},{"name":"eks:nodegroup-name","value":"demo_prod_linux"},{"name":"k8s.io/cluster-autoscaler/enabled","value":"true"},{"name":"kubernetes.io/cluster/demo_prod","value":"owned"},{"name":"aws:ec2launchtemplate:id","value":"lt-abcdefabcdef123456"}],"type":"AWS::EC2::Instance","uid":"i-abcd1235cdef1234"}],"severity":"High","severity_id":4,"status":"New","status_id":1,"time":1758903843057,"time_dt":"2025-09-26T16:24:03.057Z","type_name":"Vulnerability Finding: Update","type_uid":200202,"vendor_attributes":{"severity":"High","severity_id":4},"vulnerabilities":[{"affected_packages":[{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:2.7.18-1.amzn2.0.14","name":"python","package_manager":"OS","release":"1.amzn2.0.12","remediation":{"desc":"yum update python"},"version":"2.7.18"},{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:2.7.18-1.amzn2.0.14","name":"python-devel","package_manager":"OS","release":"1.amzn2.0.12","remediation":{"desc":"yum update python-devel"},"version":"2.7.18"},{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:2.7.18-1.amzn2.0.14","name":"python-libs","package_manager":"OS","release":"1.amzn2.0.12","remediation":{"desc":"yum update python-libs"},"version":"2.7.18"},{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:3.7.16-1.amzn2.0.19","name":"python3","package_manager":"OS","release":"1.amzn2.0.17","remediation":{"desc":"yum update 
python3"},"version":"3.7.16"},{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:3.7.16-1.amzn2.0.19","name":"python3-libs","package_manager":"OS","release":"1.amzn2.0.17","remediation":{"desc":"yum update python3-libs"},"version":"3.7.16"}],"cve":{"created_time":1753660800000,"created_time_dt":"2025-07-28T00:00:00.000Z","cvss":[{"base_score":7.5,"severity":"HIGH","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","vendor_name":"AMAZON_CVE","version":"3.1"},{"base_score":7.5,"severity":"HIGH","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","vendor_name":"NVD","version":"3.1"}],"desc":"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789","epss":{"score":"0.00198"},"modified_time":1753833600000,"modified_time_dt":"2025-07-30T00:00:00.000Z","uid":"CVE-2025-8194"},"fix_coverage":"Complete","fix_coverage_id":1,"is_exploit_available":false,"is_fix_available":true,"references":["https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1135.html","https://alas.aws.amazon.com/AL2/ALAS2-2025-2961.html","https://explore.alas.aws.amazon.com/CVE-2025-8194.html","https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1147.html","https://alas.aws.amazon.com/AL2/ALAS2-2025-2962.html","https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1136.html","https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1146.html","https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2025-8194.json"],"related_vulnerabilities":["ALAS2-2025-2962","ALAS2-2025-2961","ALAS2023-2025-1147","ALAS2023-2025-1136","ALAS2023-2025-1135","ALAS2023-2025-1146"],"severity":"Important"}]} 
+{"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Vulnerability Finding","class_uid":2002,"cloud":{"account":{"type":"AWS Account","type_id":10,"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"finding_info":{"created_time":1758097465573,"created_time_dt":"2025-09-17T08:24:25.573Z","desc":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked","first_seen_time":1758097465573,"first_seen_time_dt":"2025-09-17T08:24:25.573Z","last_seen_time":1758903843057,"last_seen_time_dt":"2025-09-26T16:24:03.057Z","modified_time":1758903843057,"modified_time_dt":"2025-09-26T16:24:03.057Z","title":"CVE-2021-47412 - kernel, kernel-devel and 1 more","types":["Software and Configuration Checks/Vulnerabilities/CVE","Vulnerabilities"],"uid":"arn:aws:inspector2:us-east-2:123456789012:finding/4abcdefabcdef1234567891234567897"},"metadata":{"product":{"name":"Inspector","uid":"arn:aws:securityhub:us-east-2::productv2/aws/inspector","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890abcdef129abcdefabcdefabcdefabcdef123456","version":"1.6.0"},"resources":[{"cloud_partition":"aws","data":{"awsEc2InstanceDetails":{"iamInstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892","imageId":"ami-abcdefa123456789","ipV4Addresses":["10.90.0.87","10.90.0.60","10.90.0.30","10.90.0.74","10.90.0.206","10.90.0.207","10.90.0.37","10.90.0.149","10.90.0.235","175.16.199.1","10.90.0.225","10.90.0.212","10.90.0.199","10.90.0.240","10.90.0.164","10.90.0.160","10.90.0.182","10.90.0.70","10.90.0.180"],"launchedAt":"2025-05-29T16:04:40Z","platform":"AMAZON_LINUX_2","subnetId":"subnet-abcdef12345678901","type":"t3.medium","vpcId":"vpc-abcdefabcd1abcd90"}},"owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","tags":[{"name":"aws:autoscaling:groupName","value":"eks-demo_prod_linux-1123abc1-5678-
efab-abcd-701abcdef892"},{"name":"aws:ec2:fleet-id","value":"fleet-babcdefc-5678-abcd-1234-20123456789b"},{"name":"k8s.io/cluster-autoscaler/demo_prod","value":"owned"},{"name":"aws:eks:cluster-name","value":"demo_prod"},{"name":"eks:cluster-name","value":"demo_prod"},{"name":"aws:ec2launchtemplate:version","value":"6"},{"name":"eks:nodegroup-name","value":"demo_prod_linux"},{"name":"k8s.io/cluster-autoscaler/enabled","value":"true"},{"name":"kubernetes.io/cluster/demo_prod","value":"owned"},{"name":"aws:ec2launchtemplate:id","value":"lt-abcdefabcdef123456"}],"type":"AWS::EC2::Instance","uid":"i-abcd1235cdef1234"}],"severity":"Medium","severity_id":3,"status":"New","status_id":1,"time":1758903843057,"time_dt":"2025-09-26T16:24:03.057Z","type_name":"Vulnerability Finding: Update","type_uid":200202,"vendor_attributes":{"severity":"Medium","severity_id":3},"vulnerabilities":[{"affected_packages":[{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:5.10.242-239.961.amzn2","name":"kernel","package_manager":"OS","release":"228.935.amzn2","remediation":{"desc":"yum update kernel"},"version":"5.10.236"},{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:5.10.242-239.961.amzn2","name":"kernel-devel","package_manager":"OS","release":"228.935.amzn2","remediation":{"desc":"yum update kernel-devel"},"version":"5.10.236"},{"architecture":"X86_64","epoch":0,"fixed_in_version":"0:5.10.242-239.961.amzn2","name":"kernel-headers","package_manager":"OS","release":"228.935.amzn2","remediation":{"desc":"yum update kernel-headers"},"version":"5.10.236"}],"cve":{"created_time":1716249600000,"created_time_dt":"2024-05-21T00:00:00.000Z","cvss":[{"base_score":4.7,"severity":"MEDIUM","vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","vendor_name":"AMAZON_CVE","version":"3.1"},{"base_score":5.5,"severity":"MEDIUM","vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","vendor_name":"NVD","version":"3.1"}],"desc":"In the Linux kernel, the following vulnerability 
has been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked","epss":{"score":"0.00034"},"modified_time":1732752000000,"modified_time_dt":"2024-11-28T00:00:00.000Z","uid":"CVE-2021-47412"},"fix_coverage":"Complete","fix_coverage_id":1,"is_exploit_available":false,"is_fix_available":true,"references":["https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2021-47412.json","https://explore.alas.aws.amazon.com/CVE-2021-47412.html","https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-104.html"],"related_vulnerabilities":["ALAS2KERNEL-5.10-2025-104"],"severity":"Medium"}]}
+{"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Compliance Finding","class_uid":2003,"cloud":{"account":{"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"compliance":{"control":"SSM.1","standards":["standards/aws-foundational-security-best-practices/v/1.0.0"],"status":"Fail","status_id":3},"finding_info":{"analytic":{"category":"AWS::Config::ConfigRule","name":"securityhub-ec2-instance-managed-by-ssm-ab123467","type":"Rule","type_id":1},"created_time":1748541948106,"created_time_dt":"2025-05-29T18:05:48.106Z","desc":"This AWS control checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.","first_seen_time":1748541944226,"first_seen_time_dt":"2025-05-29T18:05:44.226Z","last_seen_time":1750372015643,"last_seen_time_dt":"2025-06-19T22:26:55.643Z","modified_time":1758875220981,"modified_time_dt":"2025-09-26T08:27:00.981Z","title":"EC2 instances should be managed by AWS Systems Manager","types":["Software and Configuration Checks/Industry and Regulatory Standards","Posture Management"],"uid":"arn:aws:securityhub:us-east-2:123456789012:security-control/SSM.1/finding/cabc123e-1235-ef12-abcd-6123456abcd1"},"metadata":{"product":{"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-2::productv2/aws/securityhub","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01234567890123456789abc123456def5bcdefabcdef123456","version":"1.6.0"},"remediation":{"desc":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","references":["https://docs.aws.amazon.com/console/securityhub/SSM.1/remediation"]},"resources":[{"cloud_partition":"aws","owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","tags":[{"name":"aws:autoscaling:groupName","value":"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892"},{"name":"aws:ec2:fleet-id","value":"fleet-babcdefc-5678-abcd-1234-20123456789b"},{"name":"k8s.io/cluster-autoscaler/demo_prod","value":"owned"},{"name":"aws:eks:cluster-name","value":"demo_prod"},{"name":"eks:cluster-name","value":"demo_prod"},{"name":"aws:ec2launchtemplate:version","value":"6"},{"name":"eks:nodegroup-name","value":"demo_prod_linux"},{"name":"k8s.io/cluster-autoscaler/enabled","value":"true"},{"name":"kubernetes.io/cluster/demo_prod","value":"owned"},{"name":"aws:ec2launchtemplate:id","value":"lt-abcdefabcdef123456"}],"type":"AWS::EC2::Instance","uid":"i-abcd1235cdef1234","uid_alt":"arn:aws:ec2:us-east-2:123456789012:instance/i-abcd1235cdef1234"}],"severity":"Medium","severity_id":3,"status":"New","status_id":1,"time":1758875220981,"time_dt":"2025-09-26T08:27:00.981Z","type_name":"Compliance Finding: Update","type_uid":200302,"vendor_attributes":{"severity":"Medium","severity_id":3}}
+{"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Compliance Finding","class_uid":2003,"cloud":{"account":{"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"compliance":{"assessments":[{"desc":"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.","meets_criteria":true,"name":"CONFIG_EVALUATIONS_EMPTY"}],"control":"Redshift.3","standards":["standards/aws-foundational-security-best-practices/v/1.0.0"],"status":"Pass","status_id":1},"finding_info":{"analytic":{"category":"AWS::Config::ConfigRule","name":"securityhub-redshift-backup-enabled-abc12311","type":"Rule","type_id":1},"created_time":1726096120044,"created_time_dt":"2024-09-11T23:08:40.044Z","desc":"This control checks whether an Amazon Redshift cluster has automated snapshots enabled, and a retention period greater than or equal to the specified time frame. The control fails if automated snapshots aren't enabled for the cluster, or if the retention period is less than the specified time frame. Unless you provide a custom parameter value for the retention period, Security Hub uses a default value of 7 days.","first_seen_time":1726096120044,"first_seen_time_dt":"2024-09-11T23:08:40.044Z","last_seen_time":1758886482714,"last_seen_time_dt":"2025-09-26T11:34:42.714Z","modified_time":1758886482714,"modified_time_dt":"2025-09-26T11:34:42.714Z","title":"Amazon Redshift clusters should have automatic snapshots enabled","types":["Software and Configuration Checks/Industry and Regulatory Standards","Posture Management"],"uid":"arn:aws:securityhub:us-east-2:123456789012:security-control/Redshift.3/finding/c3abcd12-3456-7890-abdf-c2123456abcd"},"metadata":{"product":{"name":"Security Hub","uid":"arn:aws:securityhub:us-east-2::productv2/aws/securityhub","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b01abcdef890123456789abcd12345efabcdefabcdef123ab6","version":"1.6.0"},"remediation":{"desc":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","references":["https://docs.aws.amazon.com/console/securityhub/Redshift.3/remediation"]},"resources":[{"cloud_partition":"aws","owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","type":"AWS::::Account","uid":"123456789012"}],"severity":"Informational","severity_id":1,"status":"Resolved","status_id":4,"time":1758886482714,"time_dt":"2025-09-26T11:34:42.714Z","type_name":"Compliance Finding: Update","type_uid":200302,"vendor_attributes":{"severity":"Informational","severity_id":1}}
+{"activity_id":1,"activity_name":"Create","category_name":"Findings","category_uid":2,"class_name":"Vulnerability Finding","class_uid":2002,"cloud":{"account":{"type":"AWS Account","type_id":10,"uid":"123456789012"},"provider":"AWS","region":"us-east-2"},"finding_info":{"created_time":1758662368239,"created_time_dt":"2025-09-23T21:19:28.239Z","desc":"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.","first_seen_time":1758662368239,"first_seen_time_dt":"2025-09-23T21:19:28.239Z","last_seen_time":1758662368239,"last_seen_time_dt":"2025-09-23T21:19:28.239Z","modified_time":1758662368239,"modified_time_dt":"2025-09-23T21:19:28.239Z","title":"CVE-2025-47906 - go/stdlib","types":["Software and Configuration 
Checks/Vulnerabilities/CVE"],"uid":"arn:aws:inspector2:us-east-2:123456789012:finding/2123456789abcdefabcdef12345679"},"metadata":{"product":{"name":"Inspector","uid":"arn:aws:securityhub:us-east-2::productv2/aws/inspector","vendor_name":"AWS"},"profiles":["cloud","datetime"],"uid":"d1bc4b0123456789012345abefabcdefabcdefab123890cdef123456","version":"1.5.0"},"resources":[{"cloud_partition":"aws","data":{"awsLambdaFunctionDetails":{"architectures":["ARM64"],"codeSha256":"OBDFNBKKvsf/dfbSJFBVDKB64v1sJUYVJH/SV5nsdv5svssv=","executionRoleArn":"arn:aws:iam::123456789012:role/cloudtrail-test-ab-LambdaExecutionRole-jVHJUFvbhIHVD6","functionName":"cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6","lastModifiedAt":"2025-08-12T08:23:50Z","layers":["arn:aws:lambda:us-east-2:267093732750:layer:test-cloud-forwarder-ver-0-2-0:1"],"packageType":"ZIP","runtime":"PYTHON_3_12","version":"$LATEST"}},"name":"cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6","owner":{"account":{"uid":"123456789012"}},"region":"us-east-2","tags":[{"name":"aws:cloudformation:stack-name","value":"cloudtrail-test-ab"},{"name":"aws:cloudformation:stack-id","value":"arn:aws:cloudformation:us-east-2:123456789012:stack/cloudtrail-test-ab/c3abcd12-3456-7890-abdf-c2123456abcd"},{"name":"aws:cloudformation:logical-id","value":"LambdaFunction"}],"type":"AWS::Lambda::Function","uid":"cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6","uid_alt":"arn:aws:lambda:us-east-2:123456789012:function:cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6"}],"severity":"Medium","severity_id":3,"status":"New","status_id":1,"time":1758662368239,"time_dt":"2025-09-23T21:19:28.239Z","type_name":"Vulnerability Finding: 
Create","type_uid":200201,"vendor_attributes":{"severity":"Medium","severity_id":3},"vulnerabilities":[{"affected_packages":[{"epoch":0,"fixed_in_version":"1.24.6","name":"go/stdlib","package_manager":"GENERIC","path":"collector","version":"1.24.0"}],"cve":{"created_time":1758222937000,"created_time_dt":"2025-09-18T19:15:37.000Z","cvss":[{"base_score":6.5,"severity":"MEDIUM","vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","vendor_name":"NVD","version":"3.1"}],"desc":"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.","epss":{"score":"0.00017"},"modified_time":1758297627000,"modified_time_dt":"2025-09-19T16:00:27.000Z","uid":"CVE-2025-47906"},"fix_coverage":"Complete","fix_coverage_id":1,"is_exploit_available":false,"is_fix_available":true,"references":["https://groups.google.com/g/golang-announce/c/x5MKroML2yM","https://nvd.nist.gov/vuln/detail/CVE-2025-47906"],"severity":"MEDIUM"}]}
diff --git a/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log-expected.json b/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log-expected.json
new file mode 100644
index 00000000000..50ca4292085
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/_dev/test/pipeline/test-findings.log-expected.json
@@ -0,0 +1,2412 @@ +{ + "expected": [ + { + "@timestamp": "2025-09-19T09:17:19.594Z", + "aws_securityhub": { + "finding": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "SQS.3", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": "1" + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-sqs-queue-no-public-access-abcdef12", + "type": "Rule", + "type_id": "1" + }, + "created_time": "2025-09-19T09:17:19.594Z", + "created_time_dt": "2025-09-19T09:17:19.594Z", + "desc": "This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public access to the queue.", + "first_seen_time": "2025-09-19T09:17:17.503Z", + "first_seen_time_dt": "2025-09-19T09:17:17.503Z", + "last_seen_time": "2025-09-19T09:17:17.503Z", + "last_seen_time_dt": "2025-09-19T09:17:17.503Z", + "modified_time": "2025-09-19T09:17:19.594Z", + "modified_time_dt": "2025-09-19T09:17:19.594Z", + "title": "SQS queue access policies should not allow public access", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.3/finding/7abcdef4-abcd-1234-5678-501234567894" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890123456789abcdefabcdefabcdefabcdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this 
issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/SQS.3/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "type": "AWS::SQS::Queue", + "uid": "https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding", + "uid_alt": "arn:aws:sqs:us-east-2:123456789012:securityhubfinding" + } + ], + "severity": "Informational", + "severity_id": "1", + "status": "Resolved", + "status_id": "4", + "time": "2025-09-19T09:17:19.594Z", + "time_dt": "2025-09-19T09:17:19.594Z", + "type_name": "Compliance Finding: Create", + "type_uid": "200301", + "vendor_attributes": { + "severity": "Informational", + "severity_id": "1" + } + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::SQS::Queue" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Create", + "created": "2025-09-19T09:17:19.594Z", + "id": "arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.3/finding/7abcdef4-abcd-1234-5678-501234567894", + "kind": "alert", + "original": "{\"activity_id\":1,\"activity_name\":\"Create\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"class_uid\":2003,\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"compliance\":{\"control\":\"SQS.3\",\"standards\":[\"standards/aws-foundational-security-best-practices/v/1.0.0\"],\"status\":\"Pass\",\"status_id\":1},\"finding_info\":{\"analytic\":{\"category\":\"AWS::Config::ConfigRule\",\"name\":\"securityhub-sqs-queue-no-public-access-abcdef12\",\"type\":\"Rule\",\"type_id\":1},\"created_time\":1758273439594,\"created_time_dt\":\"2025-09-19T09:17:19.594Z\",\"desc\":\"This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. 
The control fails if an SQS access policy allows public access to the queue.\",\"first_seen_time\":1758273437503,\"first_seen_time_dt\":\"2025-09-19T09:17:17.503Z\",\"last_seen_time\":1758273437503,\"last_seen_time_dt\":\"2025-09-19T09:17:17.503Z\",\"modified_time\":1758273439594,\"modified_time_dt\":\"2025-09-19T09:17:19.594Z\",\"title\":\"SQS queue access policies should not allow public access\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\",\"Posture Management\"],\"uid\":\"arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.3/finding/7abcdef4-abcd-1234-5678-501234567894\"},\"metadata\":{\"product\":{\"name\":\"Security Hub\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/securityhub\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890123456789abcdefabcdefabcdefabcdef123456\",\"version\":\"1.6.0\"},\"remediation\":{\"desc\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"references\":[\"https://docs.aws.amazon.com/console/securityhub/SQS.3/remediation\"]},\"resources\":[{\"cloud_partition\":\"aws\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"type\":\"AWS::SQS::Queue\",\"uid\":\"https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding\",\"uid_alt\":\"arn:aws:sqs:us-east-2:123456789012:securityhubfinding\"}],\"severity\":\"Informational\",\"severity_id\":1,\"status\":\"Resolved\",\"status_id\":4,\"time\":1758273439594,\"time_dt\":\"2025-09-19T09:17:19.594Z\",\"type_name\":\"Compliance Finding: Create\",\"type_uid\":200301,\"vendor_attributes\":{\"severity\":\"Informational\",\"severity_id\":1}}", + "outcome": "success", + "provider": "AWS", + "severity": 21, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": 
"https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding", + "type": "AWS::SQS::Queue" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This controls checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if an SQS access policy allows public access to the queue.", + "id": "SQS.3", + "name": "SQS queue access policies should not allow public access", + "reference": [ + "https://docs.aws.amazon.com/console/securityhub/SQS.3/remediation" + ], + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\\r\\nhttps://docs.aws.amazon.com/console/securityhub/SQS.3/remediation" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-09-19T09:17:27.903Z", + "aws_securityhub": { + "finding": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "SQS.1", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Fail", + "status_id": "3" + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-sqs-queue-encrypted-12345678", + "type": "Rule", + "type_id": "1" + }, + "created_time": "2025-09-19T09:17:27.903Z", + "created_time_dt": "2025-09-19T09:17:27.903Z", + "desc": "This control checks whether Amazon SQS queues are encrypted at rest.", + "first_seen_time": "2025-09-19T09:17:17.473Z", + "first_seen_time_dt": "2025-09-19T09:17:17.473Z", + "last_seen_time": "2025-09-19T09:17:17.473Z", + "last_seen_time_dt": "2025-09-19T09:17:17.473Z", + "modified_time": "2025-09-19T09:17:27.903Z", + "modified_time_dt": "2025-09-19T09:17:27.903Z", + "title": "Amazon SQS queues should be 
encrypted at rest", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.1/finding/7dabcdef-1234-8912-5678-5012345678904" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890123456789abcdefabcd0123456789cdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/SQS.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "type": "AWS::SQS::Queue", + "uid": "https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding", + "uid_alt": "arn:aws:sqs:us-east-2:123456789012:securityhubfinding" + } + ], + "severity": "Medium", + "severity_id": "3", + "status": "New", + "status_id": "1", + "time": "2025-09-19T09:17:27.903Z", + "time_dt": "2025-09-19T09:17:27.903Z", + "type_name": "Compliance Finding: Create", + "type_uid": "200301", + "vendor_attributes": { + "severity": "Medium", + "severity_id": "3" + } + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::SQS::Queue" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Create", + "created": "2025-09-19T09:17:27.903Z", + "id": "arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.1/finding/7dabcdef-1234-8912-5678-5012345678904", + "kind": "alert", + "original": "{\"activity_id\":1,\"activity_name\":\"Create\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Compliance 
Finding\",\"class_uid\":2003,\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"compliance\":{\"control\":\"SQS.1\",\"standards\":[\"standards/aws-foundational-security-best-practices/v/1.0.0\"],\"status\":\"Fail\",\"status_id\":3},\"finding_info\":{\"analytic\":{\"category\":\"AWS::Config::ConfigRule\",\"name\":\"securityhub-sqs-queue-encrypted-12345678\",\"type\":\"Rule\",\"type_id\":1},\"created_time\":1758273447903,\"created_time_dt\":\"2025-09-19T09:17:27.903Z\",\"desc\":\"This control checks whether Amazon SQS queues are encrypted at rest.\",\"first_seen_time\":1758273437473,\"first_seen_time_dt\":\"2025-09-19T09:17:17.473Z\",\"last_seen_time\":1758273437473,\"last_seen_time_dt\":\"2025-09-19T09:17:17.473Z\",\"modified_time\":1758273447903,\"modified_time_dt\":\"2025-09-19T09:17:27.903Z\",\"title\":\"Amazon SQS queues should be encrypted at rest\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\",\"Posture Management\"],\"uid\":\"arn:aws:securityhub:us-east-2:123456789012:security-control/SQS.1/finding/7dabcdef-1234-8912-5678-5012345678904\"},\"metadata\":{\"product\":{\"name\":\"Security Hub\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/securityhub\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890123456789abcdefabcd0123456789cdef123456\",\"version\":\"1.6.0\"},\"remediation\":{\"desc\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"references\":[\"https://docs.aws.amazon.com/console/securityhub/SQS.1/remediation\"]},\"resources\":[{\"cloud_partition\":\"aws\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"type\":\"AWS::SQS::Queue\",\"uid\":\"https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding\",\"uid_alt\":\"arn:aws:sqs:us-east-2:123456789012:securityhubfinding\"}],\"severity\":\"Medium\",\"severity_id\":3,\"status\":\"New\",\"status_id\":1,\"time\":1758273447903,\"time_dt\":\"2025-09-19T09:17:27.903Z\",\"type_name\":\"Compliance Finding: Create\",\"type_uid\":200301,\"vendor_attributes\":{\"severity\":\"Medium\",\"severity_id\":3}}", + "outcome": "unknown", + "provider": "AWS", + "severity": 47, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "https://sqs.us-east-2.amazonaws.com/123456789012/securityhubfinding", + "type": "AWS::SQS::Queue" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether Amazon SQS queues are encrypted at rest.", + "id": "SQS.1", + "name": "Amazon SQS queues should be encrypted at rest", + "reference": [ + "https://docs.aws.amazon.com/console/securityhub/SQS.1/remediation" + ], + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\\r\\nhttps://docs.aws.amazon.com/console/securityhub/SQS.1/remediation" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-09-19T09:19:18.940Z", + "aws_securityhub": { + "finding": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "IAM.1", + "requirements": [ + "CIS AWS 
Foundations Benchmark v1.2.0/1.22" + ], + "standards": [ + "ruleset/cis-aws-foundations-benchmark/v/1.2.0", + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": "1" + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-iam-policy-no-statements-with-admin-access-babcdefe", + "type": "Rule", + "type_id": "1" + }, + "created_time": "2025-09-19T09:19:18.940Z", + "created_time_dt": "2025-09-19T09:19:18.940Z", + "desc": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.", + "first_seen_time": "2025-09-19T09:19:09.612Z", + "first_seen_time_dt": "2025-09-19T09:19:09.612Z", + "last_seen_time": "2025-09-19T09:19:09.612Z", + "last_seen_time_dt": "2025-09-19T09:19:09.612Z", + "modified_time": "2025-09-19T09:19:18.940Z", + "modified_time_dt": "2025-09-19T09:19:18.940Z", + "title": "IAM policies should not allow full \"*\" administrative privileges", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1/finding/11233211-1234-efab-abcd-701234567892" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890123456789abcdefefabcdefabcdef123451234566", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + 
"https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "global", + "type": "AWS::IAM::Policy", + "uid": "AJKSDBVKJJKVBJDSVBWKURGBFWK", + "uid_alt": "arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1412345678" + } + ], + "severity": "Informational", + "severity_id": "1", + "status": "Resolved", + "status_id": "4", + "time": "2025-09-19T09:19:18.940Z", + "time_dt": "2025-09-19T09:19:18.940Z", + "type_name": "Compliance Finding: Create", + "type_uid": "200301", + "vendor_attributes": { + "severity": "Informational", + "severity_id": "1" + } + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "aws", + "region": "global", + "service": { + "name": "AWS::IAM::Policy" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Create", + "created": "2025-09-19T09:19:18.940Z", + "id": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1/finding/11233211-1234-efab-abcd-701234567892", + "kind": "alert", + "original": "{\"activity_id\":1,\"activity_name\":\"Create\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"class_uid\":2003,\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"compliance\":{\"control\":\"IAM.1\",\"requirements\":[\"CIS AWS Foundations Benchmark v1.2.0/1.22\"],\"standards\":[\"ruleset/cis-aws-foundations-benchmark/v/1.2.0\",\"standards/aws-foundational-security-best-practices/v/1.0.0\"],\"status\":\"Pass\",\"status_id\":1},\"finding_info\":{\"analytic\":{\"category\":\"AWS::Config::ConfigRule\",\"name\":\"securityhub-iam-policy-no-statements-with-admin-access-babcdefe\",\"type\":\"Rule\",\"type_id\":1},\"created_time\":1758273558940,\"created_time_dt\":\"2025-09-19T09:19:18.940Z\",\"desc\":\"This AWS control checks whether the default version of AWS 
Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \\\"Effect\\\": \\\"Allow\\\" with \\\"Action\\\": \\\"*\\\" over \\\"Resource\\\": \\\"*\\\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.\",\"first_seen_time\":1758273549612,\"first_seen_time_dt\":\"2025-09-19T09:19:09.612Z\",\"last_seen_time\":1758273549612,\"last_seen_time_dt\":\"2025-09-19T09:19:09.612Z\",\"modified_time\":1758273558940,\"modified_time_dt\":\"2025-09-19T09:19:18.940Z\",\"title\":\"IAM policies should not allow full \\\"*\\\" administrative privileges\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\",\"Posture Management\"],\"uid\":\"arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1/finding/11233211-1234-efab-abcd-701234567892\"},\"metadata\":{\"product\":{\"name\":\"Security Hub\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/securityhub\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890123456789abcdefefabcdefabcdef123451234566\",\"version\":\"1.6.0\"},\"remediation\":{\"desc\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"references\":[\"https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation\"]},\"resources\":[{\"cloud_partition\":\"aws\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"global\",\"type\":\"AWS::IAM::Policy\",\"uid\":\"AJKSDBVKJJKVBJDSVBWKURGBFWK\",\"uid_alt\":\"arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1412345678\"}],\"severity\":\"Informational\",\"severity_id\":1,\"status\":\"Resolved\",\"status_id\":4,\"time\":1758273558940,\"time_dt\":\"2025-09-19T09:19:18.940Z\",\"type_name\":\"Compliance Finding: 
Create\",\"type_uid\":200301,\"vendor_attributes\":{\"severity\":\"Informational\",\"severity_id\":1}}", + "outcome": "success", + "provider": "AWS", + "severity": 21, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "AJKSDBVKJJKVBJDSVBWKURGBFWK", + "type": "AWS::IAM::Policy" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.", + "id": "IAM.1", + "name": "IAM policies should not allow full \"*\" administrative privileges", + "reference": [ + "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation" + ], + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\\r\\nhttps://docs.aws.amazon.com/console/securityhub/IAM.1/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v1.2.0/1.22" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-09-19T09:19:13.640Z", + "aws_securityhub": { + "finding": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "KMS.1", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": "1" + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": 
"securityhub-iam-customer-policy-blocked-kms-actions-0abcdefe", + "type": "Rule", + "type_id": "1" + }, + "created_time": "2025-09-19T09:19:13.640Z", + "created_time_dt": "2025-09-19T09:19:13.640Z", + "desc": "Checks whether the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.", + "first_seen_time": "2025-09-19T09:19:09.591Z", + "first_seen_time_dt": "2025-09-19T09:19:09.591Z", + "last_seen_time": "2025-09-19T09:19:09.591Z", + "last_seen_time_dt": "2025-09-19T09:19:09.591Z", + "modified_time": "2025-09-19T09:19:13.640Z", + "modified_time_dt": "2025-09-19T09:19:13.640Z", + "title": "IAM customer managed policies should not allow decryption actions on all KMS keys", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/KMS.1/finding/11233211-5678-efab-abcd-701234567892" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1234b01234567890123456789abcde1234defabcdefabcdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/KMS.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "global", + "type": "AWS::IAM::Policy", + "uid": "AVSHDBVJBSKVBSDVSDB", + "uid_alt": 
"arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1451083178" + } + ], + "severity": "Informational", + "severity_id": "1", + "status": "Resolved", + "status_id": "4", + "time": "2025-09-19T09:19:13.640Z", + "time_dt": "2025-09-19T09:19:13.640Z", + "type_name": "Compliance Finding: Create", + "type_uid": "200301", + "vendor_attributes": { + "severity": "Informational", + "severity_id": "1" + } + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "aws", + "region": "global", + "service": { + "name": "AWS::IAM::Policy" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Create", + "created": "2025-09-19T09:19:13.640Z", + "id": "arn:aws:securityhub:us-east-2:123456789012:security-control/KMS.1/finding/11233211-5678-efab-abcd-701234567892", + "kind": "alert", + "original": "{\"activity_id\":1,\"activity_name\":\"Create\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"class_uid\":2003,\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"compliance\":{\"control\":\"KMS.1\",\"standards\":[\"standards/aws-foundational-security-best-practices/v/1.0.0\"],\"status\":\"Pass\",\"status_id\":1},\"finding_info\":{\"analytic\":{\"category\":\"AWS::Config::ConfigRule\",\"name\":\"securityhub-iam-customer-policy-blocked-kms-actions-0abcdefe\",\"type\":\"Rule\",\"type_id\":1},\"created_time\":1758273553640,\"created_time_dt\":\"2025-09-19T09:19:13.640Z\",\"desc\":\"Checks whether the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. 
It does not check inline policies or AWS managed policies.\",\"first_seen_time\":1758273549591,\"first_seen_time_dt\":\"2025-09-19T09:19:09.591Z\",\"last_seen_time\":1758273549591,\"last_seen_time_dt\":\"2025-09-19T09:19:09.591Z\",\"modified_time\":1758273553640,\"modified_time_dt\":\"2025-09-19T09:19:13.640Z\",\"title\":\"IAM customer managed policies should not allow decryption actions on all KMS keys\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\",\"Posture Management\"],\"uid\":\"arn:aws:securityhub:us-east-2:123456789012:security-control/KMS.1/finding/11233211-5678-efab-abcd-701234567892\"},\"metadata\":{\"product\":{\"name\":\"Security Hub\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/securityhub\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1234b01234567890123456789abcde1234defabcdefabcdef123456\",\"version\":\"1.6.0\"},\"remediation\":{\"desc\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"references\":[\"https://docs.aws.amazon.com/console/securityhub/KMS.1/remediation\"]},\"resources\":[{\"cloud_partition\":\"aws\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"global\",\"type\":\"AWS::IAM::Policy\",\"uid\":\"AVSHDBVJBSKVBSDVSDB\",\"uid_alt\":\"arn:aws:iam::123456789012:policy/service-role/Amazon_EventBridge_Invoke_Sqs_1451083178\"}],\"severity\":\"Informational\",\"severity_id\":1,\"status\":\"Resolved\",\"status_id\":4,\"time\":1758273553640,\"time_dt\":\"2025-09-19T09:19:13.640Z\",\"type_name\":\"Compliance Finding: Create\",\"type_uid\":200301,\"vendor_attributes\":{\"severity\":\"Informational\",\"severity_id\":1}}", + "outcome": "success", + "provider": "AWS", + "severity": 21, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "AVSHDBVJBSKVBSDVSDB", + "type": "AWS::IAM::Policy" + }, + "result": { + 
"evaluation": "passed" + }, + "rule": { + "description": "Checks whether the default version of IAM customer managed policies allow principals to use the AWS Key Management Service (KMS) decryption actions on all resources. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.", + "id": "KMS.1", + "name": "IAM customer managed policies should not allow decryption actions on all KMS keys", + "reference": [ + "https://docs.aws.amazon.com/console/securityhub/KMS.1/remediation" + ], + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\\r\\nhttps://docs.aws.amazon.com/console/securityhub/KMS.1/remediation" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-09-26T16:27:28.631Z", + "aws_securityhub": { + "finding": { + "activity_id": "2", + "activity_name": "Update", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Vulnerability Finding", + "class_uid": "2002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10", + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "finding_info": { + "created_time": "2025-09-18T09:27:10.345Z", + "created_time_dt": "2025-09-18T09:27:10.345Z", + "desc": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "first_seen_time": "2025-05-29T17:28:07.919Z", + "first_seen_time_dt": "2025-05-29T17:28:07.919Z", + "last_seen_time": "2025-09-26T16:27:28.631Z", + "last_seen_time_dt": "2025-09-26T16:27:28.631Z", + "modified_time": "2025-09-26T16:27:28.631Z", + "modified_time_dt": "2025-09-26T16:27:28.631Z", + "title": "CVE-2023-44487 - golang.org/x/net, 
google.golang.org/grpc", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE", + "Vulnerabilities" + ], + "uid": "arn:aws:inspector2:us-east-2:123456789012:finding/71234567890abcdefabcdefabcdef12e" + }, + "metadata": { + "product": { + "name": "Inspector", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/inspector", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890abcdef789abcdefabcdefabcdefabcabcdef456", + "version": "1.6.0" + }, + "resources": [ + { + "cloud_partition": "aws", + "data": { + "awsEc2InstanceDetails": { + "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892", + "imageId": "ami-abcdefa123456789", + "ipV4Addresses": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "launchedAt": "2025-05-29T16:06:08.000Z", + "platform": "AMAZON_LINUX_2", + "subnetId": "subnet-abcdefabcd1267890", + "type": "t3.medium", + "vpcId": "vpc-abcdefabcd1abcd90" + } + }, + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892", + "aws:ec2:fleet-id": "fleet-aaaeeaac-ef12-abcd-8490-20123456789b", + "aws:ec2launchtemplate:id": "lt-098dabcdefabcdef2", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "demo_prod", + "eks:cluster-name": "demo_prod", + "eks:nodegroup-name": "demo_prod_linux", + "k8s.io/cluster-autoscaler/demo_prod": "owned", + "k8s.io/cluster-autoscaler/enabled": "true", + "kubernetes.io/cluster/demo_prod": "owned" + }, + "type": "AWS::EC2::Instance", + "uid": "i-0abcdef012345678b" + } + ], + "severity": "High", + 
"severity_id": "4", + "status": "New", + "status_id": "1", + "time": "2025-09-26T16:27:28.631Z", + "time_dt": "2025-09-26T16:27:28.631Z", + "type_name": "Vulnerability Finding: Update", + "type_uid": "200202", + "vendor_attributes": { + "severity": "High", + "severity_id": "4" + }, + "vulnerabilities": [ + { + "affected_packages": [ + { + "epoch": 0, + "fixed_in_version": "0.17.0", + "name": "golang.org/x/net", + "package_manager": "GOBINARY", + "path": "vol-abcdef0123456789ab:/p1:opt/cni/bin/aws-cni", + "version": "v0.1.0" + }, + { + "epoch": 0, + "fixed_in_version": "1.58.3", + "name": "google.golang.org/grpc", + "package_manager": "GOBINARY", + "path": "vol-abcdef0123456789ab:/p1:opt/cni/bin/aws-cni", + "version": "v1.31.0" + } + ], + "cve": { + "created_time": "2023-10-10T14:15:10.000Z", + "created_time_dt": "2023-10-10T14:15:10.000Z", + "cvss": [ + { + "base_score": 7.5, + "severity": "HIGH", + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vendor_name": "NVD", + "version": "3.1" + } + ], + "desc": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "epss": { + "score": "0.94422" + }, + "modified_time": "2025-06-11T17:29:54.000Z", + "modified_time_dt": "2025-06-11T17:29:54.000Z", + "uid": "CVE-2023-44487" + }, + "exploit_last_seen_time": "2025-09-26T03:59:17.000Z", + "exploit_last_seen_time_dt": "2025-09-26T03:59:17.000Z", + "fix_coverage": "Complete", + "fix_coverage_id": "1", + "is_exploit_available": true, + "is_fix_available": true, + "references": [ + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://www.debian.org/security/2023/dsa-5522", + 
"https://github.com/etcd-io/etcd/issues/16740", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/openresty/openresty/issues/930", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/projectcontour/contour/pull/5826", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://github.com/junkurihara/rust-rpxy/issues/97", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://github.com/nodejs/node/pull/50121", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://www.debian.org/security/2023/dsa-5570", + "https://github.com/line/armeria/pull/5232", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://my.f5.com/manage/s/article/K000137106", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://github.com/alibaba/tengine/issues/1872", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://github.com/golang/go/issues/63417", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://security.gentoo.org/glsa/202311-09", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://ubuntu.com/security/CVE-2023-44487", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://www.debian.org/security/2023/dsa-5558", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/apache/trafficserver/pull/10564", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://www.debian.org/security/2023/dsa-5540", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://www.debian.org/security/2023/dsa-5549", + "https://github.com/apache/httpd-site/pull/10", + "https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/micrictor/http2-rst-stream", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://github.com/bcdannyboy/CVE-2023-44487", + 
"https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/ninenines/cowboy/issues/1615", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" + ], + "severity": "HIGH" + } + ] + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-0abcdef012345678b" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::EC2::Instance" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Update", + "category": [ + "vulnerability" + ], + "created": "2025-09-26T16:27:28.631Z", + "id": "arn:aws:inspector2:us-east-2:123456789012:finding/71234567890abcdefabcdefabcdef12e", + "kind": "alert", + "original": "{\"activity_id\":2,\"activity_name\":\"Update\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Vulnerability Finding\",\"class_uid\":2002,\"cloud\":{\"account\":{\"type\":\"AWS Account\",\"type_id\":10,\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"finding_info\":{\"created_time\":1758187630345,\"created_time_dt\":\"2025-09-18T09:27:10.345Z\",\"desc\":\"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 
2023.\",\"first_seen_time\":1748539687919,\"first_seen_time_dt\":\"2025-05-29T17:28:07.919Z\",\"last_seen_time\":1758904048631,\"last_seen_time_dt\":\"2025-09-26T16:27:28.631Z\",\"modified_time\":1758904048631,\"modified_time_dt\":\"2025-09-26T16:27:28.631Z\",\"title\":\"CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc\",\"types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\",\"Vulnerabilities\"],\"uid\":\"arn:aws:inspector2:us-east-2:123456789012:finding/71234567890abcdefabcdefabcdef12e\"},\"metadata\":{\"product\":{\"name\":\"Inspector\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/inspector\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890abcdef789abcdefabcdefabcdefabcabcdef456\",\"version\":\"1.6.0\"},\"resources\":[{\"cloud_partition\":\"aws\",\"data\":{\"awsEc2InstanceDetails\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892\",\"imageId\":\"ami-abcdefa123456789\",\"ipV4Addresses\":[\"10.90.1.245\",\"10.90.1.45\",\"10.90.1.168\",\"10.90.1.157\",\"1.128.0.1\",\"10.90.1.103\",\"10.90.1.197\",\"10.90.1.220\",\"10.90.1.86\",\"10.90.1.29\",\"10.90.1.18\",\"10.90.1.181\",\"10.90.1.161\",\"10.90.1.229\",\"10.90.1.108\",\"10.90.1.219\",\"10.90.1.9\",\"10.90.1.106\",\"10.90.1.206\"],\"launchedAt\":\"2025-05-29T16:06:08Z\",\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-abcdefabcd1267890\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-abcdefabcd1abcd90\"}},\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"tags\":[{\"name\":\"aws:autoscaling:groupName\",\"value\":\"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892\"},{\"name\":\"aws:ec2:fleet-id\",\"value\":\"fleet-aaaeeaac-ef12-abcd-8490-20123456789b\"},{\"name\":\"k8s.io/cluster-autoscaler/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"a
ws:ec2launchtemplate:version\",\"value\":\"6\"},{\"name\":\"eks:nodegroup-name\",\"value\":\"demo_prod_linux\"},{\"name\":\"k8s.io/cluster-autoscaler/enabled\",\"value\":\"true\"},{\"name\":\"kubernetes.io/cluster/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:ec2launchtemplate:id\",\"value\":\"lt-098dabcdefabcdef2\"}],\"type\":\"AWS::EC2::Instance\",\"uid\":\"i-0abcdef012345678b\"}],\"severity\":\"High\",\"severity_id\":4,\"status\":\"New\",\"status_id\":1,\"time\":1758904048631,\"time_dt\":\"2025-09-26T16:27:28.631Z\",\"type_name\":\"Vulnerability Finding: Update\",\"type_uid\":200202,\"vendor_attributes\":{\"severity\":\"High\",\"severity_id\":4},\"vulnerabilities\":[{\"affected_packages\":[{\"epoch\":0,\"fixed_in_version\":\"0.17.0\",\"name\":\"golang.org/x/net\",\"package_manager\":\"GOBINARY\",\"path\":\"vol-abcdef0123456789ab:/p1:opt/cni/bin/aws-cni\",\"version\":\"v0.1.0\"},{\"epoch\":0,\"fixed_in_version\":\"1.58.3\",\"name\":\"google.golang.org/grpc\",\"package_manager\":\"GOBINARY\",\"path\":\"vol-abcdef0123456789ab:/p1:opt/cni/bin/aws-cni\",\"version\":\"v1.31.0\"}],\"cve\":{\"created_time\":1696947310000,\"created_time_dt\":\"2023-10-10T14:15:10.000Z\",\"cvss\":[{\"base_score\":7.5,\"severity\":\"HIGH\",\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"vendor_name\":\"NVD\",\"version\":\"3.1\"}],\"desc\":\"The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 
2023.\",\"epss\":{\"score\":\"0.94422\"},\"modified_time\":1749662994000,\"modified_time_dt\":\"2025-06-11T17:29:54.000Z\",\"uid\":\"CVE-2023-44487\"},\"exploit_last_seen_time\":1758859157000,\"exploit_last_seen_time_dt\":\"2025-09-26T03:59:17.000Z\",\"fix_coverage\":\"Complete\",\"fix_coverage_id\":1,\"is_exploit_available\":true,\"is_fix_available\":true,\"references\":[\"https://github.com/microsoft/CBL-Mariner/pull/6381\",\"https://github.com/grpc/grpc/releases/tag/v1.59.2\",\"https://github.com/eclipse/jetty.project/issues/10679\",\"https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/\",\"https://www.debian.org/security/2023/dsa-5522\",\"https://github.com/etcd-io/etcd/issues/16740\",\"https://www.debian.org/security/2023/dsa-5521\",\"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487\",\"https://github.com/haproxy/haproxy/issues/2312\",\"https://github.com/caddyserver/caddy/issues/5877\",\"https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61\",\"https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2\",\"https://github.com/advisories/GHSA-qppj-fm5r-hxr3\",\"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14\",\"https://github.com/dotnet/announcements/issues/277\",\"https://github.com/envoyproxy/envoy/pull/30055\",\"https://github.com/openresty/openresty/issues/930\",\"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/\",\"https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html\",\"https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q\",\"https://github.com/apache/apisix/issues/10320\",\"https://github.com/projectcontour/contour/pull/5826\",\"https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/\",\"https://
github.com/Kong/kong/discussions/11741\",\"https://github.com/h2o/h2o/pull/3291\",\"https://github.com/advisories/GHSA-vx74-f528-fxqg\",\"https://github.com/oqtane/oqtane.framework/discussions/3367\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/\",\"https://nvd.nist.gov/vuln/detail/CVE-2023-44487\",\"https://github.com/junkurihara/rust-rpxy/issues/97\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/\",\"https://github.com/nodejs/node/pull/50121\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/\",\"https://www.debian.org/security/2023/dsa-5570\",\"https://github.com/line/armeria/pull/5232\",\"https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487\",\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ\",\"https://github.com/nghttp2/nghttp2/pull/1961\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/\",\"https://my.f5.com/manage/s/article/K000137106\",\"https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113\",\"https://github.com/varnishcache/varnish-cache/issues/3996\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/\",\"https://github.com/alibaba/tengine/issues/1872\",\"https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html\",\"https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73\",\"https://lists.fedoraproject.org/archives/list/packa
ge-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/\",\"https://bugzilla.redhat.com/show_bug.cgi?id=2242803\",\"https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/\",\"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo\",\"https://github.com/golang/go/issues/63417\",\"https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html\",\"https://aws.amazon.com/security/security-bulletins/AWS-2023-011/\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/\",\"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack\",\"https://netty.io/news/2023/10/10/4-1-100-Final.html\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/\",\"https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1\",\"https://security.gentoo.org/glsa/202311-09\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/\",\"https://ubuntu.com/security/CVE-2023-44487\",\"https://github.com/facebook/proxygen/pull/466\",\"https://github.com/kubernetes/kubernetes/pull/121120\",\"https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html\",\"https://bugzilla.suse.com/show_bug.cgi?id=1216123\",\"https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0\",\"https://www.debian.org/security/2023/dsa-5558\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/\",\"https://github.com/tempesta-tech/tempesta/issues/1986\",\"https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf\",\"
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/\",\"https://github.com/grpc/grpc-go/pull/6703\",\"https://github.com/apache/trafficserver/pull/10564\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/\",\"https://www.debian.org/security/2023/dsa-5540\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/\",\"https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9\",\"https://github.com/advisories/GHSA-xpw8-rcwv-8f8p\",\"https://access.redhat.com/security/cve/cve-2023-44487\",\"https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html\",\"https://www.debian.org/security/2023/dsa-5549\",\"https://github.com/apache/httpd-site/pull/10\",\"https://github.com/opensearch-project/data-prepper/issues/3474\",\"https://github.com/akka/akka-http/issues/4323\",\"https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632\",\"https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html\",\"https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html\",\"https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/\",\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487\",\"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764\",\"https://github.com/caddyserver/caddy/releases/tag/v2.7.5\",\"https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps
/\",\"https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244\",\"https://github.com/micrictor/http2-rst-stream\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/\",\"https://github.com/bcdannyboy/CVE-2023-44487\",\"https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html\",\"https://github.com/kazu-yamamoto/http2/issues/93\",\"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/\",\"https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/\",\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/\",\"https://github.com/Azure/AKS/issues/3947\",\"https://github.com/ninenines/cowboy/issues/1615\",\"https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html\"],\"severity\":\"HIGH\"}]}", + "outcome": "unknown", + "provider": "AWS", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "i-0abcdef012345678b", + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ], + "type": "t3.medium" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "name": "demo_prod" + } + }, + "organization": { + "name": "AWS" + }, + "package": { + "fixed_version": [ + "0.17.0", + "1.58.3" + ], + "name": [ + "golang.org/x/net", + "google.golang.org/grpc" + ], + "version": [ + "v0.1.0", + "v1.31.0" + ] + 
}, + "related": { + "ip": [ + "10.90.1.245", + "10.90.1.45", + "10.90.1.168", + "10.90.1.157", + "1.128.0.1", + "10.90.1.103", + "10.90.1.197", + "10.90.1.220", + "10.90.1.86", + "10.90.1.29", + "10.90.1.18", + "10.90.1.181", + "10.90.1.161", + "10.90.1.229", + "10.90.1.108", + "10.90.1.219", + "10.90.1.9", + "10.90.1.106", + "10.90.1.206" + ] + }, + "resource": { + "id": "i-0abcdef012345678b", + "type": "AWS::EC2::Instance" + }, + "rule": { + "description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "name": "CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "cve": "CVE-2023-44487", + "description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "enumeration": "CVE", + "id": "CVE-2023-44487", + "published_date": "2023-10-10T14:15:10.000Z", + "reference": [ + "https://github.com/microsoft/CBL-Mariner/pull/6381", + "https://github.com/grpc/grpc/releases/tag/v1.59.2", + "https://github.com/eclipse/jetty.project/issues/10679", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://www.debian.org/security/2023/dsa-5522", + "https://github.com/etcd-io/etcd/issues/16740", + "https://www.debian.org/security/2023/dsa-5521", + "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", + "https://github.com/haproxy/haproxy/issues/2312", + "https://github.com/caddyserver/caddy/issues/5877", + "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", + "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", + 
"https://github.com/advisories/GHSA-qppj-fm5r-hxr3", + "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", + "https://github.com/dotnet/announcements/issues/277", + "https://github.com/envoyproxy/envoy/pull/30055", + "https://github.com/openresty/openresty/issues/930", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", + "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", + "https://github.com/apache/apisix/issues/10320", + "https://github.com/projectcontour/contour/pull/5826", + "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", + "https://github.com/Kong/kong/discussions/11741", + "https://github.com/h2o/h2o/pull/3291", + "https://github.com/advisories/GHSA-vx74-f528-fxqg", + "https://github.com/oqtane/oqtane.framework/discussions/3367", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", + "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "https://github.com/junkurihara/rust-rpxy/issues/97", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", + "https://github.com/nodejs/node/pull/50121", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", + "https://www.debian.org/security/2023/dsa-5570", + "https://github.com/line/armeria/pull/5232", + "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", + 
"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ", + "https://github.com/nghttp2/nghttp2/pull/1961", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", + "https://my.f5.com/manage/s/article/K000137106", + "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", + "https://github.com/varnishcache/varnish-cache/issues/3996", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", + "https://github.com/alibaba/tengine/issues/1872", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", + "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", + "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", + "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://github.com/golang/go/issues/63417", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", + "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", + "https://netty.io/news/2023/10/10/4-1-100-Final.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", + 
"https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", + "https://security.gentoo.org/glsa/202311-09", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", + "https://ubuntu.com/security/CVE-2023-44487", + "https://github.com/facebook/proxygen/pull/466", + "https://github.com/kubernetes/kubernetes/pull/121120", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", + "https://bugzilla.suse.com/show_bug.cgi?id=1216123", + "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", + "https://www.debian.org/security/2023/dsa-5558", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", + "https://github.com/tempesta-tech/tempesta/issues/1986", + "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", + "https://github.com/grpc/grpc-go/pull/6703", + "https://github.com/apache/trafficserver/pull/10564", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", + "https://www.debian.org/security/2023/dsa-5540", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", + "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", + "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", + "https://access.redhat.com/security/cve/cve-2023-44487", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", + "https://www.debian.org/security/2023/dsa-5549", + "https://github.com/apache/httpd-site/pull/10", + 
"https://github.com/opensearch-project/data-prepper/issues/3474", + "https://github.com/akka/akka-http/issues/4323", + "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", + "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", + "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", + "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", + "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", + "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", + "https://github.com/micrictor/http2-rst-stream", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", + "https://github.com/bcdannyboy/CVE-2023-44487", + "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", + "https://github.com/kazu-yamamoto/http2/issues/93", + "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", + "https://github.com/Azure/AKS/issues/3947", + "https://github.com/ninenines/cowboy/issues/1615", + "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" + ], + "scanner": { + "vendor": "Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc" + } + }, + { + "@timestamp": "2025-09-26T16:24:03.057Z", + "aws_securityhub": { + "finding": { + "activity_id": "2", + "activity_name": "Update", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Vulnerability Finding", + "class_uid": "2002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10", + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "finding_info": { + "created_time": "2025-09-11T02:27:31.926Z", + "created_time_dt": "2025-09-11T02:27:31.926Z", + "desc": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. 
\n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789", + "first_seen_time": "2025-08-20T12:26:28.521Z", + "first_seen_time_dt": "2025-08-20T12:26:28.521Z", + "last_seen_time": "2025-09-26T16:24:03.057Z", + "last_seen_time_dt": "2025-09-26T16:24:03.057Z", + "modified_time": "2025-09-26T16:24:03.057Z", + "modified_time_dt": "2025-09-26T16:24:03.057Z", + "title": "CVE-2025-8194 - python, python-devel and 3 more", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE", + "Vulnerabilities" + ], + "uid": "arn:aws:inspector2:us-east-2:123456789012:finding/9abcdefabcdef0123456789abcdef121" + }, + "metadata": { + "product": { + "name": "Inspector", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/inspector", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890123456789abcdefabc0123456789bcdef123456", + "version": "1.6.0" + }, + "resources": [ + { + "cloud_partition": "aws", + "data": { + "awsEc2InstanceDetails": { + "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892", + "imageId": "ami-abcdefa123456789", + "ipV4Addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launchedAt": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnetId": "subnet-abcdef12345678901", + "type": "t3.medium", + "vpcId": "vpc-abcdefabcd1abcd90" + } + }, + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892", + 
"aws:ec2:fleet-id": "fleet-babcdefc-5678-abcd-1234-20123456789b", + "aws:ec2launchtemplate:id": "lt-abcdefabcdef123456", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "demo_prod", + "eks:cluster-name": "demo_prod", + "eks:nodegroup-name": "demo_prod_linux", + "k8s.io/cluster-autoscaler/demo_prod": "owned", + "k8s.io/cluster-autoscaler/enabled": "true", + "kubernetes.io/cluster/demo_prod": "owned" + }, + "type": "AWS::EC2::Instance", + "uid": "i-abcd1235cdef1234" + } + ], + "severity": "High", + "severity_id": "4", + "status": "New", + "status_id": "1", + "time": "2025-09-26T16:24:03.057Z", + "time_dt": "2025-09-26T16:24:03.057Z", + "type_name": "Vulnerability Finding: Update", + "type_uid": "200202", + "vendor_attributes": { + "severity": "High", + "severity_id": "4" + }, + "vulnerabilities": [ + { + "affected_packages": [ + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.7.18-1.amzn2.0.14", + "name": "python", + "package_manager": "OS", + "release": "1.amzn2.0.12", + "remediation": { + "desc": "yum update python" + }, + "version": "2.7.18" + }, + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.7.18-1.amzn2.0.14", + "name": "python-devel", + "package_manager": "OS", + "release": "1.amzn2.0.12", + "remediation": { + "desc": "yum update python-devel" + }, + "version": "2.7.18" + }, + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:2.7.18-1.amzn2.0.14", + "name": "python-libs", + "package_manager": "OS", + "release": "1.amzn2.0.12", + "remediation": { + "desc": "yum update python-libs" + }, + "version": "2.7.18" + }, + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:3.7.16-1.amzn2.0.19", + "name": "python3", + "package_manager": "OS", + "release": "1.amzn2.0.17", + "remediation": { + "desc": "yum update python3" + }, + "version": "3.7.16" + }, + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:3.7.16-1.amzn2.0.19", + "name": "python3-libs", + 
"package_manager": "OS", + "release": "1.amzn2.0.17", + "remediation": { + "desc": "yum update python3-libs" + }, + "version": "3.7.16" + } + ], + "cve": { + "created_time": "2025-07-28T00:00:00.000Z", + "created_time_dt": "2025-07-28T00:00:00.000Z", + "cvss": [ + { + "base_score": 7.5, + "severity": "HIGH", + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vendor_name": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 7.5, + "severity": "HIGH", + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vendor_name": "NVD", + "version": "3.1" + } + ], + "desc": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789", + "epss": { + "score": "0.00198" + }, + "modified_time": "2025-07-30T00:00:00.000Z", + "modified_time_dt": "2025-07-30T00:00:00.000Z", + "uid": "CVE-2025-8194" + }, + "fix_coverage": "Complete", + "fix_coverage_id": "1", + "is_exploit_available": false, + "is_fix_available": true, + "references": [ + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1135.html", + "https://alas.aws.amazon.com/AL2/ALAS2-2025-2961.html", + "https://explore.alas.aws.amazon.com/CVE-2025-8194.html", + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1147.html", + "https://alas.aws.amazon.com/AL2/ALAS2-2025-2962.html", + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1136.html", + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1146.html", + "https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2025-8194.json" + ], + "related_vulnerabilities": [ + "ALAS2-2025-2962", + "ALAS2-2025-2961", + "ALAS2023-2025-1147", + 
"ALAS2023-2025-1136", + "ALAS2023-2025-1135", + "ALAS2023-2025-1146" + ], + "severity": "Important" + } + ] + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-abcd1235cdef1234" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::EC2::Instance" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Update", + "category": [ + "vulnerability" + ], + "created": "2025-09-26T16:24:03.057Z", + "id": "arn:aws:inspector2:us-east-2:123456789012:finding/9abcdefabcdef0123456789abcdef121", + "kind": "alert", + "original": "{\"activity_id\":2,\"activity_name\":\"Update\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Vulnerability Finding\",\"class_uid\":2002,\"cloud\":{\"account\":{\"type\":\"AWS Account\",\"type_id\":10,\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"finding_info\":{\"created_time\":1757557651926,\"created_time_dt\":\"2025-09-11T02:27:31.926Z\",\"desc\":\"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. 
\\n\\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789\",\"first_seen_time\":1755692788521,\"first_seen_time_dt\":\"2025-08-20T12:26:28.521Z\",\"last_seen_time\":1758903843057,\"last_seen_time_dt\":\"2025-09-26T16:24:03.057Z\",\"modified_time\":1758903843057,\"modified_time_dt\":\"2025-09-26T16:24:03.057Z\",\"title\":\"CVE-2025-8194 - python, python-devel and 3 more\",\"types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\",\"Vulnerabilities\"],\"uid\":\"arn:aws:inspector2:us-east-2:123456789012:finding/9abcdefabcdef0123456789abcdef121\"},\"metadata\":{\"product\":{\"name\":\"Inspector\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/inspector\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890123456789abcdefabc0123456789bcdef123456\",\"version\":\"1.6.0\"},\"resources\":[{\"cloud_partition\":\"aws\",\"data\":{\"awsEc2InstanceDetails\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892\",\"imageId\":\"ami-abcdefa123456789\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"175.16.199.1\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"launchedAt\":\"2025-05-29T16:04:40Z\",\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-abcdef12345678901\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-abcdefabcd1abcd90\"}},\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"tags\":[{\"name\":\"aws:autoscaling:groupName\",\"value\":\"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892\"},{\"name\":\"aws:ec2:fleet-id\",\"value\":\"fleet-babcdefc-5678-abcd-1234-20123456789b\"},{\"name\":\"k8s.io/cluster-aut
oscaler/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"aws:ec2launchtemplate:version\",\"value\":\"6\"},{\"name\":\"eks:nodegroup-name\",\"value\":\"demo_prod_linux\"},{\"name\":\"k8s.io/cluster-autoscaler/enabled\",\"value\":\"true\"},{\"name\":\"kubernetes.io/cluster/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:ec2launchtemplate:id\",\"value\":\"lt-abcdefabcdef123456\"}],\"type\":\"AWS::EC2::Instance\",\"uid\":\"i-abcd1235cdef1234\"}],\"severity\":\"High\",\"severity_id\":4,\"status\":\"New\",\"status_id\":1,\"time\":1758903843057,\"time_dt\":\"2025-09-26T16:24:03.057Z\",\"type_name\":\"Vulnerability Finding: Update\",\"type_uid\":200202,\"vendor_attributes\":{\"severity\":\"High\",\"severity_id\":4},\"vulnerabilities\":[{\"affected_packages\":[{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:2.7.18-1.amzn2.0.14\",\"name\":\"python\",\"package_manager\":\"OS\",\"release\":\"1.amzn2.0.12\",\"remediation\":{\"desc\":\"yum update python\"},\"version\":\"2.7.18\"},{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:2.7.18-1.amzn2.0.14\",\"name\":\"python-devel\",\"package_manager\":\"OS\",\"release\":\"1.amzn2.0.12\",\"remediation\":{\"desc\":\"yum update python-devel\"},\"version\":\"2.7.18\"},{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:2.7.18-1.amzn2.0.14\",\"name\":\"python-libs\",\"package_manager\":\"OS\",\"release\":\"1.amzn2.0.12\",\"remediation\":{\"desc\":\"yum update python-libs\"},\"version\":\"2.7.18\"},{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:3.7.16-1.amzn2.0.19\",\"name\":\"python3\",\"package_manager\":\"OS\",\"release\":\"1.amzn2.0.17\",\"remediation\":{\"desc\":\"yum update 
python3\"},\"version\":\"3.7.16\"},{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:3.7.16-1.amzn2.0.19\",\"name\":\"python3-libs\",\"package_manager\":\"OS\",\"release\":\"1.amzn2.0.17\",\"remediation\":{\"desc\":\"yum update python3-libs\"},\"version\":\"3.7.16\"}],\"cve\":{\"created_time\":1753660800000,\"created_time_dt\":\"2025-07-28T00:00:00.000Z\",\"cvss\":[{\"base_score\":7.5,\"severity\":\"HIGH\",\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"vendor_name\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"base_score\":7.5,\"severity\":\"HIGH\",\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"vendor_name\":\"NVD\",\"version\":\"3.1\"}],\"desc\":\"There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. 
\\n\\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789\",\"epss\":{\"score\":\"0.00198\"},\"modified_time\":1753833600000,\"modified_time_dt\":\"2025-07-30T00:00:00.000Z\",\"uid\":\"CVE-2025-8194\"},\"fix_coverage\":\"Complete\",\"fix_coverage_id\":1,\"is_exploit_available\":false,\"is_fix_available\":true,\"references\":[\"https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1135.html\",\"https://alas.aws.amazon.com/AL2/ALAS2-2025-2961.html\",\"https://explore.alas.aws.amazon.com/CVE-2025-8194.html\",\"https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1147.html\",\"https://alas.aws.amazon.com/AL2/ALAS2-2025-2962.html\",\"https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1136.html\",\"https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1146.html\",\"https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2025-8194.json\"],\"related_vulnerabilities\":[\"ALAS2-2025-2962\",\"ALAS2-2025-2961\",\"ALAS2023-2025-1147\",\"ALAS2023-2025-1136\",\"ALAS2023-2025-1135\",\"ALAS2023-2025-1146\"],\"severity\":\"Important\"}]}", + "outcome": "unknown", + "provider": "AWS", + "severity": 73, + "type": [ + "info" + ] + }, + "host": { + "id": "i-abcd1235cdef1234", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "type": "t3.medium" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "name": "demo_prod" + } + }, + "organization": { + "name": "AWS" + }, + "package": { + "fixed_version": [ + "0:2.7.18-1.amzn2.0.14", + "0:2.7.18-1.amzn2.0.14", + "0:2.7.18-1.amzn2.0.14", + "0:3.7.16-1.amzn2.0.19", + "0:3.7.16-1.amzn2.0.19" + ], + "name": [ + "python", + 
"python-devel", + "python-libs", + "python3", + "python3-libs" + ], + "version": [ + "2.7.18", + "2.7.18", + "2.7.18", + "3.7.16", + "3.7.16" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-abcd1235cdef1234", + "type": "AWS::EC2::Instance" + }, + "rule": { + "description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789", + "name": "CVE-2025-8194 - python, python-devel and 3 more" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "cve": "CVE-2025-8194", + "description": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. 
\n\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/abcdef0123456789abcdef0123456789", + "enumeration": "CVE", + "id": "CVE-2025-8194", + "published_date": "2025-07-28T00:00:00.000Z", + "reference": [ + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1135.html", + "https://alas.aws.amazon.com/AL2/ALAS2-2025-2961.html", + "https://explore.alas.aws.amazon.com/CVE-2025-8194.html", + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1147.html", + "https://alas.aws.amazon.com/AL2/ALAS2-2025-2962.html", + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1136.html", + "https://alas.aws.amazon.com/AL2023/ALAS2023-2025-1146.html", + "https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2025-8194.json" + ], + "scanner": { + "vendor": "Inspector" + }, + "score": { + "base": 7.5, + "version": "3.1" + }, + "severity": "High", + "title": "CVE-2025-8194 - python, python-devel and 3 more" + } + }, + { + "@timestamp": "2025-09-26T16:24:03.057Z", + "aws_securityhub": { + "finding": { + "activity_id": "2", + "activity_name": "Update", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Vulnerability Finding", + "class_uid": "2002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10", + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "finding_info": { + "created_time": "2025-09-17T08:24:25.573Z", + "created_time_dt": "2025-09-17T08:24:25.573Z", + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked", + "first_seen_time": "2025-09-17T08:24:25.573Z", + "first_seen_time_dt": "2025-09-17T08:24:25.573Z", + "last_seen_time": "2025-09-26T16:24:03.057Z", + "last_seen_time_dt": "2025-09-26T16:24:03.057Z", + "modified_time": "2025-09-26T16:24:03.057Z", + "modified_time_dt": "2025-09-26T16:24:03.057Z", + "title": "CVE-2021-47412 - kernel, 
kernel-devel and 1 more", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE", + "Vulnerabilities" + ], + "uid": "arn:aws:inspector2:us-east-2:123456789012:finding/4abcdefabcdef1234567891234567897" + }, + "metadata": { + "product": { + "name": "Inspector", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/inspector", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890abcdef129abcdefabcdefabcdefabcdef123456", + "version": "1.6.0" + }, + "resources": [ + { + "cloud_partition": "aws", + "data": { + "awsEc2InstanceDetails": { + "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892", + "imageId": "ami-abcdefa123456789", + "ipV4Addresses": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "launchedAt": "2025-05-29T16:04:40.000Z", + "platform": "AMAZON_LINUX_2", + "subnetId": "subnet-abcdef12345678901", + "type": "t3.medium", + "vpcId": "vpc-abcdefabcd1abcd90" + } + }, + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892", + "aws:ec2:fleet-id": "fleet-babcdefc-5678-abcd-1234-20123456789b", + "aws:ec2launchtemplate:id": "lt-abcdefabcdef123456", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "demo_prod", + "eks:cluster-name": "demo_prod", + "eks:nodegroup-name": "demo_prod_linux", + "k8s.io/cluster-autoscaler/demo_prod": "owned", + "k8s.io/cluster-autoscaler/enabled": "true", + "kubernetes.io/cluster/demo_prod": "owned" + }, + "type": "AWS::EC2::Instance", + "uid": "i-abcd1235cdef1234" + } + ], + "severity": "Medium", + 
"severity_id": "3", + "status": "New", + "status_id": "1", + "time": "2025-09-26T16:24:03.057Z", + "time_dt": "2025-09-26T16:24:03.057Z", + "type_name": "Vulnerability Finding: Update", + "type_uid": "200202", + "vendor_attributes": { + "severity": "Medium", + "severity_id": "3" + }, + "vulnerabilities": [ + { + "affected_packages": [ + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.242-239.961.amzn2", + "name": "kernel", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": { + "desc": "yum update kernel" + }, + "version": "5.10.236" + }, + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.242-239.961.amzn2", + "name": "kernel-devel", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": { + "desc": "yum update kernel-devel" + }, + "version": "5.10.236" + }, + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:5.10.242-239.961.amzn2", + "name": "kernel-headers", + "package_manager": "OS", + "release": "228.935.amzn2", + "remediation": { + "desc": "yum update kernel-headers" + }, + "version": "5.10.236" + } + ], + "cve": { + "created_time": "2024-05-21T00:00:00.000Z", + "created_time_dt": "2024-05-21T00:00:00.000Z", + "cvss": [ + { + "base_score": 4.7, + "severity": "MEDIUM", + "vector_string": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vendor_name": "AMAZON_CVE", + "version": "3.1" + }, + { + "base_score": 5.5, + "severity": "MEDIUM", + "vector_string": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vendor_name": "NVD", + "version": "3.1" + } + ], + "desc": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked", + "epss": { + "score": "0.00034" + }, + "modified_time": "2024-11-28T00:00:00.000Z", + "modified_time_dt": "2024-11-28T00:00:00.000Z", + "uid": "CVE-2021-47412" + }, + "fix_coverage": "Complete", + "fix_coverage_id": "1", + "is_exploit_available": false, + 
"is_fix_available": true, + "references": [ + "https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2021-47412.json", + "https://explore.alas.aws.amazon.com/CVE-2021-47412.html", + "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-104.html" + ], + "related_vulnerabilities": [ + "ALAS2KERNEL-5.10-2025-104" + ], + "severity": "Medium" + } + ] + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-abcd1235cdef1234" + }, + "machine": { + "type": "t3.medium" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::EC2::Instance" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Update", + "category": [ + "vulnerability" + ], + "created": "2025-09-26T16:24:03.057Z", + "id": "arn:aws:inspector2:us-east-2:123456789012:finding/4abcdefabcdef1234567891234567897", + "kind": "alert", + "original": "{\"activity_id\":2,\"activity_name\":\"Update\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Vulnerability Finding\",\"class_uid\":2002,\"cloud\":{\"account\":{\"type\":\"AWS Account\",\"type_id\":10,\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"finding_info\":{\"created_time\":1758097465573,\"created_time_dt\":\"2025-09-17T08:24:25.573Z\",\"desc\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked\",\"first_seen_time\":1758097465573,\"first_seen_time_dt\":\"2025-09-17T08:24:25.573Z\",\"last_seen_time\":1758903843057,\"last_seen_time_dt\":\"2025-09-26T16:24:03.057Z\",\"modified_time\":1758903843057,\"modified_time_dt\":\"2025-09-26T16:24:03.057Z\",\"title\":\"CVE-2021-47412 - kernel, kernel-devel and 1 more\",\"types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\",\"Vulnerabilities\"],\"uid\":\"arn:aws:inspector2:us-east-2:123456789012:finding/4abcdefabcdef1234567891234567897\"},\"metadata\":{\"product\":{\"name\":\"Inspector\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/inspector\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890abcdef129abcdefabcdefabcdefabcdef123456\",\"version\":\"1.6.0\"},\"resources\":[{\"cloud_partition\":\"aws\",\"data\":{\"awsEc2InstanceDetails\":{\"iamInstanceProfileArn\":\"arn:aws:iam::123456789012:instance-profile/eks-1123abc1-5678-efab-abcd-701abcdef892\",\"imageId\":\"ami-abcdefa123456789\",\"ipV4Addresses\":[\"10.90.0.87\",\"10.90.0.60\",\"10.90.0.30\",\"10.90.0.74\",\"10.90.0.206\",\"10.90.0.207\",\"10.90.0.37\",\"10.90.0.149\",\"10.90.0.235\",\"175.16.199.1\",\"10.90.0.225\",\"10.90.0.212\",\"10.90.0.199\",\"10.90.0.240\",\"10.90.0.164\",\"10.90.0.160\",\"10.90.0.182\",\"10.90.0.70\",\"10.90.0.180\"],\"launchedAt\":\"2025-05-29T16:04:40Z\",\"platform\":\"AMAZON_LINUX_2\",\"subnetId\":\"subnet-abcdef12345678901\",\"type\":\"t3.medium\",\"vpcId\":\"vpc-abcdefabcd1abcd90\"}},\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"tags\":[{\"name\":\"aws:autoscaling:groupName\",\"value\":\"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892\"},{\"name\":\"aws:ec2:fleet-id\",\"value\":\"fleet-babcdefc-5678-abcd-1234-20123456789b\"},{\"name\":\"k8s.io/cluster-autoscaler/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"aws:ec2launchtemplate:version\",\"value\":\"6\"},{\"name\":\"eks:nodegroup-name\",\"value\":\"demo_prod_linux\"},{\"name\":\"k8s.io/cluster-autoscaler/enabled\",\"value\":\"true\"},{\"name\":\"kubernetes.io/cluster/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:ec2launchtemplate:id\",\"value\":\"lt-abcdefabcdef123456\"}],\"type\":\"AWS::EC2::Instance\",\"uid\":\"i-a
bcd1235cdef1234\"}],\"severity\":\"Medium\",\"severity_id\":3,\"status\":\"New\",\"status_id\":1,\"time\":1758903843057,\"time_dt\":\"2025-09-26T16:24:03.057Z\",\"type_name\":\"Vulnerability Finding: Update\",\"type_uid\":200202,\"vendor_attributes\":{\"severity\":\"Medium\",\"severity_id\":3},\"vulnerabilities\":[{\"affected_packages\":[{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:5.10.242-239.961.amzn2\",\"name\":\"kernel\",\"package_manager\":\"OS\",\"release\":\"228.935.amzn2\",\"remediation\":{\"desc\":\"yum update kernel\"},\"version\":\"5.10.236\"},{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:5.10.242-239.961.amzn2\",\"name\":\"kernel-devel\",\"package_manager\":\"OS\",\"release\":\"228.935.amzn2\",\"remediation\":{\"desc\":\"yum update kernel-devel\"},\"version\":\"5.10.236\"},{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:5.10.242-239.961.amzn2\",\"name\":\"kernel-headers\",\"package_manager\":\"OS\",\"release\":\"228.935.amzn2\",\"remediation\":{\"desc\":\"yum update kernel-headers\"},\"version\":\"5.10.236\"}],\"cve\":{\"created_time\":1716249600000,\"created_time_dt\":\"2024-05-21T00:00:00.000Z\",\"cvss\":[{\"base_score\":4.7,\"severity\":\"MEDIUM\",\"vector_string\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"vendor_name\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"base_score\":5.5,\"severity\":\"MEDIUM\",\"vector_string\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"vendor_name\":\"NVD\",\"version\":\"3.1\"}],\"desc\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: don't call rq_qos_ops->done_bio if the bio isn't 
tracked\",\"epss\":{\"score\":\"0.00034\"},\"modified_time\":1732752000000,\"modified_time_dt\":\"2024-11-28T00:00:00.000Z\",\"uid\":\"CVE-2021-47412\"},\"fix_coverage\":\"Complete\",\"fix_coverage_id\":1,\"is_exploit_available\":false,\"is_fix_available\":true,\"references\":[\"https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2021-47412.json\",\"https://explore.alas.aws.amazon.com/CVE-2021-47412.html\",\"https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-104.html\"],\"related_vulnerabilities\":[\"ALAS2KERNEL-5.10-2025-104\"],\"severity\":\"Medium\"}]}", + "outcome": "unknown", + "provider": "AWS", + "severity": 47, + "type": [ + "info" + ] + }, + "host": { + "id": "i-abcd1235cdef1234", + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ], + "type": "t3.medium" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "name": "demo_prod" + } + }, + "organization": { + "name": "AWS" + }, + "package": { + "fixed_version": [ + "0:5.10.242-239.961.amzn2", + "0:5.10.242-239.961.amzn2", + "0:5.10.242-239.961.amzn2" + ], + "name": [ + "kernel", + "kernel-devel", + "kernel-headers" + ], + "version": [ + "5.10.236", + "5.10.236", + "5.10.236" + ] + }, + "related": { + "ip": [ + "10.90.0.87", + "10.90.0.60", + "10.90.0.30", + "10.90.0.74", + "10.90.0.206", + "10.90.0.207", + "10.90.0.37", + "10.90.0.149", + "10.90.0.235", + "175.16.199.1", + "10.90.0.225", + "10.90.0.212", + "10.90.0.199", + "10.90.0.240", + "10.90.0.164", + "10.90.0.160", + "10.90.0.182", + "10.90.0.70", + "10.90.0.180" + ] + }, + "resource": { + "id": "i-abcd1235cdef1234", + "type": "AWS::EC2::Instance" + }, + "rule": { + "description": "In the Linux kernel, the following vulnerability has 
been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked", + "name": "CVE-2021-47412 - kernel, kernel-devel and 1 more" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "cve": "CVE-2021-47412", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: don't call rq_qos_ops->done_bio if the bio isn't tracked", + "enumeration": "CVE", + "id": "CVE-2021-47412", + "published_date": "2024-05-21T00:00:00.000Z", + "reference": [ + "https://explore.alas.aws.amazon.com/cve/json/v1/CVE-2021-47412.json", + "https://explore.alas.aws.amazon.com/CVE-2021-47412.html", + "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-104.html" + ], + "scanner": { + "vendor": "Inspector" + }, + "score": { + "base": 4.7, + "version": "3.1" + }, + "severity": "Medium", + "title": "CVE-2021-47412 - kernel, kernel-devel and 1 more" + } + }, + { + "@timestamp": "2025-09-26T08:27:00.981Z", + "aws_securityhub": { + "finding": { + "activity_id": "2", + "activity_name": "Update", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "SSM.1", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Fail", + "status_id": "3" + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-ec2-instance-managed-by-ssm-ab123467", + "type": "Rule", + "type_id": "1" + }, + "created_time": "2025-05-29T18:05:48.106Z", + "created_time_dt": "2025-05-29T18:05:48.106Z", + "desc": "This AWS control checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.", + "first_seen_time": "2025-05-29T18:05:44.226Z", + "first_seen_time_dt": "2025-05-29T18:05:44.226Z", + "last_seen_time": 
"2025-06-19T22:26:55.643Z", + "last_seen_time_dt": "2025-06-19T22:26:55.643Z", + "modified_time": "2025-09-26T08:27:00.981Z", + "modified_time_dt": "2025-09-26T08:27:00.981Z", + "title": "EC2 instances should be managed by AWS Systems Manager", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/SSM.1/finding/cabc123e-1235-ef12-abcd-6123456abcd1" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01234567890123456789abc123456def5bcdefabcdef123456", + "version": "1.6.0" + }, + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/SSM.1/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "tags": { + "aws:autoscaling:groupName": "eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892", + "aws:ec2:fleet-id": "fleet-babcdefc-5678-abcd-1234-20123456789b", + "aws:ec2launchtemplate:id": "lt-abcdefabcdef123456", + "aws:ec2launchtemplate:version": "6", + "aws:eks:cluster-name": "demo_prod", + "eks:cluster-name": "demo_prod", + "eks:nodegroup-name": "demo_prod_linux", + "k8s.io/cluster-autoscaler/demo_prod": "owned", + "k8s.io/cluster-autoscaler/enabled": "true", + "kubernetes.io/cluster/demo_prod": "owned" + }, + "type": "AWS::EC2::Instance", + "uid": "i-abcd1235cdef1234", + "uid_alt": "arn:aws:ec2:us-east-2:123456789012:instance/i-abcd1235cdef1234" + } + ], + "severity": "Medium", + "severity_id": "3", + "status": "New", + "status_id": "1", + "time": "2025-09-26T08:27:00.981Z", + "time_dt": "2025-09-26T08:27:00.981Z", + 
"type_name": "Compliance Finding: Update", + "type_uid": "200302", + "vendor_attributes": { + "severity": "Medium", + "severity_id": "3" + } + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "instance": { + "id": "i-abcd1235cdef1234" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::EC2::Instance" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Update", + "created": "2025-09-26T08:27:00.981Z", + "id": "arn:aws:securityhub:us-east-2:123456789012:security-control/SSM.1/finding/cabc123e-1235-ef12-abcd-6123456abcd1", + "kind": "alert", + "original": "{\"activity_id\":2,\"activity_name\":\"Update\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"class_uid\":2003,\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"compliance\":{\"control\":\"SSM.1\",\"standards\":[\"standards/aws-foundational-security-best-practices/v/1.0.0\"],\"status\":\"Fail\",\"status_id\":3},\"finding_info\":{\"analytic\":{\"category\":\"AWS::Config::ConfigRule\",\"name\":\"securityhub-ec2-instance-managed-by-ssm-ab123467\",\"type\":\"Rule\",\"type_id\":1},\"created_time\":1748541948106,\"created_time_dt\":\"2025-05-29T18:05:48.106Z\",\"desc\":\"This AWS control checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.\",\"first_seen_time\":1748541944226,\"first_seen_time_dt\":\"2025-05-29T18:05:44.226Z\",\"last_seen_time\":1750372015643,\"last_seen_time_dt\":\"2025-06-19T22:26:55.643Z\",\"modified_time\":1758875220981,\"modified_time_dt\":\"2025-09-26T08:27:00.981Z\",\"title\":\"EC2 instances should be managed by AWS Systems Manager\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\",\"Posture 
Management\"],\"uid\":\"arn:aws:securityhub:us-east-2:123456789012:security-control/SSM.1/finding/cabc123e-1235-ef12-abcd-6123456abcd1\"},\"metadata\":{\"product\":{\"name\":\"Security Hub\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/securityhub\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01234567890123456789abc123456def5bcdefabcdef123456\",\"version\":\"1.6.0\"},\"remediation\":{\"desc\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"references\":[\"https://docs.aws.amazon.com/console/securityhub/SSM.1/remediation\"]},\"resources\":[{\"cloud_partition\":\"aws\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"tags\":[{\"name\":\"aws:autoscaling:groupName\",\"value\":\"eks-demo_prod_linux-1123abc1-5678-efab-abcd-701abcdef892\"},{\"name\":\"aws:ec2:fleet-id\",\"value\":\"fleet-babcdefc-5678-abcd-1234-20123456789b\"},{\"name\":\"k8s.io/cluster-autoscaler/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"eks:cluster-name\",\"value\":\"demo_prod\"},{\"name\":\"aws:ec2launchtemplate:version\",\"value\":\"6\"},{\"name\":\"eks:nodegroup-name\",\"value\":\"demo_prod_linux\"},{\"name\":\"k8s.io/cluster-autoscaler/enabled\",\"value\":\"true\"},{\"name\":\"kubernetes.io/cluster/demo_prod\",\"value\":\"owned\"},{\"name\":\"aws:ec2launchtemplate:id\",\"value\":\"lt-abcdefabcdef123456\"}],\"type\":\"AWS::EC2::Instance\",\"uid\":\"i-abcd1235cdef1234\",\"uid_alt\":\"arn:aws:ec2:us-east-2:123456789012:instance/i-abcd1235cdef1234\"}],\"severity\":\"Medium\",\"severity_id\":3,\"status\":\"New\",\"status_id\":1,\"time\":1758875220981,\"time_dt\":\"2025-09-26T08:27:00.981Z\",\"type_name\":\"Compliance Finding: Update\",\"type_uid\":200302,\"vendor_attributes\":{\"severity\":\"Medium\",\"severity_id\":3}}", + "outcome": "unknown", + "provider": "AWS", + "severity": 47, + "type": [ + "info" + ] + }, 
+ "host": { + "id": "i-abcd1235cdef1234" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "name": "demo_prod" + } + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "i-abcd1235cdef1234", + "type": "AWS::EC2::Instance" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.", + "id": "SSM.1", + "name": "EC2 instances should be managed by AWS Systems Manager", + "reference": [ + "https://docs.aws.amazon.com/console/securityhub/SSM.1/remediation" + ], + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\\r\\nhttps://docs.aws.amazon.com/console/securityhub/SSM.1/remediation" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-09-26T11:34:42.714Z", + "aws_securityhub": { + "finding": { + "activity_id": "2", + "activity_name": "Update", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "assessments": [ + { + "desc": "AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.", + "meets_criteria": true, + "name": "CONFIG_EVALUATIONS_EMPTY" + } + ], + "control": "Redshift.3", + "standards": [ + "standards/aws-foundational-security-best-practices/v/1.0.0" + ], + "status": "Pass", + "status_id": "1" + }, + "finding_info": { + "analytic": { + "category": "AWS::Config::ConfigRule", + "name": "securityhub-redshift-backup-enabled-abc12311", + "type": "Rule", + "type_id": "1" + }, + "created_time": "2024-09-11T23:08:40.044Z", + "created_time_dt": "2024-09-11T23:08:40.044Z", + "desc": "This control checks whether an Amazon Redshift cluster has automated snapshots enabled, and a retention period greater than or equal to the specified time frame. The control fails if automated snapshots aren't enabled for the cluster, or if the retention period is less than the specified time frame. Unless you provide a custom parameter value for the retention period, Security Hub uses a default value of 7 days.", + "first_seen_time": "2024-09-11T23:08:40.044Z", + "first_seen_time_dt": "2024-09-11T23:08:40.044Z", + "last_seen_time": "2025-09-26T11:34:42.714Z", + "last_seen_time_dt": "2025-09-26T11:34:42.714Z", + "modified_time": "2025-09-26T11:34:42.714Z", + "modified_time_dt": "2025-09-26T11:34:42.714Z", + "title": "Amazon Redshift clusters should have automatic snapshots enabled", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards", + "Posture Management" + ], + "uid": "arn:aws:securityhub:us-east-2:123456789012:security-control/Redshift.3/finding/c3abcd12-3456-7890-abdf-c2123456abcd" + }, + "metadata": { + "product": { + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b01abcdef890123456789abcd12345efabcdefabcdef123ab6", + "version": "1.6.0" + }, + "remediation": { 
+ "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/Redshift.3/remediation" + ] + }, + "resources": [ + { + "cloud_partition": "aws", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "type": "AWS::::Account", + "uid": "123456789012" + } + ], + "severity": "Informational", + "severity_id": "1", + "status": "Resolved", + "status_id": "4", + "time": "2025-09-26T11:34:42.714Z", + "time_dt": "2025-09-26T11:34:42.714Z", + "type_name": "Compliance Finding: Update", + "type_uid": "200302", + "vendor_attributes": { + "severity": "Informational", + "severity_id": "1" + } + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::::Account" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Update", + "created": "2025-09-26T11:34:42.714Z", + "id": "arn:aws:securityhub:us-east-2:123456789012:security-control/Redshift.3/finding/c3abcd12-3456-7890-abdf-c2123456abcd", + "kind": "alert", + "original": "{\"activity_id\":2,\"activity_name\":\"Update\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"class_uid\":2003,\"cloud\":{\"account\":{\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"compliance\":{\"assessments\":[{\"desc\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\",\"meets_criteria\":true,\"name\":\"CONFIG_EVALUATIONS_EMPTY\"}],\"control\":\"Redshift.3\",\"standards\":[\"standards/aws-foundational-security-best-practices/v/1.0.0\"],\"status\":\"Pass\",\"status_id\":1},\"finding_info\":{\"analytic\":{\"category\":\"AWS::Config::ConfigRule\",\"name\":\"securityhub-redshift-backup-enabled-abc12311\",\"type\":\"Rule\",\"type_id\":1},\"created_time\":1726096120044,\"created_time_dt\":\"2024-09-11T23:08:40.044Z\",\"desc\":\"This control checks whether an Amazon Redshift cluster has automated snapshots enabled, and a retention period greater than or equal to the specified time frame. The control fails if automated snapshots aren't enabled for the cluster, or if the retention period is less than the specified time frame. Unless you provide a custom parameter value for the retention period, Security Hub uses a default value of 7 days.\",\"first_seen_time\":1726096120044,\"first_seen_time_dt\":\"2024-09-11T23:08:40.044Z\",\"last_seen_time\":1758886482714,\"last_seen_time_dt\":\"2025-09-26T11:34:42.714Z\",\"modified_time\":1758886482714,\"modified_time_dt\":\"2025-09-26T11:34:42.714Z\",\"title\":\"Amazon Redshift clusters should have automatic snapshots enabled\",\"types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\",\"Posture Management\"],\"uid\":\"arn:aws:securityhub:us-east-2:123456789012:security-control/Redshift.3/finding/c3abcd12-3456-7890-abdf-c2123456abcd\"},\"metadata\":{\"product\":{\"name\":\"Security Hub\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/securityhub\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b01abcdef890123456789abcd12345efabcdefabcdef123ab6\",\"version\":\"1.6.0\"},\"remediation\":{\"desc\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"references\":[\"https://docs.aws.amazon.com/console/securityhub/Redshift.3/remediation\"]},\"resources\":[{\"cloud_partition\":\"aws\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"type\":\"AWS::::Account\",\"uid\":\"123456789012\"}],\"severity\":\"Informational\",\"severity_id\":1,\"status\":\"Resolved\",\"status_id\":4,\"time\":1758886482714,\"time_dt\":\"2025-09-26T11:34:42.714Z\",\"type_name\":\"Compliance Finding: Update\",\"type_uid\":200302,\"vendor_attributes\":{\"severity\":\"Informational\",\"severity_id\":1}}", + "outcome": "success", + "provider": "AWS", + "severity": 21, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "123456789012", + "type": "AWS::::Account" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an Amazon Redshift cluster has automated snapshots enabled, and a retention period greater than or equal to the specified time frame. The control fails if automated snapshots aren't enabled for the cluster, or if the retention period is less than the specified time frame. 
Unless you provide a custom parameter value for the retention period, Security Hub uses a default value of 7 days.", + "id": "Redshift.3", + "name": "Amazon Redshift clusters should have automatic snapshots enabled", + "reference": [ + "https://docs.aws.amazon.com/console/securityhub/Redshift.3/remediation" + ], + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\\r\\nhttps://docs.aws.amazon.com/console/securityhub/Redshift.3/remediation" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2025-09-23T21:19:28.239Z", + "aws_securityhub": { + "finding": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Vulnerability Finding", + "class_uid": "2002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10", + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "finding_info": { + "created_time": "2025-09-23T21:19:28.239Z", + "created_time_dt": "2025-09-23T21:19:28.239Z", + "desc": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.", + "first_seen_time": "2025-09-23T21:19:28.239Z", + "first_seen_time_dt": "2025-09-23T21:19:28.239Z", + "last_seen_time": "2025-09-23T21:19:28.239Z", + "last_seen_time_dt": "2025-09-23T21:19:28.239Z", + "modified_time": "2025-09-23T21:19:28.239Z", + "modified_time_dt": "2025-09-23T21:19:28.239Z", + "title": "CVE-2025-47906 - go/stdlib", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "uid": "arn:aws:inspector2:us-east-2:123456789012:finding/2123456789abcdefabcdef12345679" + }, + "metadata": { + "product": { + "name": "Inspector", + "uid": "arn:aws:securityhub:us-east-2::productv2/aws/inspector", + "vendor_name": "AWS" 
+ }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "d1bc4b0123456789012345abefabcdefabcdefab123890cdef123456", + "version": "1.5.0" + }, + "resources": [ + { + "cloud_partition": "aws", + "data": { + "awsLambdaFunctionDetails": { + "architectures": [ + "ARM64" + ], + "codeSha256": "OBDFNBKKvsf/dfbSJFBVDKB64v1sJUYVJH/SV5nsdv5svssv=", + "executionRoleArn": "arn:aws:iam::123456789012:role/cloudtrail-test-ab-LambdaExecutionRole-jVHJUFvbhIHVD6", + "functionName": "cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6", + "lastModifiedAt": "2025-08-12T08:23:50.000Z", + "layers": [ + "arn:aws:lambda:us-east-2:267093732750:layer:test-cloud-forwarder-ver-0-2-0:1" + ], + "packageType": "ZIP", + "runtime": "PYTHON_3_12", + "version": "$LATEST" + } + }, + "name": "cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6", + "owner": { + "account": { + "uid": "123456789012" + } + }, + "region": "us-east-2", + "tags": { + "aws:cloudformation:logical-id": "LambdaFunction", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:us-east-2:123456789012:stack/cloudtrail-test-ab/c3abcd12-3456-7890-abdf-c2123456abcd", + "aws:cloudformation:stack-name": "cloudtrail-test-ab" + }, + "type": "AWS::Lambda::Function", + "uid": "cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6", + "uid_alt": "arn:aws:lambda:us-east-2:123456789012:function:cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6" + } + ], + "severity": "Medium", + "severity_id": "3", + "status": "New", + "status_id": "1", + "time": "2025-09-23T21:19:28.239Z", + "time_dt": "2025-09-23T21:19:28.239Z", + "type_name": "Vulnerability Finding: Create", + "type_uid": "200201", + "vendor_attributes": { + "severity": "Medium", + "severity_id": "3" + }, + "vulnerabilities": [ + { + "affected_packages": [ + { + "epoch": 0, + "fixed_in_version": "1.24.6", + "name": "go/stdlib", + "package_manager": "GENERIC", + "path": "collector", + "version": "1.24.0" + } + ], + "cve": { + "created_time": "2025-09-18T19:15:37.000Z", + "created_time_dt": 
"2025-09-18T19:15:37.000Z", + "cvss": [ + { + "base_score": 6.5, + "severity": "MEDIUM", + "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "vendor_name": "NVD", + "version": "3.1" + } + ], + "desc": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.", + "epss": { + "score": "0.00017" + }, + "modified_time": "2025-09-19T16:00:27.000Z", + "modified_time_dt": "2025-09-19T16:00:27.000Z", + "uid": "CVE-2025-47906" + }, + "fix_coverage": "Complete", + "fix_coverage_id": "1", + "is_exploit_available": false, + "is_fix_available": true, + "references": [ + "https://groups.google.com/g/golang-announce/c/x5MKroML2yM", + "https://nvd.nist.gov/vuln/detail/CVE-2025-47906" + ], + "severity": "MEDIUM" + } + ] + } + }, + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "aws", + "region": "us-east-2", + "service": { + "name": "AWS::Lambda::Function" + } + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "action": "Create", + "category": [ + "vulnerability" + ], + "created": "2025-09-23T21:19:28.239Z", + "id": "arn:aws:inspector2:us-east-2:123456789012:finding/2123456789abcdefabcdef12345679", + "kind": "alert", + "original": "{\"activity_id\":1,\"activity_name\":\"Create\",\"category_name\":\"Findings\",\"category_uid\":2,\"class_name\":\"Vulnerability Finding\",\"class_uid\":2002,\"cloud\":{\"account\":{\"type\":\"AWS Account\",\"type_id\":10,\"uid\":\"123456789012\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"},\"finding_info\":{\"created_time\":1758662368239,\"created_time_dt\":\"2025-09-23T21:19:28.239Z\",\"desc\":\"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\\\"\\\", \\\".\\\", and \\\"..\\\"), can result in the binaries listed in the PATH being 
unexpectedly returned.\",\"first_seen_time\":1758662368239,\"first_seen_time_dt\":\"2025-09-23T21:19:28.239Z\",\"last_seen_time\":1758662368239,\"last_seen_time_dt\":\"2025-09-23T21:19:28.239Z\",\"modified_time\":1758662368239,\"modified_time_dt\":\"2025-09-23T21:19:28.239Z\",\"title\":\"CVE-2025-47906 - go/stdlib\",\"types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"uid\":\"arn:aws:inspector2:us-east-2:123456789012:finding/2123456789abcdefabcdef12345679\"},\"metadata\":{\"product\":{\"name\":\"Inspector\",\"uid\":\"arn:aws:securityhub:us-east-2::productv2/aws/inspector\",\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"datetime\"],\"uid\":\"d1bc4b0123456789012345abefabcdefabcdefab123890cdef123456\",\"version\":\"1.5.0\"},\"resources\":[{\"cloud_partition\":\"aws\",\"data\":{\"awsLambdaFunctionDetails\":{\"architectures\":[\"ARM64\"],\"codeSha256\":\"OBDFNBKKvsf/dfbSJFBVDKB64v1sJUYVJH/SV5nsdv5svssv=\",\"executionRoleArn\":\"arn:aws:iam::123456789012:role/cloudtrail-test-ab-LambdaExecutionRole-jVHJUFvbhIHVD6\",\"functionName\":\"cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6\",\"lastModifiedAt\":\"2025-08-12T08:23:50Z\",\"layers\":[\"arn:aws:lambda:us-east-2:267093732750:layer:test-cloud-forwarder-ver-0-2-0:1\"],\"packageType\":\"ZIP\",\"runtime\":\"PYTHON_3_12\",\"version\":\"$LATEST\"}},\"name\":\"cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6\",\"owner\":{\"account\":{\"uid\":\"123456789012\"}},\"region\":\"us-east-2\",\"tags\":[{\"name\":\"aws:cloudformation:stack-name\",\"value\":\"cloudtrail-test-ab\"},{\"name\":\"aws:cloudformation:stack-id\",\"value\":\"arn:aws:cloudformation:us-east-2:123456789012:stack/cloudtrail-test-ab/c3abcd12-3456-7890-abdf-c2123456abcd\"},{\"name\":\"aws:cloudformation:logical-id\",\"value\":\"LambdaFunction\"}],\"type\":\"AWS::Lambda::Function\",\"uid\":\"cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6\",\"uid_alt\":\"arn:aws:lambda:us-east-2:123456789012:function:cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6\"}]
,\"severity\":\"Medium\",\"severity_id\":3,\"status\":\"New\",\"status_id\":1,\"time\":1758662368239,\"time_dt\":\"2025-09-23T21:19:28.239Z\",\"type_name\":\"Vulnerability Finding: Create\",\"type_uid\":200201,\"vendor_attributes\":{\"severity\":\"Medium\",\"severity_id\":3},\"vulnerabilities\":[{\"affected_packages\":[{\"epoch\":0,\"fixed_in_version\":\"1.24.6\",\"name\":\"go/stdlib\",\"package_manager\":\"GENERIC\",\"path\":\"collector\",\"version\":\"1.24.0\"}],\"cve\":{\"created_time\":1758222937000,\"created_time_dt\":\"2025-09-18T19:15:37.000Z\",\"cvss\":[{\"base_score\":6.5,\"severity\":\"MEDIUM\",\"vector_string\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"vendor_name\":\"NVD\",\"version\":\"3.1\"}],\"desc\":\"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\\\"\\\", \\\".\\\", and \\\"..\\\"), can result in the binaries listed in the PATH being unexpectedly returned.\",\"epss\":{\"score\":\"0.00017\"},\"modified_time\":1758297627000,\"modified_time_dt\":\"2025-09-19T16:00:27.000Z\",\"uid\":\"CVE-2025-47906\"},\"fix_coverage\":\"Complete\",\"fix_coverage_id\":1,\"is_exploit_available\":false,\"is_fix_available\":true,\"references\":[\"https://groups.google.com/g/golang-announce/c/x5MKroML2yM\",\"https://nvd.nist.gov/vuln/detail/CVE-2025-47906\"],\"severity\":\"MEDIUM\"}]}", + "outcome": "unknown", + "provider": "AWS", + "severity": 47, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "package": { + "fixed_version": [ + "1.24.6" + ], + "name": [ + "go/stdlib" + ], + "version": [ + "1.24.0" + ] + }, + "resource": { + "id": "cloudtrail-test-ab-LambdaFunction-jVHJUsdbdkj6", + "type": "AWS::Lambda::Function" + }, + "rule": { + "description": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", 
\".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.", + "name": "CVE-2025-47906 - go/stdlib" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "cve": "CVE-2025-47906", + "description": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.", + "enumeration": "CVE", + "id": "CVE-2025-47906", + "published_date": "2025-09-18T19:15:37.000Z", + "reference": [ + "https://groups.google.com/g/golang-announce/c/x5MKroML2yM", + "https://nvd.nist.gov/vuln/detail/CVE-2025-47906" + ], + "scanner": { + "vendor": "Inspector" + }, + "score": { + "base": 6.5, + "version": "3.1" + }, + "severity": "Medium", + "title": "CVE-2025-47906 - go/stdlib" + } + } + ] +} diff --git a/packages/aws_securityhub/data_stream/finding/_dev/test/system/test-default-config.yml b/packages/aws_securityhub/data_stream/finding/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c17705dd42c --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,38 @@
+input: cel
+service: aws_securityhub
+vars:
+ secret_access_key: xxxx
+ access_key_id: xxxx
+ ssl: |
+ certificate_authorities:
+ - |
+ -----BEGIN CERTIFICATE-----
+ MIIDYzCCAksCFHjpS63J08Qx8oUw5qhhPAt4b7XqMA0GCSqGSIb3DQEBCwUAMG4x
+ CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+ cm5ldCBXaWRnaXRzIFB0eSBMdGQxJzAlBgNVBAMMHnNlY3VyaXR5aHViLnh4eHgu
+ YW1hem9uYXdzLmNvbTAeFw0yNTExMTAxNzA3MjdaFw0zNTExMDgxNzA3MjdaMG4x
+ CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+ cm5ldCBXaWRnaXRzIFB0eSBMdGQxJzAlBgNVBAMMHnNlY3VyaXR5aHViLnh4eHgu
+ YW1hem9uYXdzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOGm
+ MbmIurgsjJxtFWDDNa0T0h2bRtVCMC+KwdZpZVwp+K1oFxizkWbsbGFA0SJpMMMZ
+ aHoSlYfbe7T8QgcJE40o5sVRrOyPNcNbh9THvjmFKE+9SFep083A2f6YBRXssTSA
+ PMd/hXOdD87biWUnSbgsug0LFZHQcPDz3b6ktExzpEbdMIYSlyrtFass4OWduUzX
+ W2aiP/jBI2O4ndjmTh78oeED6A10twoaz8fNQzaaAcp9KjB+RViBwgSFekp4sNUo
+ BiEqLalI6o9ZcbpAIV/fH0SQZy9rEBhrD0xzlqOmM3Mv/xTFkwOgc6EEFA1Tx7nb
+ Btm0afHgCy63XKKZT+0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAFJ+95GV4zx1k
+ Ljofy3IwkhF5oW1NsYTQIYPvOhVdTsebP/pXj98Co5QK19CL4UwSNVZmL+egm560
+ itIqS+Dh9d1JIdrU4JzMuWI7gqA2r2XdwRdbVfR8fKvt9MXoLE6OtrEgRIhQtgPG
+ 7+B5Jarsd85CUSnCk8/Xb1jL3AhMyTtThsUhOaRPInqnodagTz9MI/xFXru7X+mJ
+ tc5b1/Qzo5s2c0v53VSKRl2dEY1hS0FQ6zpupf/nqxK7XjHqA0bthP7EAJj5dSVh
+ /18+nnWLm0v8/xRjlJ9Z82QRJrJV96H8bWpAcT0Hk13pi+LcF3XgfYQJSR32z4tt
+ hPpgCP6KcQ==
+ -----END CERTIFICATE-----
+data_stream:
+ vars:
+ aws_region: xxxx
+ tld: amazonaws.com
+ batch_size: 2
+ preserve_original_event: true
+ enable_request_tracer: true
+assert:
+ hit_count: 5
diff --git a/packages/aws_securityhub/data_stream/finding/agent/stream/cel.yml.hbs b/packages/aws_securityhub/data_stream/finding/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..9c25545c01b
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/agent/stream/cel.yml.hbs
@@ -0,0 +1,140 @@
+config_version: 2
+interval: {{interval}}
+resource.tracer:
+ enabled: {{enable_request_tracer}}
+ filename: "../../logs/cel/http-request-trace-*.ndjson"
+ maxbackups: 5
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if resource_rate_limit_limit}}
+resource.rate_limit.limit: {{resource_rate_limit_limit}}
+{{/if}}
+{{#if resource_rate_limit_burst}}
+resource.rate_limit.burst: {{resource_rate_limit_burst}}
+{{/if}}
+resource.url: https://securityhub.{{aws_region}}.{{tld}}
+
+auth.aws:
+{{#if access_key_id}}
+ access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+ secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+ session_token: {{session_token}}
+{{/if}}
+{{#if shared_credential_file}}
+ shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if credential_profile_name}}
+ credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if role_arn}}
+ role_arn: {{role_arn}}
+{{/if}}
+{{#if external_id}}
+ external_id: {{external_id}}
+{{/if}}
+
+state:
+ batch_size: {{batch_size}}
+ initial_interval: {{initial_interval}}
+redact:
+ fields: ~
+program: |
+ (
+ state.?want_more.orValue(false) ?
+ { + "start_time": state.start_time, + "end_time": state.end_time, + } + : + { + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)), + "end_time": now.format(time_layout.RFC3339), + } + ).as(time_range, + post_request( + state.url.trim_right("/") + "/findingsv2", + "application/json", + { + "Filters": { + "CompositeFilters": [{ + "DateFilters": [{ + "FieldName": "finding_info.modified_time_dt", + "Filter": { + "Start": time_range.start_time, + "End": time_range.end_time + } + }] + }] + }, + "MaxResults": state.batch_size, + ?"NextToken": state.?next_token, + "SortCriteria": [{"Field":"finding_info.modified_time_dt","SortOrder":"asc"}] + }.encode_json() + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": body.Findings.map(e, { + "message": e.encode_json(), + }), + "initial_interval": state.initial_interval, + "batch_size": state.batch_size, + "start_time": time_range.start_time, + "end_time": time_range.end_time, + ?"next_token": body.?NextToken, + "want_more": body.?NextToken.orValue(null) != null, + "cursor": { + "last_timestamp": ( + body.?NextToken.orValue(null) != null ? + time_range.start_time + : + time_range.end_time + ), + } + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/findingsv2: " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "initial_interval": state.initial_interval, + "batch_size": state.batch_size, + "want_more": false, + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/default.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..346b6e83bb5 --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/default.yml 
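Review bot: The success branch advances `cursor.last_timestamp` to `time_range.end_time`, which is the `now` captured for the first page, and the next run reuses that value as the `DateFilters` `Start`, so a finding whose `finding_info.modified_time_dt` falls exactly on the boundary is requested twice if the Security Hub date filter is inclusive at both ends, while a finding that only becomes queryable after that `now` but carries an earlier `modified_time_dt` is never requested at all. Neither case is handled or documented in the program; at minimum add a `//` comment above the `cursor` map such as `// Start of the next run == End of this one: boundary duplicates are possible and late-indexed findings are skipped` so the ingest side is expected to de-duplicate, and if the manifest exposes a lookback variable, `"end_time": (now - duration(state.lookback)).format(time_layout.RFC3339),` would absorb indexing lag. The non-200 branch returns a state with no `cursor`, `start_time`, `end_time` or `next_token` and `want_more: false`, which reads as "retry from the persisted cursor on the next interval"; confirm the CEL input really retains the previous `cursor` when the returned state omits it, since otherwise a single throttled page would reset the window to `initial_interval`. The raw `string(resp.Body)` is also copied verbatim into `error.message`, which is convenient for AWS error JSON but worth a one-line comment so the behaviour is deliberate rather than incidental.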
@@ -0,0 +1,2072 @@ +--- +description: Pipeline for processing findings. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 9.2.0 + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + + # parse the event JSON + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: aws_securityhub.finding + - script: + description: Recursively traverses the aws_securityhub.finding object to convert suspected timestamps to milliseconds. 
+ tag: convert_timestamps_to_milliseconds + lang: painless + if: ctx.aws_securityhub?.finding != null + source: >- + def convertToMilliseconds(long timestamp) { + if ((long)1e19 - 1 < timestamp) { + throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp); + } else if ((long)1e16 - 1 < timestamp) { + return timestamp / 1000000; // Convert nanoseconds to milliseconds + } else if ((long)1e13 - 1 < timestamp) { + return timestamp / 1000; // Convert microseconds to milliseconds + } else if ((long)1e10 - 1 < timestamp) { + return timestamp; // Already in milliseconds, no conversion needed + } else { + return timestamp * 1000; // Convert seconds to milliseconds + } + } + + def processFields(Map fields) { + if (fields == null) { + return null; + } + for (entry in fields.entrySet()) { + def fieldName = entry.getKey(); + def fieldValue = entry.getValue(); + // Check if the field is a nested object (Map) + if (fieldValue instanceof Map) { + // Recursively process nested objects + processFields((Map) fieldValue); + } else if (fieldName.endsWith('time') || fieldName.endsWith('_time')) { + // If the field name ends with "time" or "_time" and is a number, convert it + if (fieldValue instanceof Number) { + fields[fieldName] = convertToMilliseconds(((Number) fieldValue).longValue()); + } + } + } + return null; + } + processFields(ctx.aws_securityhub.finding); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - convert: + field: aws_securityhub.finding.action_id + tag: convert_action_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.activity_id + tag: convert_activity_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.anomaly_analyses + if: 
ctx.aws_securityhub?.finding?.anomaly_analyses instanceof List + processor: + foreach: + field: _ingest._value.anomalies + ignore_missing: true + processor: + foreach: + field: _ingest._value.observations + ignore_missing: true + processor: + convert: + field: _ingest._value.count + tag: convert_anomaly_analyses_anomalies_observations_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.anomaly_analyses + if: ctx.aws_securityhub?.finding?.anomaly_analyses instanceof List + processor: + foreach: + field: _ingest._value.baselines + ignore_missing: true + processor: + foreach: + field: _ingest._value.observations + ignore_missing: true + processor: + convert: + field: _ingest._value.count + tag: convert_anomaly_analyses_baselines_observations_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.api.response.code + tag: convert_api_response_code_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.api.response.code + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - json: + field: 
aws_securityhub.finding.api.request.data + if: ctx.aws_securityhub?.finding?.api?.request?.data instanceof String + on_failure: + - rename: + field: aws_securityhub.finding.api.request.data + target_field: aws_securityhub.finding.api.request.data.value + - rename: + field: aws_securityhub.finding.api.request.data + target_field: aws_securityhub.finding.api.request.data.value + if: ctx.aws_securityhub?.finding?.api?.request?.data != null && !(ctx.aws_securityhub.finding.api.request.data instanceof Map) + - json: + field: aws_securityhub.finding.api.response.data + if: ctx.aws_securityhub?.finding?.api?.response?.data instanceof String + on_failure: + - rename: + field: aws_securityhub.finding.api.response.data + target_field: aws_securityhub.finding.api.response.data.value + - rename: + field: aws_securityhub.finding.api.response.data + target_field: aws_securityhub.finding.api.response.data.value + if: ctx.aws_securityhub?.finding?.api?.response?.data != null && !(ctx.aws_securityhub.finding.api.response.data instanceof Map) + - convert: + field: aws_securityhub.finding.assignee.account.type_id + tag: convert_assignee_account_type_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.assignee.has_mfa + tag: convert_finding_assignee_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.assignee.has_mfa + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.created_time_dt + tag: date_assignee_ldap_person_created_time_dt + target_field: aws_securityhub.finding.assignee.ldap_person.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X 
+ if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.created_time_dt != null && ctx.aws_securityhub.finding.assignee.ldap_person.created_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.created_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.created_time + tag: date_assignee_ldap_person_created_time + target_field: aws_securityhub.finding.assignee.ldap_person.created_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.created_time != null && ctx.aws_securityhub.finding.assignee.ldap_person.created_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.created_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.deleted_time_dt + tag: date_assignee_ldap_person_deleted_time_dt + target_field: aws_securityhub.finding.assignee.ldap_person.deleted_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.deleted_time_dt != null && ctx.aws_securityhub.finding.assignee.ldap_person.deleted_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.deleted_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.deleted_time + tag: date_assignee_ldap_person_deleted_time + target_field: aws_securityhub.finding.assignee.ldap_person.deleted_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.deleted_time != null && ctx.aws_securityhub.finding.assignee.ldap_person.deleted_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.deleted_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.hire_time_dt + tag: date_assignee_ldap_person_hire_time_dt + target_field: aws_securityhub.finding.assignee.ldap_person.hire_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.hire_time_dt != null && ctx.aws_securityhub.finding.assignee.ldap_person.hire_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.hire_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.hire_time + tag: date_assignee_ldap_person_hire_time + target_field: aws_securityhub.finding.assignee.ldap_person.hire_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.hire_time != null 
&& ctx.aws_securityhub.finding.assignee.ldap_person.hire_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.hire_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.last_login_time_dt + tag: date_assignee_ldap_person_last_login_time_dt + target_field: aws_securityhub.finding.assignee.ldap_person.last_login_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.last_login_time_dt != null && ctx.aws_securityhub.finding.assignee.ldap_person.last_login_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.last_login_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.last_login_time + tag: date_assignee_ldap_person_last_login_time + target_field: aws_securityhub.finding.assignee.ldap_person.last_login_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.last_login_time != null && ctx.aws_securityhub.finding.assignee.ldap_person.last_login_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.last_login_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} 
failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.leave_time_dt + tag: date_assignee_ldap_person_leave_time_dt + target_field: aws_securityhub.finding.assignee.ldap_person.leave_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.leave_time_dt != null && ctx.aws_securityhub.finding.assignee.ldap_person.leave_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.leave_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.leave_time + tag: date_assignee_ldap_person_leave_time + target_field: aws_securityhub.finding.assignee.ldap_person.leave_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.leave_time != null && ctx.aws_securityhub.finding.assignee.ldap_person.leave_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.leave_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.modified_time_dt + tag: date_assignee_ldap_person_modified_time_dt + target_field: aws_securityhub.finding.assignee.ldap_person.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: 
ctx.aws_securityhub?.finding?.assignee?.ldap_person?.modified_time_dt != null && ctx.aws_securityhub.finding.assignee.ldap_person.modified_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.modified_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.assignee.ldap_person.modified_time + tag: date_assignee_ldap_person_modified_time + target_field: aws_securityhub.finding.assignee.ldap_person.modified_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.assignee?.ldap_person?.modified_time != null && ctx.aws_securityhub.finding.assignee.ldap_person.modified_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.assignee.ldap_person.modified_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.assignee.risk_level_id + tag: convert_assignee_risk_level_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.assignee.risk_score + tag: convert_finding_assignee_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.assignee.risk_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.assignee.type_id + tag: convert_assignee_type_id_to_string + type: string + 
ignore_missing: true + - convert: + field: aws_securityhub.finding.category_uid + tag: convert_category_uid_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.class_uid + tag: convert_class_uid_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.cloud.account.type_id + tag: convert_cloud_account_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.compliance.assessments + if: ctx.aws_securityhub?.finding?.compliance?.assessments instanceof List + processor: + convert: + field: _ingest._value.meets_criteria + tag: convert_compliance_assessments_meets_criteria_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.meets_criteria + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.compliance.assessments + if: ctx.aws_securityhub?.finding?.compliance?.assessments instanceof List + processor: + convert: + field: _ingest._value.policy.is_applied + tag: convert_compliance_assessments_policy_is_applied_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.policy.is_applied + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.compliance.checks + if: ctx.aws_securityhub?.finding?.compliance?.checks instanceof List + processor: + convert: + field: _ingest._value.severity_id + tag: convert_compliance_checks_severity_id_to_string + type: string + ignore_missing: true + - foreach: + field: 
aws_securityhub.finding.compliance.checks + if: ctx.aws_securityhub?.finding?.compliance?.checks instanceof List + processor: + convert: + field: _ingest._value.status_id + tag: convert_compliance_checks_status_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.compliance.status_id + tag: convert_compliance_status_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.confidence_id + tag: convert_confidence_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.confidence_score + tag: convert_finding_confidence_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.confidence_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.count + tag: convert_finding_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.count + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.disposition_id + tag: convert_disposition_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.duration + tag: convert_duration_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.duration + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.end_time_dt + tag: date_end_time_dt + target_field: aws_securityhub.finding.end_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.end_time_dt != null && ctx.aws_securityhub.finding.end_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.end_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.end_time + tag: date_end_time + target_field: aws_securityhub.finding.end_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.end_time != null && ctx.aws_securityhub.finding.end_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.end_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.enrichments + if: ctx.aws_securityhub?.finding?.enrichments instanceof List + processor: + convert: + field: _ingest._value.reputation.base_score + tag: convert_enrichments_reputation_base_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.reputation.base_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.enrichments + if: 
ctx.aws_securityhub?.finding?.enrichments instanceof List + processor: + convert: + field: _ingest._value.reputation.score_id + tag: convert_enrichments_reputation_score_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.enrichments + if: ctx.aws_securityhub?.finding?.enrichments instanceof List + processor: + date: + field: _ingest._value.created_time_dt + tag: date_enrichments_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.reputation.base_score + ignore_missing: true + - foreach: + field: aws_securityhub.finding.enrichments + if: ctx.aws_securityhub?.finding?.enrichments instanceof List + processor: + date: + field: _ingest._value.created_time + tag: date_enrichments_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.reputation.base_score + ignore_missing: true + - convert: + field: aws_securityhub.finding.firewall_rule.duration + tag: convert_finding_firewall_rule_duration_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.firewall_rule.duration + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.firewall_rule.rate_limit + tag: convert_finding_firewall_rule_rate_limit_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.firewall_rule.rate_limit + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.impact_id + tag: convert_finding_impact_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.impact_score + tag: convert_finding_impact_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.impact_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.is_alert + tag: convert_finding_is_alert_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.is_alert + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.is_suspected_breach + tag: convert_finding_is_suspected_breach_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.is_suspected_breach + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.malware_scan_info.end_time_dt + tag: date_malware_scan_info_end_time_dt + target_field: aws_securityhub.finding.malware_scan_info.end_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd 
HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.malware_scan_info?.end_time_dt != null && ctx.aws_securityhub.finding.malware_scan_info.end_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.end_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.malware_scan_info.end_time + tag: date_malware_scan_info_end_time + target_field: aws_securityhub.finding.malware_scan_info.end_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.malware_scan_info?.end_time != null && ctx.aws_securityhub.finding.malware_scan_info.end_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.end_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.malware_scan_info.num_files + tag: convert_finding_malware_scan_info_num_files_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.num_files + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.malware_scan_info.num_infected + tag: convert_finding_malware_scan_info_num_infected_to_long + type: long + ignore_missing: true + on_failure: + - remove: + 
field: aws_securityhub.finding.malware_scan_info.num_infected + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.malware_scan_info.num_volumes + tag: convert_finding_malware_scan_info_num_volumes_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.num_volumes + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.malware_scan_info.size + tag: convert_finding_malware_scan_info_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.size + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.malware_scan_info.start_time_dt + tag: date_malware_scan_info_start_time_dt + target_field: aws_securityhub.finding.malware_scan_info.start_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.malware_scan_info?.start_time_dt != null && ctx.aws_securityhub.finding.malware_scan_info.start_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.start_time_dt + ignore_missing: true + - append: + field: error.message + value: 
'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.malware_scan_info.start_time + tag: date_malware_scan_info_start_time + target_field: aws_securityhub.finding.malware_scan_info.start_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.malware_scan_info?.start_time != null && ctx.aws_securityhub.finding.malware_scan_info.start_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.start_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.malware_scan_info.type_id + tag: convert_finding_malware_scan_info_type_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.malware_scan_info.unique_malware_count + tag: convert_finding_malware_scan_info_unique_malware_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.malware_scan_info.unique_malware_count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.observables + if: ctx.aws_securityhub?.finding?.observables instanceof List + processor: + convert: + field: _ingest._value.reputation.base_score + tag: convert_finding_observables_reputation_base_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.reputation.base_score + 
ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.observables + if: ctx.aws_securityhub?.finding?.observables instanceof List + processor: + convert: + field: _ingest._value.reputation.score_id + tag: convert_finding_observables_reputation_score_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.observables + if: ctx.aws_securityhub?.finding?.observables instanceof List + processor: + convert: + field: _ingest._value.type_id + tag: convert_finding_observables_type_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.policy.is_applied + tag: convert_finding_policy_is_applied_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.policy.is_applied + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.priority_id + tag: convert_finding_priority_id_to_string + type: string + ignore_missing: true + - json: + field: aws_securityhub.finding.raw_data + if: ctx.aws_securityhub?.finding?.raw_data instanceof String + tag: json_decoding_raw_data + on_failure: + - rename: + field: aws_securityhub.finding.raw_data + target_field: aws_securityhub.finding.raw_data_keyword + ignore_missing: true + - convert: + field: aws_securityhub.finding.raw_data_size + tag: convert_finding_raw_data_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.raw_data_size + ignore_missing: true + 
- append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.remediation.kb_article_list + if: ctx.aws_securityhub?.finding?.remediation?.kb_article_list instanceof List + processor: + date: + field: _ingest._value.created_time_dt + tag: date_remediation_kb_article_list_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.remediation.kb_article_list + if: ctx.aws_securityhub?.finding?.remediation?.kb_article_list instanceof List + processor: + date: + field: _ingest._value.created_time + tag: date_remediation_kb_article_list_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.remediation.kb_article_list + if: ctx.aws_securityhub?.finding?.remediation?.kb_article_list instanceof List + processor: + convert: + field: _ingest._value.install_state_id + tag: convert_remediation_kb_article_list_install_state_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.remediation.kb_article_list + if: ctx.aws_securityhub?.finding?.remediation?.kb_article_list instanceof List + processor: + convert: + field: _ingest._value.is_superseded + tag: convert_remediation_kb_article_list_is_superseded_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_superseded + ignore_missing: true + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.remediation.kb_article_list + if: ctx.aws_securityhub?.finding?.remediation?.kb_article_list instanceof List + processor: + convert: + field: _ingest._value.size + tag: convert_remediation_kb_article_list_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.size + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.risk_level_id + tag: convert_finding_risk_level_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.risk_score + tag: convert_finding_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.risk_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.severity_id + tag: convert_finding_severity_id_to_string + type: string + ignore_missing: true + - date: + field: aws_securityhub.finding.start_time_dt + tag: date_finding_start_time_dt + target_field: aws_securityhub.finding.start_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.start_time_dt != null && ctx.aws_securityhub.finding.start_time_dt != '' + on_failure: + - remove: + field: 
aws_securityhub.finding.start_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.start_time + tag: date_start_time + target_field: aws_securityhub.finding.start_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.start_time != null && ctx.aws_securityhub.finding.start_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.start_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.status_id + tag: convert_finding_status_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.tickets + if: ctx.aws_securityhub?.finding?.tickets instanceof List + processor: + convert: + field: _ingest._value.type_id + tag: convert_tickets_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.tickets + if: ctx.aws_securityhub?.finding?.tickets instanceof List + processor: + convert: + field: _ingest._value.status_id + tag: convert_tickets_status_id_to_string + type: string + ignore_missing: true + - date: + field: aws_securityhub.finding.time_dt + tag: date_finding_time_dt + target_field: aws_securityhub.finding.time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.time_dt != null && ctx.aws_securityhub.finding.time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.time_dt + ignore_missing: true + - append: + 
field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.time + tag: date_finding_time + target_field: aws_securityhub.finding.time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.time != null && ctx.aws_securityhub.finding.time != '' + on_failure: + - remove: + field: aws_securityhub.finding.time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.timezone_offset + tag: convert_finding_timezone_offset_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.timezone_offset + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.type_uid + tag: convert_finding_type_uid_to_string + type: string + ignore_missing: true + - json: + field: aws_securityhub.finding.unmapped + if: ctx.aws_securityhub?.finding?.unmapped instanceof String + on_failure: + - rename: + field: aws_securityhub.finding.unmapped + target_field: aws_securityhub.finding.unmapped.value + - rename: + field: aws_securityhub.finding.unmapped + target_field: aws_securityhub.finding.unmapped.value + if: ctx.aws_securityhub?.finding?.unmapped != null && !(ctx.aws_securityhub.finding.unmapped instanceof Map) + - convert: + field: aws_securityhub.finding.vendor_attributes.severity_id + tag: 
convert_finding_vendor_attributes_severity_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.verdict_id + tag: convert_finding_verdict_id_to_string + type: string + ignore_missing: true + + + # convert values + - pipeline: + name: '{{ IngestPipeline "pipeline_object_actor" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.actor != null + tag: pipeline_object_actor + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_attack" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.attacks instanceof List + tag: pipeline_object_attack + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_device" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.device != null + tag: pipeline_object_device + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_evidence" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2003','2004'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.evidences instanceof List + tag: pipeline_object_device + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_finding" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.finding_info != null + tag: pipeline_object_finding + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_malware" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && 
['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.malware instanceof List + tag: pipeline_object_malware + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_osint" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.osint instanceof List + tag: pipeline_object_osint + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_resources" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.resources instanceof List + tag: pipeline_object_resources + ignore_missing_pipeline: true + - pipeline: + name: '{{ IngestPipeline "pipeline_object_vulnerabilities" }}' + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2004'].contains(ctx.aws_securityhub.finding.class_uid) && ctx.aws_securityhub.finding.vulnerabilities instanceof List + tag: pipeline_object_vulnerabilities + ignore_missing_pipeline: true + +# populate ECS fields + + - set: + field: '@timestamp' + tag: set_@timestamp_from_finding_info_modified_time_dt + copy_from: aws_securityhub.finding.finding_info.modified_time_dt + ignore_empty_value: true + - set: + field: '@timestamp' + tag: set_@timestamp_from_finding_info_modified_time + copy_from: aws_securityhub.finding.finding_info.modified_time + ignore_empty_value: true + if: ctx['@timestamp'] == null + + # event.* + - set: + field: event.kind + tag: set_event_kind + if: ctx.aws_securityhub?.finding?.class_uid != null && ['2002','2003','2004','2006'].contains(ctx.aws_securityhub.finding.class_uid) + value: alert + - append: + field: event.category + tag: append_vulnerability_into_event_category + value: vulnerability + allow_duplicates: false + if: ctx.aws_securityhub?.finding?.class_uid != null && 
['2002'].contains(ctx.aws_securityhub.finding.class_uid) + - append: + field: event.type + tag: append_info_into_event_type + value: info + allow_duplicates: false + - set: + field: event.action + tag: set_event_action_from_activity_name + copy_from: aws_securityhub.finding.activity_name + ignore_empty_value: true + - set: + field: event.end + tag: set_event_end_from_end_time_dt + copy_from: aws_securityhub.finding.end_time_dt + ignore_empty_value: true + - set: + field: event.end + tag: set_event_end_from_end_time + copy_from: aws_securityhub.finding.end_time + ignore_empty_value: true + if: ctx.event?.end == null + - script: + description: Convert duration from milliseconds to nanoseconds. + tag: script_duration_ms_to_ns + lang: painless + if: ctx.aws_securityhub?.finding?.duration != null + source: >- + ctx.event.duration = ctx.aws_securityhub.finding.duration * 1000000; + - set: + field: event.id + tag: set_event_id_from_finding_info_uid + copy_from: aws_securityhub.finding.finding_info.uid + ignore_empty_value: true + - set: + field: event.provider + tag: set_event_provider_from_metadata_log_provider + copy_from: aws_securityhub.finding.metadata.log_provider + ignore_empty_value: true + - set: + field: event.provider + tag: set_event_provider_from_metadata_product_vendor_name + copy_from: aws_securityhub.finding.metadata.product.vendor_name + ignore_empty_value: true + if: ctx.aws_securityhub?.finding?.metadata?.log_provider == null + - set: + field: event.sequence + tag: set_event_sequence + copy_from: aws_securityhub.finding.metadata.sequence + ignore_empty_value: true + - set: + field: event.start + tag: set_event_start_from_start_time_dt + copy_from: aws_securityhub.finding.start_time_dt + ignore_empty_value: true + - set: + field: event.start + tag: set_event_start_from_start_time + copy_from: aws_securityhub.finding.start_time + ignore_empty_value: true + if: ctx.event?.start == null + - set: + field: event.created + tag: set_event_created_from_time_dt + 
copy_from: aws_securityhub.finding.time_dt + ignore_empty_value: true + - set: + field: event.created + tag: set_event_created_from_time + copy_from: aws_securityhub.finding.time + ignore_empty_value: true + if: ctx.event?.created == null + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: unknown + if: ctx.aws_securityhub?.finding?.status_id != null && ['0', '1', '2'].contains(ctx.aws_securityhub.finding.status_id) + - set: + field: event.outcome + tag: set_event_outcome_success + value: success + if: ctx.aws_securityhub?.finding?.status_id != null && ['3', '4'].contains(ctx.aws_securityhub.finding.status_id) + + - script: + description: Extract ECS fields from aws.securityhub_findings.resources. + tag: script_extract_fields_from_resource + lang: painless + if: ctx.aws_securityhub?.finding?.resources instanceof List && ctx.aws_securityhub.finding.resources.size() > 0 + source: |- + // Arrays won't work in general in current UI of Cloud Security Posture workflow. In AWS SecurityHub, a finding may contain multiple resources, but rarely. + // When a finding has single-resource, we extract ECS fields as single-value so that the Findings UI behaves as expected for almost all cases. + // But in the rare multi-resource case, we extract the ECS fields from the primary resource. + + def res; + + if (ctx.aws_securityhub.finding.resources.size() == 1) { + res = ctx.aws_securityhub.finding.resources[0]; + } else { + for (def resource: ctx.aws_securityhub.finding.resources) { + if (resource.labels?.contains('primary_resource') == true) { + res = resource; + break; + } + } + } + + // Define fields to be extracted. 
+ ctx.resource = ctx.resource ?: [:]; + ctx.user = ctx.user ?: [:]; + ctx.group = ctx.group ?: [:]; + ctx.host = ctx.host ?: [:]; + ctx.host.ip = ctx.host.ip ?: []; + ctx.orchestrator = ctx.orchestrator ?: [:]; + ctx.orchestrator.cluster = ctx.orchestrator.cluster ?: [:]; + ctx.cloud = ctx.cloud ?: [:]; + ctx.cloud.instance = ctx.cloud.instance ?: [:]; + ctx.cloud.service = ctx.cloud.service ?: [:]; + ctx.cloud.machine = ctx.cloud.machine ?: [:]; + + // Extract resource field + ctx.resource.type = res.type; + ctx.resource.id = res.uid; + if (res.tags instanceof List) { + for (def tag: res.tags) { + if (tag.name == 'Name') { + ctx.resource.name = tag.value; + break; + } + } + } + + // Extract ECS user field + if (res.type == 'AWS::IAM::User') { + ctx.user.id = res.uid; + } + + // Extract ECS group field + if (res.type == 'AWS::IAM::Group') { + ctx.group.id = res.uid; + } + + // Extract ECS host field + if (res.type == 'AWS::EC2::Instance' && res.uid != null) { + ctx.host.id = res.uid; + } + if (res.type == 'AWS::EC2::Instance' && res.tags instanceof List) { + for (def tag: res.tags) { + if (tag.name == 'Name') { + ctx.host.name = tag.value; + } + } + } + if (res.type == 'AWS::EC2::Instance' && res.data?.awsEc2InstanceDetails?.type != null) { + ctx.host.type = res.data.awsEc2InstanceDetails.type; + } + if (res.type == 'AWS::EC2::Instance' && res.data?.awsEc2InstanceDetails?.ipV4Addresses instanceof List) { + for (def ipv4: res.data.awsEc2InstanceDetails.ipV4Addresses) { + if (ipv4 instanceof String) { + ctx.host.ip.add(ipv4); + } + } + } + if (res.type == 'AWS::EC2::Instance' && res.data?.awsEc2InstanceDetails?.ipV6Addresses instanceof List) { + for (def ipv6: res.data.awsEc2InstanceDetails.ipV6Addresses) { + if (ipv6 instanceof String) { + ctx.host.ip.add(ipv6); + } + } + } + + // Extract ECS orchestrator field + if (res.tags instanceof List) { + for (def tag: res.tags) { + if (tag.name == 'aws:eks:cluster-name') { + ctx.orchestrator.cluster.name = tag.value; + } + 
} + } + if (res.type == 'AWS::EKS::Cluster') { + ctx.orchestrator.cluster.id = res.uid; + ctx.orchestrator.type = 'kubernetes'; + } + + // Extract ECS cloud field + ctx.cloud.region = res.region; + ctx.cloud.service.name = res.type; + if (res.type == 'AWS::EC2::Instance' && res.data?.awsEc2InstanceDetails?.type != null) { + ctx.cloud.machine.type = res.data.awsEc2InstanceDetails.type; + } + if (res.type == 'AWS::EC2::Instance') { + ctx.cloud.instance.id = res.uid; + ctx.cloud.instance.name = res.name; + } + + // Convert key:value tags into object for better searchability. + for (def resource: ctx.aws_securityhub.finding.resources) { + if (resource.tags instanceof List) { + def tags = [:]; + for (def tag: resource.tags) { + tags[tag.name] = tag.value; + } + resource.tags = tags; + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # cloud.* + - set: + field: cloud.account.id + tag: set_cloud_account_uid_from_finding_cloud_account_uid + copy_from: aws_securityhub.finding.cloud.account.uid + ignore_empty_value: true + - set: + field: cloud.account.name + tag: set_cloud_account_name_from_finding_cloud_account_name + copy_from: aws_securityhub.finding.cloud.account.name + ignore_empty_value: true + - set: + field: cloud.availability_zone + tag: set_cloud_availability_zone_from_finding_cloud_zone + copy_from: aws_securityhub.finding.cloud.zone + ignore_empty_value: true + - set: + field: cloud.provider + tag: set_cloud_provider_to_aws + value: aws + if: ctx.aws_securityhub?.finding?.cloud?.provider != null && ctx.aws_securityhub.finding.cloud.provider.toLowerCase().contains('aws') + - set: + field: cloud.provider + tag: set_cloud_provider_to_azure + value: azure + if: ctx.aws_securityhub?.finding?.cloud?.provider != null && 
ctx.aws_securityhub.finding.cloud.provider.toLowerCase().contains('azure') + - set: + field: cloud.provider + tag: set_cloud_provider_to_gcp + value: gcp + if: ctx.aws_securityhub?.finding?.cloud?.provider != null && ctx.aws_securityhub.finding.cloud.provider.toLowerCase().contains('gcp') + - set: + field: cloud.region + tag: set_cloud_region_from_finding_cloud_region + copy_from: aws_securityhub.finding.cloud.region + ignore_empty_value: true + if: ctx.cloud?.region == null + + # organization.* + - set: + field: organization.name + tag: set_organization_name_from_metadata_product_vendor_name + copy_from: aws_securityhub.finding.metadata.product.vendor_name + ignore_empty_value: true + + # observer.* + - set: + field: observer.vendor + tag: set_observer_vendor + value: AWS Security Hub + + # rule.* + - set: + field: rule.id + tag: set_rule_id_from_metadata_product_feature_uid + copy_from: aws_securityhub.finding.metadata.product.feature.uid + ignore_empty_value: true + - set: + field: rule.id + tag: set_rule_id_from_finding_compliance_control + copy_from: aws_securityhub.finding.compliance.control + ignore_empty_value: true + if: ctx.rule?.id == null + - set: + field: rule.name + tag: set_rule_name_from_finding_info_title + copy_from: aws_securityhub.finding.finding_info.title + ignore_empty_value: true + - set: + field: rule.description + tag: set_rule_description_from_finding_info_desc + copy_from: aws_securityhub.finding.finding_info.desc + ignore_empty_value: true + - set: + field: rule.ruleset + tag: set_rule_ruleset_from_finding_compliance_requirements + copy_from: aws_securityhub.finding.compliance.requirements + ignore_empty_value: true + - script: + description: Map rule.remediation and rule.reference field. 
+ tag: script_map_rule_remediation_and_rule_reference_field + lang: painless + source: |- + ctx.rule = ctx.rule ?: [:]; + + def remediation = ctx.aws_securityhub?.finding?.remediation; + if (remediation == null && ctx.aws_securityhub?.finding?.vulnerabilities instanceof List && ctx.aws_securityhub.finding.vulnerabilities.size() > 0) { + remediation = ctx.aws_securityhub.finding.vulnerabilities[0].remediation; + } + + def desc = remediation?.desc; + if (remediation?.references instanceof List) { + for (def ref: remediation.references) { + desc += '\\r\\n' + ref; + } + } + + ctx.rule.remediation = desc; + ctx.rule.reference = remediation?.references; + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # result.* + - set: + field: result.evaluation + tag: set_result_evaluation_unknown + value: unknown + if: ctx.aws_securityhub?.finding?.compliance?.status_id == '0' || ctx.aws_securityhub?.finding?.compliance?.status_id == '2' + - set: + field: result.evaluation + tag: set_result_evaluation_passed + value: passed + if: ctx.aws_securityhub?.finding?.compliance?.status_id == '1' + - set: + field: result.evaluation + tag: set_result_evaluation_failed + value: failed + if: ctx.aws_securityhub?.finding?.compliance?.status_id == '3' + + # url.* + - set: + field: url.full + tag: set_url_full_from_finding_info_src_url + copy_from: aws_securityhub.finding.finding_info.src_url + ignore_empty_value: true + + # vulnerability.*, package.* + - script: + description: Extract fields from aws.securityhub_findings.vulnerabilities with single vulnerability. 
+ tag: script_extract_fields_from_vulnerability + lang: painless + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List && ctx.aws_securityhub.finding.vulnerabilities.size() > 0 + source: |- + def vuln = ctx.aws_securityhub.finding.vulnerabilities[0]; + + // Define fields to be extracted. + ctx.package = ctx.package ?: [:]; + ctx.package.name = ctx.package.name ?: []; + ctx.package.version = ctx.package.version ?: []; + ctx.package.fixed_version = ctx.package.fixed_version ?: []; + ctx.vulnerability = ctx.vulnerability ?: [:]; + ctx.vulnerability.scanner = ctx.vulnerability.scanner ?: [:]; + ctx.vulnerability.score = ctx.vulnerability.score ?: [:]; + + if (vuln.affected_packages instanceof List) { + for (def pkg: vuln.affected_packages) { + if (pkg.name != null) { + ctx.package.name.add(pkg.name); + } + if (pkg.version != null) { + ctx.package.version.add(pkg.version); + } + if (pkg.fixed_in_version != null) { + ctx.package.fixed_version.add(pkg.fixed_in_version); + } + } + } + + ctx.vulnerability.description = vuln.cve?.desc; + ctx.vulnerability.id = vuln.cve?.uid; + ctx.vulnerability.reference = vuln.references; + ctx.vulnerability.published_date = vuln.cve?.created_time_dt; + if (ctx.vulnerability.published_date == null) { + ctx.vulnerability.published_date = vuln.cve?.created_time; + } + + if (vuln.cve?.uid != null) { + String[] tokenList = vuln.cve.uid.splitOnToken("-"); + ctx.vulnerability.enumeration = tokenList[0]; + if (tokenList[0] == 'CVE') { + ctx.vulnerability.cve = vuln.cve.uid; + } + } + + if (vuln.cve?.cvss instanceof List && vuln.cve.cvss.size() > 0) { + def cvss = vuln.cve.cvss[0]; + ctx.vulnerability.score.base = cvss.base_score; + ctx.vulnerability.score.version = cvss.version; + ctx.vulnerability.classification = 'CVSS'; + if (cvss.severity == 'NONE') { + ctx.vulnerability.severity = 'None'; + } else if (cvss.severity == 'LOW') { + ctx.vulnerability.severity = 'Low'; + } else if (cvss.severity == 'MEDIUM') { + 
ctx.vulnerability.severity = 'Medium'; + } else if (cvss.severity == 'HIGH') { + ctx.vulnerability.severity = 'High'; + } else if (cvss.severity == 'CRITICAL') { + ctx.vulnerability.severity = 'Critical'; + } + } + + if (ctx.aws_securityhub.finding.finding_info?.title != null) { + ctx.vulnerability.title = ctx.aws_securityhub.finding.finding_info.title; + } + if (ctx.aws_securityhub.finding.metadata?.product?.name != null) { + ctx.vulnerability.scanner.vendor = ctx.aws_securityhub.finding.metadata.product.name; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: Script to set event.severity and vulnerability.severity. + tag: set_event_severity_and_vulnerability_severity + if: ctx.aws_securityhub?.finding?.severity_id instanceof String + source: |- + String severity = ctx.aws_securityhub.finding.severity_id; + String vulnerability_severity; + if (severity == "1" || severity == "2") { // Informational and Low + ctx.event.severity = 21; + vulnerability_severity = 'Low'; + } else if (severity == "3") { // Medium + ctx.event.severity = 47; + vulnerability_severity = 'Medium'; + } else if (severity == "4") { // High + ctx.event.severity = 73; + vulnerability_severity = 'High'; + } else if (severity == "5" || severity == "6") { // Critical and Fatal + ctx.event.severity = 99; + vulnerability_severity = 'Critical'; + } + ctx.vulnerability = ctx.vulnerability ?: [:]; + if (ctx.aws_securityhub?.finding?.vulnerabilities instanceof List && ctx.aws_securityhub.finding.vulnerabilities.size() > 0) { + ctx.vulnerability.severity = vulnerability_severity; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # related.* + - append: + field: related.user + tag: append_actor_process_auid_to_related_user + value: '{{{aws_securityhub.finding.actor.process.auid}}}' + if: ctx.aws_securityhub?.finding?.actor?.process?.auid != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_process_euid_to_related_user + value: '{{{aws_securityhub.finding.actor.process.euid}}}' + if: ctx.aws_securityhub?.finding?.actor?.process?.euid != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_user_display_name_to_related_user + value: '{{{aws_securityhub.finding.actor.user.display_name}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.display_name != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_user_email_addr_to_related_user + value: '{{{aws_securityhub.finding.actor.user.email_addr}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.email_addr != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_user_forward_addr_to_related_user + value: '{{{aws_securityhub.finding.actor.user.forward_addr}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.forward_addr != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_user_full_name_to_related_user + value: '{{{aws_securityhub.finding.actor.user.full_name}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.full_name != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_user_name_to_related_user + value: '{{{aws_securityhub.finding.actor.user.name}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.name != null + allow_duplicates: false + - append: + field: related.user + tag: append_actor_user_uid_to_related_user + value: '{{{aws_securityhub.finding.actor.user.uid}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.uid != null + allow_duplicates: 
false + - append: + field: related.user + tag: append_actor_user_uid_alt_to_related_user + value: '{{{aws_securityhub.finding.actor.user.uid_alt}}}' + if: ctx.aws_securityhub?.finding?.actor?.user?.uid_alt != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_display_name_to_related_user + value: '{{{aws_securityhub.finding.assignee.display_name}}}' + if: ctx.aws_securityhub?.finding?.assignee?.display_name != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_email_addr_to_related_user + value: '{{{aws_securityhub.finding.assignee.email_addr}}}' + if: ctx.aws_securityhub?.finding?.assignee?.email_addr != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_forward_addr_to_related_user + value: '{{{aws_securityhub.finding.assignee.forward_addr}}}' + if: ctx.aws_securityhub?.finding?.assignee?.forward_addr != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_full_name_to_related_user + value: '{{{aws_securityhub.finding.assignee.full_name}}}' + if: ctx.aws_securityhub?.finding?.assignee?.full_name != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_name_to_related_user + value: '{{{aws_securityhub.finding.assignee.name}}}' + if: ctx.aws_securityhub?.finding?.assignee?.name != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_uid_to_related_user + value: '{{{aws_securityhub.finding.assignee.uid}}}' + if: ctx.aws_securityhub?.finding?.assignee?.uid != null + allow_duplicates: false + - append: + field: related.user + tag: append_assignee_uid_alt_to_related_user + value: '{{{aws_securityhub.finding.assignee.uid_alt}}}' + if: ctx.aws_securityhub?.finding?.assignee?.uid_alt != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_device_domain_to_related_hosts + value: '{{{aws_securityhub.finding.device.domain}}}' + if: 
ctx.aws_securityhub?.finding?.device?.domain != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_device_hostname_to_related_hosts + value: '{{{aws_securityhub.finding.device.hostname}}}' + if: ctx.aws_securityhub?.finding?.device?.hostname != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_device_instance_uid_to_related_hosts + value: '{{{aws_securityhub.finding.device.instance_uid}}}' + if: ctx.aws_securityhub?.finding?.device?.instance_uid != null + allow_duplicates: false + - append: + field: related.ip + tag: append_device_ip_to_related_ip + value: '{{{aws_securityhub.finding.device.ip}}}' + if: ctx.aws_securityhub?.finding?.device?.ip != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_device_name_to_related_hosts + value: '{{{aws_securityhub.finding.device.name}}}' + if: ctx.aws_securityhub?.finding?.device?.name != null + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.device.network_interfaces + if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List + processor: + append: + field: related.hosts + tag: append_device_network_interfaces_hostname_to_related_hosts + value: '{{{_ingest._value.hostname}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.device.network_interfaces + if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List + processor: + append: + field: related.ip + tag: append_device_network_interfaces_ip_to_related_ip + value: '{{{_ingest._value.ip}}}' + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_display_name_to_related_user + value: '{{{aws_securityhub.finding.device.owner.display_name}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.display_name != null + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_email_addr_to_related_user + value: 
'{{{aws_securityhub.finding.device.owner.email_addr}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.email_addr != null + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_forward_addr_to_related_user + value: '{{{aws_securityhub.finding.device.owner.forward_addr}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.forward_addr != null + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_full_name_to_related_user + value: '{{{aws_securityhub.finding.device.owner.full_name}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.full_name != null + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_name_to_related_user + value: '{{{aws_securityhub.finding.device.owner.name}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.name != null + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_uid_to_related_user + value: '{{{aws_securityhub.finding.device.owner.uid}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.uid != null + allow_duplicates: false + - append: + field: related.user + tag: append_device_owner_uid_alt_to_related_user + value: '{{{aws_securityhub.finding.device.owner.uid_alt}}}' + if: ctx.aws_securityhub?.finding?.device?.owner?.uid_alt != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_device_uid_to_related_hosts + value: '{{{aws_securityhub.finding.device.uid}}}' + if: ctx.aws_securityhub?.finding?.device?.uid != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_device_uid_alt_to_related_hosts + value: '{{{aws_securityhub.finding.device.uid_alt}}}' + if: ctx.aws_securityhub?.finding?.device?.uid_alt != null + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_display_name_to_related_user + 
value: '{{{_ingest._value.creator.display_name}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_email_addr_to_related_user + value: '{{{_ingest._value.creator.email_addr}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_forward_addr_to_related_user + value: '{{{_ingest._value.creator.forward_addr}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_full_name_to_related_user + value: '{{{_ingest._value.creator.full_name}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_name_to_related_user + value: '{{{_ingest._value.creator.name}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_uid_to_related_user + value: '{{{_ingest._value.creator.uid}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_creator_uid_alt_to_related_user + value: '{{{_ingest._value.creator.uid_alt}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.user + tag: append_osint_whois_email_addr_to_related_user + value: 
'{{{_ingest._value.whois.email_addr}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + append: + field: related.hosts + tag: append_osint_whois_domain_to_related_hosts + value: '{{{_ingest._value.whois.domain}}}' + allow_duplicates: false + - script: + lang: painless + description: Script to add related.* from osint. + tag: set_related_fields_from_osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + source: |- + ctx.related = ctx.related ?: [:]; + ctx.related.ip = ctx.related.ip ?: []; + ctx.related.hosts = ctx.related.hosts ?: []; + ctx.related.hash = ctx.related.hash ?: []; + for (def o: ctx.aws_securityhub.finding.osint) { + if (o.type_id == '1') { // IP Address + ctx.related.ip.add(o.value); + } else if (o.type_id == '2' || o.type_id == '3') { // Domain, Hostname + ctx.related.hosts.add(o.value); + } else if (o.type_id == '4') { // Hash + ctx.related.hash.add(o.value); + } else if (o.type_id == '9') { // Email Address + ctx.related.user.add(o.value); + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.hosts + tag: append_resources_hostname_to_related_hosts + value: '{{{_ingest._value.hostname}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.ip + tag: append_resources_ip_to_related_ip + value: '{{{_ingest._value.ip}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources 
instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_display_name_to_related_user + value: '{{{_ingest._value.owner.display_name}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_email_addr_to_related_user + value: '{{{_ingest._value.owner.email_addr}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_forward_addr_to_related_user + value: '{{{_ingest._value.owner.forward_addr}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_full_name_to_related_user + value: '{{{_ingest._value.owner.full_name}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_name_to_related_user + value: '{{{_ingest._value.owner.name}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_uid_to_related_user + value: '{{{_ingest._value.owner.uid}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + append: + field: related.user + tag: append_resources_owner_uid_alt_to_related_user + value: '{{{_ingest._value.owner.uid_alt}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: 
ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data.awsEc2InstanceDetails.ipV4Addresses + ignore_missing: true + processor: + append: + field: related.ip + tag: append_resources_data_awsEc2InstanceDetails_ipV4Addresses_to_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data.awsEc2InstanceDetails.ipV6Addresses + ignore_missing: true + processor: + append: + field: related.ip + tag: append_resources_data_awsEc2InstanceDetails_ipV6Addresses_to_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + + - remove: + field: + - aws_securityhub.finding.activity_name + - aws_securityhub.finding.finding_info.uid + - aws_securityhub.finding.metadata.sequence + - aws_securityhub.finding.start_time_dt + - aws_securityhub.finding.end_time_dt + - aws_securityhub.finding.finding_info.modified_time_dt + - aws_securityhub.finding.metadata.log_provider + - aws_securityhub.finding.time_dt + - aws_securityhub.finding.cloud.account.uid + - aws_securityhub.finding.cloud.account.name + - aws_securityhub.finding.cloud.zone + - aws_securityhub.finding.metadata.product.vendor_name + - aws_securityhub.finding.metadata.product.feature.uid + - aws_securityhub.finding.finding_info.title + - aws_securityhub.finding.finding_info.desc + - aws_securityhub.finding.compliance.requirements + - aws_securityhub.finding.finding_info.src_url + tag: remove_duplicate_custom_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + + # Cleanup + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_actor.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_actor.yml new file mode 100644 index 00000000000..ded35067ced --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_actor.yml 
@@ -0,0 +1,287 @@ +--- +description: Pipeline for processing Actor object. +# Actor object docs: https://schema.ocsf.io/1.5.0/objects/actor +processors: + - convert: + field: aws_securityhub.finding.actor.idp.has_mfa + tag: convert_actor_idp_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.idp.has_mfa + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.idp.state_id + tag: convert_actor_idp_state_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.actor.process.auid + tag: convert_actor_process_auid_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.actor.process.egid + tag: convert_actor_process_egid_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.actor.process.euid + tag: convert_actor_process_euid_to_string + type: string + ignore_missing: true + - date: + field: aws_securityhub.finding.actor.process.created_time_dt + tag: date_actor_process_created_time_dt + target_field: aws_securityhub.finding.actor.process.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.actor?.process?.created_time_dt != null && ctx.aws_securityhub.finding.actor.process.created_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.process.created_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.process.created_time + tag: date_actor_process_created_time + target_field: aws_securityhub.finding.actor.process.created_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.actor?.process?.created_time != null && ctx.aws_securityhub.finding.actor.process.created_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.process.created_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.process.integrity_id + tag: convert_actor_process_integrity_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.actor.process.namespace_pid + tag: convert_actor_process_namespace_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.process.namespace_pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.process.pid + tag: convert_actor_process_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.process.pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.process.terminated_time_dt + tag: 
date_actor_process_terminated_time_dt + target_field: aws_securityhub.finding.actor.process.terminated_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.actor?.process?.terminated_time_dt != null && ctx.aws_securityhub.finding.actor.process.terminated_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.process.terminated_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.process.terminated_time + tag: date_actor_process_terminated_time + target_field: aws_securityhub.finding.actor.process.terminated_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.actor?.process?.terminated_time != null && ctx.aws_securityhub.finding.actor.process.terminated_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.process.terminated_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.process.tid + tag: convert_actor_process_tid_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.actor.session.count + tag: convert_actor_session_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.session.created_time_dt + tag: date_actor_session_created_time_dt + target_field: aws_securityhub.finding.actor.session.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.actor?.session?.created_time_dt != null && ctx.aws_securityhub.finding.actor.session.created_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.created_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.session.created_time + tag: date_actor_session_created_time + target_field: aws_securityhub.finding.actor.session.created_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.actor?.session?.created_time != null && ctx.aws_securityhub.finding.actor.session.created_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.created_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.session.expiration_time_dt + tag: date_actor_session_expiration_time_dt + target_field: aws_securityhub.finding.actor.session.expiration_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.actor?.session?.expiration_time_dt 
!= null && ctx.aws_securityhub.finding.actor.session.expiration_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.expiration_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.actor.session.expiration_time + tag: date_actor_session_expiration_time + target_field: aws_securityhub.finding.actor.session.expiration_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.actor?.session?.expiration_time != null && ctx.aws_securityhub.finding.actor.session.expiration_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.expiration_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.session.is_mfa + tag: convert_actor_session_is_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.is_mfa + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.session.is_remote + tag: convert_actor_session_is_remote_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.is_remote + ignore_missing: true + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.session.is_vpn + tag: convert_actor_session_is_vpn_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.session.is_vpn + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.user.has_mfa + tag: convert_actor_user_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.user.has_mfa + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.user.risk_level_id + tag: convert_actor_user_risk_level_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.actor.user.risk_score + tag: convert_actor_user_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.actor.user.risk_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.actor.user.type_id + tag: convert_actor_user_type_id_to_string + type: string + ignore_missing: true +on_failure: 
+ - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_attack.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_attack.yml new file mode 100644 index 00000000000..678b68a5ca5 --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_attack.yml 
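Review bot: The `convert` processors for `idp.has_mfa`, `process.namespace_pid`, `process.pid`, `session.count`, `session.is_mfa`, `session.is_remote`, `session.is_vpn`, `user.has_mfa` and `user.risk_score` rely on `ignore_missing: true` but, unlike the `date` processors in the same hunk, do not guard against an empty string. If Security Hub ever emits `""` for one of them, the conversion fails, the on_failure branch removes the field and appends to error.message, and the default pipeline's final `set event.kind: pipeline_error if ctx.error?.message != null` marks the whole finding as a pipeline error for a value the later cleanup script would have dropped anyway. A guard in the same style as the date processors keeps the two consistent, e.g. `if: ctx.aws_securityhub?.finding?.actor?.idp?.has_mfa != ''` on `convert_actor_idp_has_mfa_to_boolean`, with the matching path on each of the others. Whether empty strings actually occur in the feed is not visible here, so this is hardening rather than a known failure.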
@@ -0,0 +1,100 @@
+---
+description: Pipeline for processing Attack object.
+# Attack object docs: https://schema.ocsf.io/1.5.0/objects/attack
+processors:
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.tactic.id
+ value: '{{{_ingest._value.tactic.uid}}}'
+ tag: append_attacks_tactic_uid_into_threat_tactic_id
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.tactic.name
+ value: '{{{_ingest._value.tactic.name}}}'
+ tag: append_attacks_tactic_name_into_threat_tactic_name
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.tactic.reference
+ value: '{{{_ingest._value.tactic.src_url}}}'
+ tag: append_attacks_tactic_src_url_into_threat_tactic_reference
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.technique.id
+ value: '{{{_ingest._value.technique.uid}}}'
+ tag: append_attacks_technique_uid_into_threat_technique_id
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.technique.name
+ value: '{{{_ingest._value.technique.name}}}'
+ tag: append_attacks_technique_name_into_threat_technique_name
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.technique.reference
+ value: '{{{_ingest._value.technique.src_url}}}'
+ tag: append_attacks_technique_src_url_into_threat_technique_reference
+ allow_duplicates: false
+ - foreach:
+ field:
aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.technique.subtechnique.id
+ value: '{{{_ingest._value.sub_technique.uid}}}'
+ tag: append_attacks_sub_technique_uid_into_threat_technique_subtechnique_id
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.technique.subtechnique.name
+ value: '{{{_ingest._value.sub_technique.name}}}'
+ tag: append_attacks_sub_technique_name_into_threat_technique_subtechnique_name
+ allow_duplicates: false
+ - foreach:
+ field: aws_securityhub.finding.attacks
+ if: ctx.aws_securityhub?.finding?.attacks instanceof List
+ processor:
+ append:
+ field: threat.technique.subtechnique.reference
+ value: '{{{_ingest._value.sub_technique.src_url}}}'
+ tag: append_attacks_sub_technique_src_url_into_threat_technique_subtechnique_reference
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_device.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_device.yml
new file mode 100644
index 00000000000..8103dd2c8a7
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_device.yml
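Review bot: Every inner `append` in this pipeline renders `'{{{_ingest._value.tactic.uid}}}'` (and the `technique.*` / `sub_technique.*` counterparts) unconditionally, so an attack entry that lacks that nested object contributes an empty string to `threat.tactic.id`, `threat.technique.id` or `threat.technique.subtechnique.*`; `allow_duplicates: false` caps it at one `""` per field but does not prevent it. Guard each inner processor on the value it reads, e.g. `if: ctx._ingest._value.tactic?.uid != null` on the tactic-id append and the matching `technique?.uid` / `sub_technique?.uid` (and `.name` / `.src_url`) checks on the others. The nine `foreach` loops also walk the same list nine times; collapsing them into one pass is optional, but the guards are what keep the ECS threat arrays free of placeholder values that downstream rules and dashboards would otherwise have to filter out.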
@@ -0,0 +1,725 @@
+---
+description: Pipeline for processing Device object.
+# Device object docs: https://schema.ocsf.io/1.5.0/objects/device
+processors:
+ - foreach:
+ field: aws_securityhub.finding.device.agent_list
+ if: ctx.aws_securityhub?.finding?.device?.agent_list instanceof List
+ processor:
+ convert:
+ field: _ingest._value.type_id
+ tag: convert_device_agent_list_type_id_to_string
+ type: string
+ ignore_missing: true
+ - date:
+ field: aws_securityhub.finding.device.boot_time_dt
+ tag: date_device_boot_time_dt
+ target_field: aws_securityhub.finding.device.boot_time_dt
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
+ if: ctx.aws_securityhub?.finding?.device?.boot_time_dt != null && ctx.aws_securityhub.finding.device.boot_time_dt != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.boot_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.boot_time
+ tag: date_device_boot_time
+ target_field: aws_securityhub.finding.device.boot_time
+ formats:
+ - UNIX_MS
+ if: ctx.aws_securityhub?.finding?.device?.boot_time != null && ctx.aws_securityhub.finding.device.boot_time != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.boot_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.container.size
+ tag: convert_finding_device_container_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ -
remove:
+ field: aws_securityhub.finding.device.container.size
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.created_time_dt
+ tag: date_device_created_time_dt
+ target_field: aws_securityhub.finding.device.created_time_dt
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
+ if: ctx.aws_securityhub?.finding?.device?.created_time_dt != null && ctx.aws_securityhub.finding.device.created_time_dt != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.created_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.created_time
+ tag: date_device_created_time
+ target_field: aws_securityhub.finding.device.created_time
+ formats:
+ - UNIX_MS
+ if: ctx.aws_securityhub?.finding?.device?.created_time != null && ctx.aws_securityhub.finding.device.created_time != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.created_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.first_seen_time_dt
+ tag: date_device_first_seen_time_dt
+ target_field: aws_securityhub.finding.device.first_seen_time_dt
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - yyyy-MM-dd
HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
+ if: ctx.aws_securityhub?.finding?.device?.first_seen_time_dt != null && ctx.aws_securityhub.finding.device.first_seen_time_dt != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.first_seen_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.first_seen_time
+ tag: date_device_first_seen_time
+ target_field: aws_securityhub.finding.device.first_seen_time
+ formats:
+ - UNIX_MS
+ if: ctx.aws_securityhub?.finding?.device?.first_seen_time != null && ctx.aws_securityhub.finding.device.first_seen_time != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.first_seen_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.hw_info.cpu_architecture_id
+ tag: convert_device_hw_info_cpu_architecture_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: aws_securityhub.finding.device.hw_info.cpu_bits
+ tag: convert_device_hw_info_cpu_bits_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.hw_info.cpu_bits
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.hw_info.cpu_cores
+ tag:
convert_device_hw_info_cpu_cores_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.hw_info.cpu_cores
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.hw_info.cpu_count
+ tag: convert_device_hw_info_cpu_count_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.hw_info.cpu_count
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.hw_info.cpu_speed
+ tag: convert_device_hw_info_cpu_speed_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.hw_info.cpu_speed
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.hw_info.ram_size
+ tag: convert_device_hw_info_ram_size_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.hw_info.ram_size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - remove:
+ field: aws_securityhub.finding.device.ip
+
tag: remove_empty_device_ip
+ if: ctx.aws_securityhub?.finding?.device?.ip == '' || ctx.aws_securityhub?.finding?.device?.ip == '-'
+ - convert:
+ field: aws_securityhub.finding.device.ip
+ tag: convert_device_ip_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_backed_up
+ tag: convert_device_is_backed_up_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_backed_up
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_compliant
+ tag: convert_device_is_compliant_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_compliant
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_managed
+ tag: convert_device_is_managed_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_managed
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_mobile_account_active
+ tag: convert_device_is_mobile_account_active_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_mobile_account_active
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_personal
+ tag: convert_device_is_personal_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_personal
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_shared
+ tag: convert_device_is_shared_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_shared
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_supervised
+ tag: convert_device_is_supervised_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_supervised
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.is_trusted
+ tag: convert_device_is_trusted_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.is_trusted
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.last_seen_time_dt
+ tag: date_device_last_seen_time_dt
+ target_field: aws_securityhub.finding.device.last_seen_time_dt
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
+ if: ctx.aws_securityhub?.finding?.device?.last_seen_time_dt != null && ctx.aws_securityhub.finding.device.last_seen_time_dt != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.last_seen_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.last_seen_time
+ tag: date_device_last_seen_time
+ target_field: aws_securityhub.finding.device.last_seen_time
+ formats:
+ - UNIX_MS
+ if: ctx.aws_securityhub?.finding?.device?.last_seen_time != null && ctx.aws_securityhub.finding.device.last_seen_time != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.last_seen_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.location.is_on_premises
+ tag: convert_device_location_is_on_premises_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.location.is_on_premises
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.location.lat
+ tag: convert_device_location_lat_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.location.lat
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.location.long
+ tag: convert_device_location_long_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.location.long
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: aws_securityhub.finding.device.location.value.lat
+ copy_from: aws_securityhub.finding.device.location.lat
+ tag: set_device_location_value_lat
+ ignore_empty_value: true
+ - set:
+ field: aws_securityhub.finding.device.location.value.lon
+ copy_from: aws_securityhub.finding.device.location.long
+ tag: set_device_location_value_lon
+ ignore_empty_value: true
+ -
gsub:
+ field: aws_securityhub.finding.device.mac
+ pattern: '[:.]'
+ replacement: '-'
+ tag: gsub_device_mac
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - uppercase:
+ field: aws_securityhub.finding.device.mac
+ tag: uppercase_device_mac
+ ignore_missing: true
+ if: ctx.aws_securityhub?.finding?.device?.mac != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.modified_time_dt
+ tag: date_device_modified_time_dt
+ target_field: aws_securityhub.finding.device.modified_time_dt
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
+ if: ctx.aws_securityhub?.finding?.device?.modified_time_dt != null && ctx.aws_securityhub.finding.device.modified_time_dt != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.modified_time_dt
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: aws_securityhub.finding.device.modified_time
+ tag: date_device_modified_time
+ target_field: aws_securityhub.finding.device.modified_time
+ formats:
+ - UNIX_MS
+ if: ctx.aws_securityhub?.finding?.device?.modified_time != null &&
ctx.aws_securityhub.finding.device.modified_time != ''
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.modified_time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.namespace_pid
+ tag: convert_device_namespace_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.namespace_pid
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: aws_securityhub.finding.device.network_interfaces
+ if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+ processor:
+ convert:
+ field: _ingest._value.ip
+ tag: convert_device_network_interfaces_ip_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: aws_securityhub.finding.device.network_interfaces
+ if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+ processor:
+ gsub:
+ field: _ingest._value.mac
+ pattern: '[:.]'
+ replacement: '-'
+ tag: gsub_device_network_interfaces_mac
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: aws_securityhub.finding.device.network_interfaces
+ if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+ processor:
+ uppercase:
+ field: _ingest._value.mac
+ tag: uppercase_device_network_interfaces_mac
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.mac
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: aws_securityhub.finding.device.network_interfaces
+ if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+ processor:
+ convert:
+ field: _ingest._value.type_id
+ tag: convert_device_network_interfaces_type_id_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: aws_securityhub.finding.device.network_interfaces
+ if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+ processor:
+ convert:
+ field: _ingest._value.subnet_prefix
+ tag: convert_device_network_interfaces_subnet_prefix_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.subnet_prefix
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.os.cpu_bits
+ tag: convert_device_os_cpu_bits_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.os.cpu_bits
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.os.sp_ver
+ tag: convert_device_os_sp_ver_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: aws_securityhub.finding.device.os.type_id
+ tag: convert_device_os_type_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: aws_securityhub.finding.device.owner.has_mfa
+ tag: convert_device_owner.has_mfa_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.owner.has_mfa
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.owner.risk_level_id
+ tag: convert_device_owner_risk_level_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: aws_securityhub.finding.device.owner.risk_score
+ tag: convert_device_owner_risk_score_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: aws_securityhub.finding.device.owner.risk_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.risk_level_id
+ tag: convert_device_risk_level_id_to_string
+ type: string
+ ignore_missing: true
+ - convert:
+ field: aws_securityhub.finding.device.risk_score
+ tag: convert_device_risk_score_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field:
aws_securityhub.finding.device.risk_score
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: aws_securityhub.finding.device.type_id
+ tag: convert_device_type_id_to_string
+ type: string
+ ignore_missing: true
+
+# # populate ECS fields
+# - set:
+# field: host.boot.id
+# copy_from: aws_securityhub.finding.device.boot_uid
+# tag: set_host_boot_id
+# ignore_empty_value: true
+# - set:
+# field: host.domain
+# copy_from: aws_securityhub.finding.device.domain
+# tag: set_host_domain
+# ignore_empty_value: true
+# - append:
+# field: related.hosts
+# value: '{{{aws_securityhub.finding.device.domain}}}'
+# tag: append_device_domain_into_related_hosts
+# allow_duplicates: false
+# if: ctx.aws_securityhub?.finding?.device?.domain != null
+# - set:
+# field: host.hostname
+# copy_from: aws_securityhub.finding.device.hostname
+# tag: set_host_hostname
+# ignore_empty_value: true
+# - append:
+# field: related.hosts
+# value: '{{{aws_securityhub.finding.device.hostname}}}'
+# tag: append_device_hostname_into_related_hosts
+# allow_duplicates: false
+# if: ctx.aws_securityhub?.finding?.device?.hostname != null
+# - set:
+# field: host.id
+# copy_from: aws_securityhub.finding.device.uid
+# tag: set_host_id
+# ignore_empty_value: true
+# - append:
+# field: related.hosts
+# value: '{{{aws_securityhub.finding.device.uid}}}'
+# tag: append_device_uid_into_related_hosts
+# allow_duplicates: false
+# if: ctx.aws_securityhub?.finding?.device?.uid != null
+# - append:
+# field: host.ip
+# value: '{{{aws_securityhub.finding.device.ip}}}'
+# tag: append_device_ip_into_host_ip
+# allow_duplicates: false
+# if: ctx.aws_securityhub?.finding?.device?.ip != null
+# - append:
+# field: related.ip
+# value: '{{{aws_securityhub.finding.device.ip}}}'
+# tag:
append_device_ip_into_related_ip
+# allow_duplicates: false
+# if: ctx.aws_securityhub?.finding?.device?.ip != null
+# - append:
+# field: host.mac
+# value: '{{{aws_securityhub.finding.device.mac}}}'
+# tag: append_device_ip_into_host_mac
+# allow_duplicates: false
+# if: ctx.aws_securityhub?.finding?.device?.mac != null
+# - append:
+# field: related.hosts
+# value: '{{{aws_securityhub.finding.device.name}}}'
+# tag: append_device_name_into_related_hosts
+# allow_duplicates: false
+# if: ctx.aws_securityhub.finding?.device?.name != null
+# - set:
+# field: host.architecture
+# copy_from: aws_securityhub.finding.device.hw_info.cpu_architecture
+# tag: set_host_architecture
+# ignore_empty_value: true
+# - foreach:
+# field: aws_securityhub.finding.device.network_interfaces
+# if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+# processor:
+# append:
+# field: related.hosts
+# value: '{{{_ingest._value.hostname}}}'
+# tag: append_device_network_interfaces_hostname_into_related_hosts
+# allow_duplicates: false
+# - foreach:
+# field: aws_securityhub.finding.device.network_interfaces
+# if: ctx.aws_securityhub?.finding?.device?.network_interfaces instanceof List
+# processor:
+# append:
+# field: related.ip
+# value: '{{{_ingest._value.ip}}}'
+# tag: append_device_network_interfaces_ip_into_related_ip
+# allow_duplicates: false
+# - set:
+# field: host.os.name
+# copy_from: aws_securityhub.finding.device.os.name
+# tag: set_host_os_name
+# ignore_empty_value: true
+# - set:
+# field: host.os.type
+# copy_from: aws_securityhub.finding.device.os.type
+# tag: set_host_os_type
+# ignore_empty_value: true
+# if: ctx.aws_securityhub?.finding?.device?.os?.type != null && ['Linux','Windows','Android','macOS','iOS'].contains(ctx.aws_securityhub.finding.device.os.type)
+# - lowercase:
+# field: host.os.type
+# tag: lowercase_host_os_type
+# ignore_missing: true
+# if: ctx.host?.os?.type != ''
+# on_failure:
+# - remove:
+# field: host.os.type
+#
ignore_missing: true
+# - append:
+# field: error.message
+# value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+# - set:
+# field: host.os.version
+# copy_from: aws_securityhub.finding.device.os.build
+# tag: set_host_os_version
+# ignore_empty_value: true
+# - set:
+# field: host.risk.static_level
+# copy_from: aws_securityhub.finding.device.risk_level
+# tag: set_host_risk_static_level
+# ignore_empty_value: true
+# - set:
+# field: host.risk.static_score
+# copy_from: aws_securityhub.finding.device.risk_score
+# tag: set_host_risk_static_score
+# ignore_empty_value: true
+# - set:
+# field: host.type
+# copy_from: aws_securityhub.finding.device.type
+# tag: set_host_type
+# ignore_empty_value: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_evidence.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_evidence.yml
new file mode 100644
index 00000000000..f7e3bc48469
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_evidence.yml
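Review bot: The `on_failure` handler of `convert_finding_device_container_size_to_long` is the one handler in this file whose `remove` carries no `ignore_missing: true` and whose message interpolates `{{{_ingest.pipeline}}}` instead of `{{{_ingest.on_failure_pipeline}}}`; this looks like a copy-paste slip, and aligning it with the neighbouring handlers keeps `error.message` uniform for anyone searching on it. The tag `convert_device_owner.has_mfa_to_boolean` likewise breaks the snake_case tag convention used by every other processor here; `convert_device_owner_has_mfa_to_boolean` would match. The large commented-out `# populate ECS fields` section at the end ships dead configuration in an initial release; if the `host.*` mapping is intentionally deferred, a one-line comment stating why is preferable to the bare block, and if it is later revived note that `ctx.aws_securityhub.finding?.device?.name` in it is missing the null-safe `?.` after `aws_securityhub` that all the other conditions use, and that the tag `append_device_ip_into_host_mac` names the wrong source field.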
@@ -0,0 +1,723 @@ +--- +description: Pipeline for processing Evidence Artifacts object. +# Evidence object docs: https://schema.ocsf.io/1.5.0/objects/evidences +processors: + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.idp.has_mfa + tag: convert_evidences_actor_idp_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.idp.has_mfa + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.idp.state_id + tag: convert_evidences_actor_idp_state_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.process.auid + tag: convert_evidences_actor_process_auid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.process.egid + tag: convert_evidences_actor_process_egid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.process.euid + tag: convert_evidences_actor_process_euid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences 
instanceof List + processor: + date: + field: _ingest._value.actor.process.created_time_dt + tag: date_evidences_actor_process_created_time_dt + target_field: _ingest._value.actor.process.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.actor.process.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.process.created_time + tag: date_evidences_actor_process_created_time + target_field: _ingest._value.actor.process.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.actor.process.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.process.integrity_id + tag: convert_evidences_actor_process_integrity_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.process.namespace_pid + tag: convert_evidences_actor_process_namespace_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.process.namespace_pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.process.pid + tag: 
convert_evidences_actor_process_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.process.pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.process.terminated_time_dt + tag: date_evidences_actor_process_terminated_time_dt + target_field: _ingest._value.actor.process.terminated_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.actor.process.terminated_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.process.terminated_time + tag: date_evidences_actor_process_terminated_time + target_field: _ingest._value.actor.process.terminated_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.actor.process.terminated_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences 
instanceof List + processor: + convert: + field: _ingest._value.actor.process.tid + tag: convert_evidences_actor_process_tid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.session.count + tag: convert_evidences_actor_session_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.session.count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.session.created_time_dt + tag: date_evidences_actor_session_created_time_dt + target_field: _ingest._value.actor.session.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.actor.session.created_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.session.created_time + tag: date_evidences_actor_session_created_time + target_field: _ingest._value.actor.session.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.actor.session.created_time + ignore_missing: true + - 
append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.session.expiration_time_dt + tag: date_evidences_actor_session_expiration_time_dt + target_field: _ingest._value.actor.session.expiration_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.actor.session.expiration_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.actor.session.expiration_time + tag: date_evidences_actor_session_expiration_time + target_field: _ingest._value.actor.session.expiration_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.actor.session.expiration_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.session.is_mfa + tag: convert_evidences_actor_session_is_mfa_to_boolean + type: boolean + ignore_missing: true + 
on_failure: + - remove: + field: _ingest._value.actor.session.is_mfa + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.session.is_remote + tag: convert_evidences_actor_session_is_remote_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.session.is_remote + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.session.is_vpn + tag: convert_evidences_actor_session_is_vpn_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.session.is_vpn + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.user.has_mfa + tag: convert_evidences_actor_user_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.user.has_mfa + ignore_missing: true + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.user.risk_level_id + tag: convert_evidences_actor_user_risk_level_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.user.risk_score + tag: convert_evidences_actor_user_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.actor.user.risk_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.actor.user.type_id + tag: convert_evidences_actor_user_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.api.response.code + tag: convert_evidences_api_response_code_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.api.response.code + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + 
- foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.connection_info.boundary_id + tag: convert_evidences_connection_info_boundary_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.connection_info.direction_id + tag: convert_evidences_connection_info_direction_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.connection_info.protocol_num + tag: convert_evidences_connection_info_protocol_num_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.connection_info.protocol_num + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.connection_info.protocol_ver_id + tag: convert_evidences_connection_info_protocol_ver_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.connection_info.tcp_flags + tag: convert_evidences_connection_info_tcp_flags_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.connection_info.tcp_flags + ignore_missing: true + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.src_endpoint.intermediate_ips + tag: convert_evidences_src_endpoint_intermediate_ips_size_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.src_endpoint.intermediate_ips + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.src_endpoint.ip + tag: convert_evidences_src_endpoint_ip_size_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.src_endpoint.ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + gsub: + field: _ingest._value.src_endpoint.mac + pattern: '[:.]' + replacement: '-' + tag: gsub_evidences_src_endpoint_mac + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.src_endpoint.mac + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + uppercase: + field: _ingest._value.src_endpoint.mac + tag: uppercase_evidences_src_endpoint_mac + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.src_endpoint.mac + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.src_endpoint.namespace_pid + tag: convert_evidences_src_endpoint_namespace_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.src_endpoint.namespace_pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.src_endpoint.port + tag: convert_evidences_src_endpoint_port_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.src_endpoint.port + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + 
processor: + convert: + field: _ingest._value.src_endpoint.type_id + tag: convert_evidences_src_endpoint_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.process.auid + tag: convert_evidences_process_auid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.process.egid + tag: convert_evidences_process_egid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.process.euid + tag: convert_evidences_process_euid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.process.created_time_dt + tag: date_evidences_process_created_time_dt + target_field: _ingest._value.process.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.process.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.process.created_time + tag: date_evidences_process_created_time + target_field: _ingest._value.process.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.process.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: 
+ convert: + field: _ingest._value.process.integrity_id + tag: convert_evidences_process_integrity_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.process.namespace_pid + tag: convert_evidences_process_namespace_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.process.namespace_pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.process.pid + tag: convert_evidences_process_pid_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.process.pid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.process.terminated_time_dt + tag: date_evidences_process_terminated_time_dt + target_field: _ingest._value.process.terminated_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.process.terminated_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + date: + field: _ingest._value.process.terminated_time + tag: date_evidences_process_terminated_time + target_field: _ingest._value.process.terminated_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.process.terminated_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.process.tid + tag: convert_evidences_process_tid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.query.opcode_id + tag: convert_evidences_query_opcode_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.query.packet_uid + tag: convert_evidences_query_packet_uid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.evidences + if: ctx.aws_securityhub?.finding?.evidences instanceof List + processor: + convert: + field: _ingest._value.verdict_id + tag: convert_evidences_verdict_id_to_string + type: string + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + 
{{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_finding.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_finding.yml new file mode 100644 index 00000000000..4cd9352042b --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_finding.yml 
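Review bot: The on_failure handlers for `date_evidences_actor_process_created_time_dt`, `date_evidences_actor_process_created_time`, `date_evidences_process_created_time_dt` and `date_evidences_process_created_time` only remove the field, whereas every other date/convert handler in this pipeline also appends to error.message; a malformed timestamp in one of those four evidence entries is dropped silently, so the indexed finding carries no trace that process timing data was lost. Adding the same `- append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'` entry to those four handlers keeps the failure visible to whoever triages the document. Separately, the tags `convert_evidences_src_endpoint_intermediate_ips_size_to_ip` and `convert_evidences_src_endpoint_ip_size_to_ip` carry a stray `_size` that does not describe the processor; `convert_evidences_src_endpoint_intermediate_ips_to_ip` and `convert_evidences_src_endpoint_ip_to_ip` would match the naming used by the other tags in the file.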
@@ -0,0 +1,169 @@ +--- +description: Pipeline for processing Finding object. +# Finding object docs: https://schema.ocsf.io/1.5.0/objects/finding_info +processors: + - convert: + field: aws_securityhub.finding.finding_info.analytic.type_id + tag: convert_finding_info_analytic_type_id_to_string + type: string + ignore_missing: true + - date: + field: aws_securityhub.finding.finding_info.created_time_dt + tag: date_finding_info_created_time_dt + target_field: aws_securityhub.finding.finding_info.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.finding_info?.created_time_dt != null && ctx.aws_securityhub.finding.finding_info.created_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.created_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.finding_info.created_time + tag: date_finding_info_created_time + target_field: aws_securityhub.finding.finding_info.created_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.finding_info?.created_time != null && ctx.aws_securityhub.finding.finding_info.created_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.created_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.finding_info.first_seen_time_dt + tag: date_finding_info_first_seen_time_dt + target_field: 
aws_securityhub.finding.finding_info.first_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.finding_info?.first_seen_time_dt != null && ctx.aws_securityhub.finding.finding_info.first_seen_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.first_seen_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.finding_info.first_seen_time + tag: date_finding_info_first_seen_time + target_field: aws_securityhub.finding.finding_info.first_seen_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.finding_info?.first_seen_time != null && ctx.aws_securityhub.finding.finding_info.first_seen_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.first_seen_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.finding_info.kill_chain.phase_id + tag: convert_finding_info_kill_chain_phase_id_to_string + type: string + ignore_missing: true + - date: + field: aws_securityhub.finding.finding_info.last_seen_time_dt + tag: date_finding_info_last_seen_time_dt + target_field: aws_securityhub.finding.finding_info.last_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.finding_info?.last_seen_time_dt != null && 
ctx.aws_securityhub.finding.finding_info.last_seen_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.last_seen_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.finding_info.last_seen_time + tag: date_finding_info_last_seen_time + target_field: aws_securityhub.finding.finding_info.last_seen_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.finding_info?.last_seen_time != null && ctx.aws_securityhub.finding.finding_info.last_seen_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.last_seen_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.finding_info.modified_time_dt + tag: date_finding_info_modified_time_dt + target_field: aws_securityhub.finding.finding_info.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.finding_info?.modified_time_dt != null && ctx.aws_securityhub.finding.finding_info.modified_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.modified_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: 
aws_securityhub.finding.finding_info.modified_time + tag: date_finding_info_modified_time + target_field: aws_securityhub.finding.finding_info.modified_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.finding_info?.modified_time != null && ctx.aws_securityhub.finding.finding_info.modified_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.modified_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.finding_info.related_analytics + if: ctx.aws_securityhub?.finding?.finding_info?.related_analytics instanceof List + processor: + convert: + field: _ingest._value.type_id + tag: convert_finding_info.related_analytics_type_id_to_string + type: string + ignore_missing: true + - convert: + field: aws_securityhub.finding.finding_info.related_events_count + tag: convert_finding_info_related_events_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.finding_info.related_events_count + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false 
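Review bot: The on_failure handler of `convert_finding_info_related_events_count_to_long` diverges from every other handler in this pipeline: its error message interpolates `{{{_ingest.pipeline}}}` where all the others use `{{{_ingest.on_failure_pipeline}}}`, and its `remove` lacks `ignore_missing: true`. I am not certain `_ingest.pipeline` resolves to anything useful inside an on_failure block, so the pipeline name in this one error string may come out different from, or emptier than, its neighbours; the missing `ignore_missing` is harmless today because the convert only fails on a present value, but it is the one remove in the file that could itself throw. Changing the message to use `{{{_ingest.on_failure_pipeline}}}` and adding `ignore_missing: true` under that remove brings it in line. The tag `convert_finding_info.related_analytics_type_id_to_string` also uses a dot where the rest of the file uses underscores; `convert_finding_info_related_analytics_type_id_to_string` would be consistent.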
diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_malware.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_malware.yml new file mode 100644 index 00000000000..3eb433fbbde --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_malware.yml 
@@ -0,0 +1,422 @@ +--- +description: Pipeline for processing Malware object. +# Malware object docs: https://schema.ocsf.io/1.5.0/objects/malware +processors: + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + convert: + field: _ingest._value.classification_ids + tag: convert_malware_classification_ids_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.cves + ignore_missing: true + processor: + date: + field: _ingest._value.created_time_dt + tag: date_malware_cves_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.cves + ignore_missing: true + processor: + date: + field: _ingest._value.created_time + tag: date_malware_cves_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.cves + ignore_missing: true + processor: + foreach: + field: _ingest._value.cvss + ignore_missing: true + processor: + convert: + field: _ingest._value.base_score + tag: convert_malware_cves_cvss_base_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.base_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} 
with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.cves + ignore_missing: true + processor: + foreach: + field: _ingest._value.cvss + ignore_missing: true + processor: + convert: + field: _ingest._value.overall_score + tag: convert_malware_cves_cvss_overall_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.overall_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.cves + ignore_missing: true + processor: + date: + field: _ingest._value.modified_time_dt + tag: date_malware_cves_modified_time_dt + target_field: _ingest._value.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.cves + ignore_missing: true + processor: + date: + field: _ingest._value.modified_time + tag: date_malware_cves_modified_time + target_field: _ingest._value.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List 
+ processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + date: + field: _ingest._value.accessed_time_dt + tag: date_malware_files_accessed_time_dt + target_field: _ingest._value.accessed_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.accessed_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + date: + field: _ingest._value.accessed_time + tag: date_malware_files_accessed_time + target_field: _ingest._value.accessed_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.accessed_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.attributes + tag: convert_malware_files_attributes_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.attributes + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.confidentiality_id + tag: convert_malware_files_confidentiality_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + 
processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + date: + field: _ingest._value.created_time_dt + tag: date_malware_files_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + date: + field: _ingest._value.created_time + tag: date_malware_files_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.drive_type_id + tag: convert_malware_files_drive_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.is_deleted + tag: convert_malware_files_is_deleted_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_deleted + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + 
foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.is_encrypted + tag: convert_malware_files_is_encrypted_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_encrypted + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.is_system + tag: convert_malware_files_is_system_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_system + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + date: + field: _ingest._value.modified_time_dt + tag: date_malware_files_modified_time_dt + target_field: _ingest._value.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + date: + field: _ingest._value.modified_time + tag: date_malware_files_modified_time + 
target_field: _ingest._value.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.size + tag: convert_malware_files_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.size + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + foreach: + field: _ingest._value.files + ignore_missing: true + processor: + convert: + field: _ingest._value.type_id + tag: convert_malware_files_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + convert: + field: _ingest._value.num_infected + tag: convert_malware_num_infected_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.num_infected + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.malware + if: ctx.aws_securityhub?.finding?.malware instanceof List + processor: + convert: + field: _ingest._value.severity_id + tag: convert_malware_severity_id_to_string + type: string + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ 
_ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_metadata.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_metadata.yml new file mode 100644 index 00000000000..e83a37bc7fd --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_metadata.yml 
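Review bot: The `date` processors nested in the `foreach` blocks of this file (`date_malware_cves_created_time_dt`, `date_malware_files_modified_time`, and the rest) handle failure by removing the field only, so an unparseable CVE or file timestamp on a malware finding is silently discarded with no trace in `error.message`, whereas the neighbouring `convert` handlers do record one. Those are forensic fields (`files[].created_time`, `modified_time`, `accessed_time`), so the loss should be visible: add to each of those `on_failure` lists `- append:` / `field: error.message` / `value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'`. The existing convert handlers are also split between `{{{_ingest.pipeline}}}` (attributes, is_deleted, is_encrypted, is_system, size, num_infected) and `{{{_ingest.on_failure_pipeline}}}` (the two cvss scores); settle on one so the error messages are searchable consistently. Lastly, the `remove` in those convert handlers lacks `ignore_missing: true`, which the equivalent handlers in the metadata pipeline of this same commit carry.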
@@ -0,0 +1,270 @@ +--- +description: Pipeline for processing Metadata object. +# Metadata object docs: https://schema.ocsf.io/1.5.0/objects/metadata +processors: + - foreach: + field: aws_securityhub.finding.metadata.data_classifications + if: ctx.aws_securityhub?.finding?.metadata?.data_classifications instanceof List + processor: + convert: + field: _ingest._value.category_id + tag: convert_finding_metadata_data_classifications_category_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.data_classifications + if: ctx.aws_securityhub?.finding?.metadata?.data_classifications instanceof List + processor: + convert: + field: _ingest._value.confidentiality_id + tag: convert_finding_metadata_data_classifications_confidentiality_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.data_classifications + if: ctx.aws_securityhub?.finding?.metadata?.data_classifications instanceof List + processor: + convert: + field: _ingest._value.size + tag: convert_finding_metadata_data_classifications_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.size + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.metadata.data_classifications + if: ctx.aws_securityhub?.finding?.metadata?.data_classifications instanceof List + processor: + convert: + field: _ingest._value.status_id + tag: convert_finding_metadata_data_classifications_status_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.data_classifications + if: ctx.aws_securityhub?.finding?.metadata?.data_classifications instanceof List + processor: + convert: + field: 
_ingest._value.total + tag: convert_finding_metadata_data_classifications_total_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.total + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.metadata.logged_time_dt + tag: date_metadata_logged_time_dt + target_field: aws_securityhub.finding.metadata.logged_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.metadata?.logged_time_dt != null && ctx.aws_securityhub.finding.metadata.logged_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.metadata.logged_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.metadata.logged_time + tag: date_metadata_logged_time + target_field: aws_securityhub.finding.metadata.logged_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.metadata?.logged_time != null && ctx.aws_securityhub.finding.metadata.logged_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.metadata.logged_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.metadata.loggers + if: ctx.aws_securityhub?.finding?.metadata?.loggers 
instanceof List + processor: + date: + field: _ingest._value.logged_time_dt + tag: date_metadata_loggers_logged_time_dt + target_field: _ingest._value.logged_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.logged_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.loggers + if: ctx.aws_securityhub?.finding?.metadata?.loggers instanceof List + processor: + date: + field: _ingest._value.logged_time + tag: date_metadata_loggers_logged_time + target_field: _ingest._value.logged_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.logged_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.loggers + if: ctx.aws_securityhub?.finding?.metadata?.loggers instanceof List + processor: + date: + field: _ingest._value.transmit_time_dt + tag: date_metadata_loggers_transmit_time_dt + target_field: _ingest._value.transmit_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.transmit_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.loggers + if: ctx.aws_securityhub?.finding?.metadata?.loggers instanceof List + processor: + date: + field: _ingest._value.transmit_time + tag: date_metadata_loggers_transmit_time + target_field: _ingest._value.transmit_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.transmit_time + ignore_missing: true + - date: + field: aws_securityhub.finding.metadata.modified_time_dt + tag: date_metadata_modified_time_dt + target_field: aws_securityhub.finding.metadata.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: 
ctx.aws_securityhub?.finding?.metadata?.modified_time_dt != null && ctx.aws_securityhub.finding.metadata.modified_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.metadata.modified_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.metadata.modified_time + tag: date_metadata_modified_time + target_field: aws_securityhub.finding.metadata.modified_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.metadata?.modified_time != null && ctx.aws_securityhub.finding.metadata.modified_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.metadata.modified_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: aws_securityhub.finding.metadata.processed_time_dt + tag: date_metadata_processed_time_dt + target_field: aws_securityhub.finding.metadata.processed_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + if: ctx.aws_securityhub?.finding?.metadata?.processed_time_dt != null && ctx.aws_securityhub.finding.metadata.processed_time_dt != '' + on_failure: + - remove: + field: aws_securityhub.finding.metadata.processed_time_dt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: 
aws_securityhub.finding.metadata.processed_time + tag: date_metadata_processed_time + target_field: aws_securityhub.finding.metadata.processed_time + formats: + - UNIX_MS + if: ctx.aws_securityhub?.finding?.metadata?.processed_time != null && ctx.aws_securityhub.finding.metadata.processed_time != '' + on_failure: + - remove: + field: aws_securityhub.finding.metadata.processed_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: aws_securityhub.finding.metadata.sequence + tag: convert_finding_metadata_sequence_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: aws_securityhub.finding.metadata.sequence + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.metadata.transformation_info_list + if: ctx.aws_securityhub?.finding?.metadata?.transformation_info_list instanceof List + processor: + date: + field: _ingest._value.time_dt + tag: date_metadata_transformation_info_list_time_dt + target_field: _ingest._value.time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.metadata.transformation_info_list + if: ctx.aws_securityhub?.finding?.metadata?.transformation_info_list instanceof List + processor: + date: + field: _ingest._value.time + tag: date_metadata_transformation_info_list_time + target_field: _ingest._value.time + formats: + - UNIX_MS + 
on_failure: + - remove: + field: _ingest._value.time + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_osint.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_osint.yml new file mode 100644 index 00000000000..962e1100718 --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_osint.yml 
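Review bot: The six `date` processors under the `loggers` and `transformation_info_list` foreach blocks (`date_metadata_loggers_logged_time_dt`, `date_metadata_loggers_transmit_time`, `date_metadata_transformation_info_list_time`, etc.) only remove the field on failure, while every top-level `date`/`convert` in this file also appends to `error.message`; a malformed logger timestamp, which is the finding's provenance of when it was logged and forwarded, vanishes with no signal to the analyst. Append the same `error.message` line used by `date_metadata_logged_time_dt` in those six handlers so the drop is recorded. Separately, the top-level processors guard with `!= null && != ''` but the foreach ones have no `if`, so an element that merely lacks `logged_time_dt` takes the failure path on every event; if `ctx._ingest._value` is usable in the inner processor's `if` (I believe it is, but confirm), a guard such as `if: ctx._ingest._value.logged_time_dt != null` would separate "absent" from "malformed" and avoid exercising the error path for routine input.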
@@ -0,0 +1,996 @@ +--- +description: Pipeline for processing OSINT object. +# OSINT object docs: https://schema.ocsf.io/1.5.0/objects/osint +processors: + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.answers + ignore_missing: true + processor: + convert: + field: _ingest._value.ttl + tag: convert_osint_answers_ttl_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.ttl + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.answers + ignore_missing: true + processor: + convert: + field: _ingest._value.flag_ids + tag: convert_osint_answers_flag_ids_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.answers + ignore_missing: true + processor: + convert: + field: _ingest._value.packet_uid + tag: convert_osint_answers_packet_uid_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.autonomous_system.number + tag: convert_osint_autonomous_system_number_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.autonomous_system.number + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.confidence_id + tag: convert_osint_confidence_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.created_time_dt + tag: date_osint_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.created_time + tag: date_osint_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.creator.has_mfa + tag: convert_osint_creator_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.creator.has_mfa + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.creator.risk_level_id + tag: convert_osint_creator_risk_level_id_to_string + type: string + ignore_missing: true + - foreach: + field: 
aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.creator.risk_score + tag: convert_osint_creator_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.creator.risk_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.creator.type_id + tag: convert_osint_creator_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.detection_pattern_type_id + tag: convert_osint_detection_pattern_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.email.is_read + tag: convert_osint_email_is_read_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.email.is_read + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.email.size + tag: convert_osint_email_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.email.size + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.x_originating_ip + ignore_missing: true + processor: + convert: + field: _ingest._value + tag: convert_osint_x_originating_ip_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.expiration_time_dt + tag: date_osint_expiration_time_dt + target_field: _ingest._value.expiration_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.expiration_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.expiration_time + tag: date_osint_expiration_time + target_field: _ingest._value.expiration_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.expiration_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.file.accessed_time_dt + tag: date_osint_file_accessed_time_dt + target_field: _ingest._value.file.accessed_time_dt + formats: + - ISO8601 + - 
UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.file.accessed_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.file.accessed_time + tag: date_osint_file_accessed_time + target_field: _ingest._value.file.accessed_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.file.accessed_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.attributes + tag: convert_osint_file_attributes_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.file.attributes + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.confidentiality_id + tag: convert_osint_file_confidentiality_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.file.created_time_dt + tag: date_osint_file_created_time_dt + target_field: _ingest._value.file.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.file.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: 
ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.file.created_time + tag: date_osint_file_created_time + target_field: _ingest._value.file.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.file.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.drive_type_id + tag: convert_osint_file_drive_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.is_deleted + tag: convert_osint_file_is_deleted_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.file.is_deleted + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.is_encrypted + tag: convert_osint_file_is_encrypted_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.file.is_encrypted + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.is_system + tag: convert_osint_file_is_system_to_boolean + type: boolean + ignore_missing: true + on_failure: 
+ - remove: + field: _ingest._value.file.is_system + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.file.modified_time_dt + tag: date_osint_file_modified_time_dt + target_field: _ingest._value.file.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.file.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.file.modified_time + tag: date_osint_file_modified_time + target_field: _ingest._value.file.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.file.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.type_id + tag: convert_osint_file_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.file.size + tag: convert_osint_file_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.file.size + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: 
aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.kill_chain + ignore_missing: true + processor: + convert: + field: _ingest._value.phase_id + tag: convert_osint_kill_chain_phase_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.location.is_on_premises + tag: convert_osint_location_is_on_premises_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.is_on_premises + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.location.lat + tag: convert_osint_location_lat_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.lat + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.location.long + tag: convert_osint_location_long_to_double + type: double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.long + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.malware + ignore_missing: true + processor: + convert: + field: _ingest._value.classification_ids + tag: convert_osint_malware_classification_ids_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.malware + ignore_missing: true + processor: + convert: + field: _ingest._value.num_infected + tag: convert_osint_malware_num_infected_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.num_infected + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.malware + ignore_missing: true + processor: + convert: + field: _ingest._value.severity_id + tag: convert_osint_malware_severity_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.modified_time_dt + tag: date_osint_modified_time_dt + target_field: _ingest._value.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: 
_ingest._value.modified_time + tag: date_osint_modified_time + target_field: _ingest._value.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.related_analytics + ignore_missing: true + processor: + convert: + field: _ingest._value.type_id + tag: convert_osint_related_analytics_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.reputation.base_score + tag: convert_osint_reputation_base_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.reputation.base_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.reputation.score_id + tag: convert_osint_reputation_score_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.risk_score + tag: convert_osint_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.risk_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: 
aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.script.type_id + tag: convert_osint_script_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.severity_id + tag: convert_osint_severity_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.signatures + ignore_missing: true + processor: + convert: + field: _ingest._value.algorithm_id + tag: convert_osint_signatures_algorithm_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.signatures + ignore_missing: true + processor: + date: + field: _ingest._value.created_time_dt + tag: date_osint_signatures_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.signatures + ignore_missing: true + processor: + date: + field: _ingest._value.created_time + tag: date_osint_signatures_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: 
_ingest._value.signatures + ignore_missing: true + processor: + convert: + field: _ingest._value.state_id + tag: convert_osint_signatures_state_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.threat_actor.type_id + tag: convert_osint_threat_actor_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.type_id + tag: convert_osint_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.uploaded_time_dt + tag: date_osint_uploaded_time_dt + target_field: _ingest._value.uploaded_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.uploaded_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.uploaded_time + tag: date_osint_uploaded_time + target_field: _ingest._value.uploaded_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.uploaded_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + date: + field: _ingest._value.exploit_last_seen_time_dt + tag: date_osint_vulnerabilities_exploit_last_seen_time_dt + target_field: _ingest._value.exploit_last_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd 
HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.exploit_last_seen_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + date: + field: _ingest._value.exploit_last_seen_time + tag: date_osint_vulnerabilities_exploit_last_seen_time + target_field: _ingest._value.exploit_last_seen_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.exploit_last_seen_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + date: + field: _ingest._value.first_seen_time_dt + tag: date_osint_vulnerabilities_first_seen_time_dt + target_field: _ingest._value.first_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.first_seen_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + date: + field: _ingest._value.first_seen_time + tag: date_osint_vulnerabilities_first_seen_time + target_field: _ingest._value.first_seen_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.first_seen_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + convert: + field: _ingest._value.fix_coverage_id + tag: 
convert_osint_vulnerabilities_fix_coverage_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + convert: + field: _ingest._value.is_exploit_available + tag: convert_osint_vulnerabilities_is_exploit_available_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_exploit_available + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + convert: + field: _ingest._value.is_fix_available + tag: convert_osint_vulnerabilities_is_fix_available_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_fix_available + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + date: + field: _ingest._value.last_seen_time_dt + tag: date_osint_vulnerabilities_last_seen_time_dt + target_field: _ingest._value.last_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: 
_ingest._value.last_seen_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + foreach: + field: _ingest._value.vulnerabilities + ignore_missing: true + processor: + date: + field: _ingest._value.last_seen_time + tag: date_osint_vulnerabilities_last_seen_time + target_field: _ingest._value.last_seen_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.last_seen_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.whois.created_time_dt + tag: date_osint_whois_created_time_dt + target_field: _ingest._value.whois.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.whois.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.whois.created_time + tag: date_osint_whois_created_time + target_field: _ingest._value.whois.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.whois.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + convert: + field: _ingest._value.whois.dnssec_status_id + tag: convert_osint_whois_dnssec_status_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.whois.last_seen_time_dt + tag: date_osint_whois_last_seen_time_dt + target_field: _ingest._value.whois.last_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd 
HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.whois.last_seen_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.osint + if: ctx.aws_securityhub?.finding?.osint instanceof List + processor: + date: + field: _ingest._value.whois.last_seen_time + tag: date_osint_whois_last_seen_time + target_field: _ingest._value.whois.last_seen_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.whois.last_seen_time + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_resources.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_resources.yml new file mode 100644 index 00000000000..84a001e0a08 --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_resources.yml 
@@ -0,0 +1,342 @@ +--- +description: Pipeline for processing Resource object. +# Resource Details object docs: https://schema.ocsf.io/1.5.0/objects/resource_details +processors: + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.agent_list + ignore_missing: true + processor: + convert: + field: _ingest._value.type_id + tag: convert_resources_agent_list_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + date: + field: _ingest._value.created_time_dt + tag: date_resources_created_time_dt + target_field: _ingest._value.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + date: + field: _ingest._value.created_time + tag: date_resources_created_time + target_field: _ingest._value.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data_classifications + ignore_missing: true + processor: + convert: + field: _ingest._value.category_id + tag: convert_resources_data_classifications_category_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data_classifications + ignore_missing: true + processor: + convert: + field: 
_ingest._value.confidentiality_id + tag: convert_resources_data_classifications_confidentiality_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data_classifications + ignore_missing: true + processor: + convert: + field: _ingest._value.size + tag: convert_resources_data_classifications_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.size + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data_classifications + ignore_missing: true + processor: + convert: + field: _ingest._value.status_id + tag: convert_resources_data_classifications_status_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + foreach: + field: _ingest._value.data_classifications + ignore_missing: true + processor: + convert: + field: _ingest._value.total + tag: convert_resources_data_classifications_total_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.total + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List 
+ processor: + convert: + field: _ingest._value.data.awsEc2InstanceDetails.ipV4Addresses + tag: convert_resources_data_awsEc2InstanceDetails_ipV4Addresses_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.data.awsEc2InstanceDetails.ipV4Addresses + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.data.awsEc2InstanceDetails.ipV6Addresses + tag: convert_resources_data_awsEc2InstanceDetails_ipV6Addresses_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.data.awsEc2InstanceDetails.ipV6Addresses + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + date: + field: _ingest._value.data.awsEc2InstanceDetails.launchedAt + tag: date_resources_data_awsEc2InstanceDetails_launchedAt + target_field: _ingest._value.data.awsEc2InstanceDetails.launchedAt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.data.awsEc2InstanceDetails.launchedAt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + date: + field: 
_ingest._value.data.awsLambdaFunctionDetails.lastModifiedAt + tag: date_resources_data_awsLambdaFunctionDetails_lastModifiedAt + target_field: _ingest._value.data.awsLambdaFunctionDetails.lastModifiedAt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.data.awsLambdaFunctionDetails.lastModifiedAt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.ip + tag: convert_resources_ip_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.ip + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.is_backed_up + tag: convert_resources_is_backed_up_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_backed_up + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + date: + field: _ingest._value.modified_time_dt + tag: date_resources_modified_time_dt + target_field: _ingest._value.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd 
HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + date: + field: _ingest._value.modified_time + tag: date_resources_modified_time + target_field: _ingest._value.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.owner.has_mfa + tag: convert_resources_owner_has_mfa_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.owner.has_mfa + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.owner.risk_level_id + tag: convert_resources_owner_risk_level_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.owner.type_id + tag: convert_resources_owner_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.owner.risk_score + tag: convert_resources_owner_risk_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: 
_ingest._value.owner.risk_score + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.resource_relationship.is_directed + tag: convert_resources_resource_relationship_is_directed_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.resource_relationship.is_directed + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.resources + if: ctx.aws_securityhub?.finding?.resources instanceof List + processor: + convert: + field: _ingest._value.resource_relationship.query_language_id + tag: convert_resources_resource_relationship_query_language_id_to_string + type: string + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false 
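Review bot: The `convert_resources_data_awsEc2InstanceDetails_ipV4Addresses_to_ip` processor converts the whole `ipV4Addresses` value in one step and its `on_failure` removes the entire field, so if the field is an array as its plural name suggests, one malformed address discards every address attached to the instance; the `ipV6Addresses` processor right after it has the same shape. The osint pipeline earlier in this patch handles `x_originating_ip` with a nested `foreach` that converts each element and, on failure, drops only the offending one, and resource addresses are a primary pivot for responders, so I would expect the same per-element handling here. I would restructure both processors as below, keeping the `error.message` append so the drop remains visible in the document; this mirrors the existing `x_originating_ip` pattern, which as far as I can tell leaves a null placeholder for the removed element rather than shrinking the array — worth confirming that is acceptable for the `ip`-typed mapping.
```yaml
  - foreach:
      field: aws_securityhub.finding.resources
      if: ctx.aws_securityhub?.finding?.resources instanceof List
      processor:
        foreach:
          field: _ingest._value.data.awsEc2InstanceDetails.ipV4Addresses
          ignore_missing: true
          processor:
            convert:
              field: _ingest._value
              tag: convert_resources_data_awsEc2InstanceDetails_ipV4Addresses_to_ip
              type: ip
              ignore_missing: true
              on_failure:
                - remove:
                    field: _ingest._value
                    ignore_missing: true
                - append:
                    field: error.message
                    value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
  # … unchanged: apply the same nested-foreach shape to the ipV6Addresses processor …
```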
diff --git a/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_vulnerabilities.yml b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_vulnerabilities.yml new file mode 100644 index 00000000000..12b359064fb --- /dev/null +++ b/packages/aws_securityhub/data_stream/finding/elasticsearch/ingest_pipeline/pipeline_object_vulnerabilities.yml 
@@ -0,0 +1,498 @@ +--- +description: Pipeline for processing Vulnerability object. +# Vulnerability object docs: https://schema.ocsf.io/1.5.0/objects/vulnerability +processors: + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.advisory.created_time_dt + tag: date_vulnerabilities_advisory_created_time_dt + target_field: _ingest._value.advisory.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.advisory.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.advisory.created_time + tag: date_vulnerabilities_advisory_created_time + target_field: _ingest._value.advisory.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.advisory.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.advisory.install_state_id + tag: convert_vulnerabilities_advisory_install_state_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.advisory.is_superseded + tag: convert_vulnerabilities_advisory_is_superseded_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.advisory.is_superseded + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.advisory.modified_time_dt + tag: date_vulnerabilities_advisory_modified_time_dt + target_field: _ingest._value.advisory.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.advisory.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.advisory.modified_time + tag: date_vulnerabilities_advisory_modified_time + target_field: _ingest._value.advisory.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.advisory.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.advisory.size + tag: convert_vulnerabilities_advisory_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.advisory.size + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.affected_code + ignore_missing: true + processor: + convert: + field: _ingest._value.end_column + tag: convert_vulnerabilities_affected_code_end_column_to_long + type: long + 
ignore_missing: true + on_failure: + - remove: + field: _ingest._value.end_column + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.affected_code + ignore_missing: true + processor: + convert: + field: _ingest._value.end_line + tag: convert_vulnerabilities_affected_code_end_line_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.end_line + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.affected_code + ignore_missing: true + processor: + convert: + field: _ingest._value.start_column + tag: convert_vulnerabilities_affected_code_start_column_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.start_column + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.affected_code + ignore_missing: true + processor: + convert: + field: _ingest._value.start_line + tag: 
convert_vulnerabilities_affected_code_start_line_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.start_line + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.affected_packages + ignore_missing: true + processor: + convert: + field: _ingest._value.epoch + tag: convert_vulnerabilities_affected_packages_epoch_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.epoch + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.affected_packages + ignore_missing: true + processor: + convert: + field: _ingest._value.type_id + tag: convert_vulnerabilities_affected_packages_type_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.cve.created_time_dt + tag: date_vulnerabilities_cve_created_time_dt + target_field: _ingest._value.cve.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.cve.created_time_dt + ignore_missing: true + - foreach: + field: 
aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.cve.created_time + tag: date_vulnerabilities_cve_created_time + target_field: _ingest._value.cve.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.cve.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.cve.cvss + ignore_missing: true + processor: + convert: + field: _ingest._value.base_score + tag: convert_vulnerabilities_cve_cvss_base_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.base_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + foreach: + field: _ingest._value.cve.cvss + ignore_missing: true + processor: + convert: + field: _ingest._value.overall_score + tag: convert_vulnerabilities_cve_cvss_overall_score_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.overall_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.cve.epss.created_time_dt + tag: date_vulnerabilities_cve_epss_created_time_dt + target_field: 
_ingest._value.cve.epss.created_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.cve.epss.created_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.cve.epss.created_time + tag: date_vulnerabilities_cve_epss_created_time + target_field: _ingest._value.cve.epss.created_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.cve.epss.created_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.cve.epss.percentile + tag: convert_vulnerabilities_cve_epss_percentile_to_float + type: float + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cve.epss.percentile + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.cve.modified_time_dt + tag: date_vulnerabilities_cve_modified_time_dt + target_field: _ingest._value.cve.modified_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.cve.modified_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: 
_ingest._value.cve.modified_time + tag: date_vulnerabilities_cve_modified_time + target_field: _ingest._value.cve.modified_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.cve.modified_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.exploit_last_seen_time_dt + tag: date_vulnerabilities_exploit_last_seen_time_dt + target_field: _ingest._value.exploit_last_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.exploit_last_seen_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.exploit_last_seen_time + tag: date_vulnerabilities_exploit_last_seen_time + target_field: _ingest._value.exploit_last_seen_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.exploit_last_seen_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.first_seen_time_dt + tag: date_vulnerabilities_first_seen_time_dt + target_field: _ingest._value.first_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X + on_failure: + - remove: + field: _ingest._value.first_seen_time_dt + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.first_seen_time + tag: date_vulnerabilities_first_seen_time + target_field: 
_ingest._value.first_seen_time + formats: + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.first_seen_time + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.fix_coverage_id + tag: convert_vulnerabilities_fix_coverage_id_to_string + type: string + ignore_missing: true + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.is_exploit_available + tag: convert_vulnerabilities_is_exploit_available_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_exploit_available + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + convert: + field: _ingest._value.is_fix_available + tag: convert_vulnerabilities_is_fix_available_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_fix_available + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: aws_securityhub.finding.vulnerabilities + if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List + processor: + date: + field: _ingest._value.last_seen_time_dt + tag: date_vulnerabilities_last_seen_time_dt + target_field: _ingest._value.last_seen_time_dt + formats: + - ISO8601 + - UNIX_MS + - yyyy-MM-dd 
HH:mm:ss[.SSSSSSSSS][.SSSSSSSS][.SSSSSSS][.SSSSSS][.SSSSS][.SSSS][.SSS][.SS][.S]X
+ on_failure:
+ - remove:
+ field: _ingest._value.last_seen_time_dt
+ ignore_missing: true
+ - foreach:
+ field: aws_securityhub.finding.vulnerabilities
+ if: ctx.aws_securityhub?.finding?.vulnerabilities instanceof List
+ processor:
+ date:
+ field: _ingest._value.last_seen_time
+ tag: date_vulnerabilities_last_seen_time
+ target_field: _ingest._value.last_seen_time
+ formats:
+ - UNIX_MS
+ on_failure:
+ - remove:
+ field: _ingest._value.last_seen_time
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
+ - append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
diff --git a/packages/aws_securityhub/data_stream/finding/fields/base-fields.yml b/packages/aws_securityhub/data_stream/finding/fields/base-fields.yml
new file mode 100644
index 00000000000..1e89c325b0f
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: event.module
+ external: ecs
+ type: constant_keyword
+ value: aws_securityhub
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: aws_securityhub.finding
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/aws_securityhub/data_stream/finding/fields/beats.yml b/packages/aws_securityhub/data_stream/finding/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/beats.yml
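Review bot: Every `date` processor in this pipeline handles a parse failure by silently removing the field (for example `_ingest._value.exploit_last_seen_time_dt`, `_ingest._value.cve.created_time`, `_ingest._value.first_seen_time`), while the sibling `convert` handlers in the same file also append to `error.message`; a malformed timestamp therefore disappears from the indexed finding with no trace, and an analyst cannot distinguish "scanner did not report it" from "we dropped it". I would add the same entry to each date `on_failure` list: `- append:` / `field: error.message` / `value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'`. Separately, the `remove` steps under the `convert` handlers (first seen on `_ingest._value.advisory.is_superseded`, then `advisory.size`, the `affected_code` and `affected_packages` fields, the `cvss` scores, `cve.epss.percentile`, `is_exploit_available` and `is_fix_available`) omit `ignore_missing: true` that the date handlers carry; it is harmless today because `ignore_missing: true` on the convert means a failure implies the field exists, but the inconsistency invites a copy-paste error later. Consider also a short header comment noting that `*_time` fields are expected as epoch milliseconds (`UNIX_MS`) while `*_time_dt` fields accept ISO8601 as well, since the two format lists differ deliberately.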
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/aws_securityhub/data_stream/finding/fields/ecs.yml b/packages/aws_securityhub/data_stream/finding/fields/ecs.yml
new file mode 100644
index 00000000000..cc61312ef72
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/ecs.yml
@@ -0,0 +1,7 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+ external: ecs
+- name: vulnerability.scanner.vendor
+ type: constant_keyword
+ external: ecs
diff --git a/packages/aws_securityhub/data_stream/finding/fields/fields.yml b/packages/aws_securityhub/data_stream/finding/fields/fields.yml
new file mode 100644
index 00000000000..2cf66269dfe
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/fields.yml
@@ -0,0 +1,4615 @@ +- name: aws_securityhub + type: group + fields: + - name: finding + type: group + fields: + - name: action + type: keyword + description: The normalized caption of action_id. + - name: action_id + type: keyword + description: The action taken by a control or other policy-based system leading to an outcome or disposition. + - name: activity_id + type: keyword + description: The normalized identifier of the finding activity. + - name: activity_name + type: keyword + description: The finding activity name, as defined by the activity_id. + - name: actor + type: group + fields: + - name: app_name + type: keyword + description: The client application or service that initiated the activity. + - name: app_uid + type: keyword + description: The unique identifier of the client application or service that initiated the activity. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome. + - name: policy + type: flattened + description: Details about the Identity/Access management policies that are applicable. + - name: idp + type: group + fields: + - name: auth_factors + type: nested + description: The Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider. + - name: domain + type: keyword + description: The primary domain associated with the Identity Provider. + - name: fingerprint + type: flattened + description: The fingerprint of the X.509 certificate used by the Identity Provider. + - name: has_mfa + type: boolean + description: The Identity Provider enforces Multi Factor Authentication (MFA). + - name: issuer + type: keyword + description: The unique identifier (often a URL) used by the Identity Provider as its issuer. + - name: name + type: keyword + description: The name of the Identity Provider. 
+ - name: protocol_name + type: keyword + description: The supported protocol of the Identity Provider. + - name: scim + type: flattened + description: The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. + - name: sso + type: flattened + description: The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers. + - name: state + type: keyword + description: The configuration state of the Identity Provider, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The normalized state ID of the Identity Provider to reflect its configuration or activation status. + - name: tenant_uid + type: keyword + description: The tenant ID associated with the Identity Provider. + - name: uid + type: keyword + description: The unique identifier of the Identity Provider. + - name: url_string + type: keyword + description: The URL for accessing the configuration or metadata of the Identity Provider. + - name: process + type: group + fields: + - name: ancestry + type: nested + description: An array of Process Entities describing the extended parentage of this process object. + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: cpid + type: keyword + description: A unique process identifier that can be assigned deterministically by multiple system data producers. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: flattened + description: The process file object. + - name: group + type: flattened + description: The group under which this process is running. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the integrity_id value. + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: The friendly name of the process. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: path + type: keyword + description: The process file path. + - name: pid + type: long + description: The process identifier, as reported by the operating system. + - name: sandbox + type: keyword + description: The name of the containment jail. + - name: session + type: flattened + description: The user session under which this process is running. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: keyword + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
+ - name: user + type: flattened + description: The user under which this process is running. + - name: working_directory + type: keyword + description: The working directory of a process. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: count + type: long + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. 
+ - name: user + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
+ - name: anomaly_analyses
+ type: group
+ fields:
+ - name: analysis_targets
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The specific name or identifier of the analysis target, such as the username of a User Account, the name of a Kubernetes Cluster, the identifier of a Network Namespace, or the name of an Application Component.
+ - name: type
+ type: keyword
+ description: The category of the analysis target, such as User Account, Kubernetes Cluster, Network Namespace, or Application Component.
+ - name: anomalies
+ type: group
+ fields:
+ - name: observation_parameter
+ type: keyword
+ description: The specific parameter, metric or property where the anomaly was observed.
+ - name: observation_type
+ type: keyword
+ description: The type of analysis methodology used to detect the anomaly.
+ - name: observations
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Integer representing the total number of times this specific value/event was observed across all occurrences.
+ - name: observed_pattern
+ type: keyword
+ description: The specific pattern identified within the observation type.
+ - name: timespan
+ type: flattened
+ description: The time window when the value or event was first observed.
+ - name: value
+ type: keyword
+ description: The specific value, event, indicator or data point that was observed and recorded.
+ - name: baselines
+ type: group
+ fields:
+ - name: observation_parameter
+ type: keyword
+ description: The specific parameter, metric or property where the anomaly was observed.
+ - name: observation_type
+ type: keyword
+ description: The type of analysis methodology used to detect the anomaly.
+ - name: observations
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Integer representing the total number of times this specific value/event was observed across all occurrences.
+ - name: observed_pattern
+ type: keyword
+ description: The specific pattern identified within the observation type.
+ - name: timespan
+ type: flattened
+ description: The time window when the value or event was first observed.
+ - name: value
+ type: keyword
+ description: The specific value, event, indicator or data point that was observed and recorded.
+ - name: api
+ type: group
+ fields:
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: request
+ type: group
+ fields:
+ - name: containers
+ type: nested
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api request.
+ - name: flags
+ type: keyword
+ description: The communication flags that are associated with the api request.
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: response
+ type: group
+ fields:
+ - name: code
+ type: long
+ description: The numeric response sent to a request.
+ - name: containers
+ type: nested
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api response.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: keyword
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The communication flags that are associated with the api response.
+ - name: message
+ type: keyword
+ description: The description of the event/finding, as defined by the source.
+ - name: service
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
+ - name: assignee
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated to the account.
+ - name: name
+ type: keyword
+ description: The name of the account.
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential.
+ - name: display_name
+ type: keyword
+ description: The display name of the user, as reported by the product.
+ - name: domain
+ type: keyword
+ description: The domain where the user is defined.
+ - name: email_addr
+ type: keyword
+ description: The user's primary email address.
+ - name: forward_addr
+ type: keyword
+ description: The user's forwarding email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the user, as reported by the product.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group privileges.
+ - name: domain
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The domain where the group is defined.
+ - name: privileges
+ type: keyword
+ description: The group name.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
+ - name: has_mfa
+ type: boolean
+ description: The user has a multi-factor or secondary-factor device assigned.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the assignee.
+ - name: created_time
+ type: date
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The timestamp when the user was created.
+ - name: deleted_time
+ type: date
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The timestamp when the user was deleted.
+ - name: display_name
+ type: keyword
+ description: The display name of the LDAP person.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the assignee.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the assignee.
+ - name: hire_time
+ type: date
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the assignee.
+ - name: last_login_time
+ type: date
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last time when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service.
+ - name: leave_time
+ type: date
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: location
+ type: flattened
+ description: The geographical location associated with a assignee.
+ - name: manager
+ type: flattened
+ description: The user's manager.
+ - name: modified_time
+ type: date
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The timestamp when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the assignee.
+ - name: phone_number
+ type: keyword
+ description: The telephone number of the assignee.
+ - name: surname
+ type: keyword
+ description: The last or family name for the assignee.
+ - name: name
+ type: keyword
+ description: The username.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization.
+ - name: ou_name
+ type: keyword
+ description: The name of an organizational unit.
+ - name: ou_uid
+ type: keyword
+ description: The unique identifier of an organizational unit.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization.
+ - name: phone_number
+ type: keyword
+ description: The telephone number of the assignee.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: type
+ type: keyword
+ description: The type of the assignee.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
+ - name: assignee_group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group privileges.
+ - name: domain
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The domain where the group is defined.
+ - name: privileges
+ type: keyword
+ description: The group name.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
+ - name: attacks
+ type: group
+ fields:
+ - name: mitigation
+ type: group
+ fields:
+ - name: countermeasures
+ type: nested
+ description: The ATT&CK® or ATLAS™ Matrix version.
+ - name: name
+ type: keyword
+ description: The D3FEND countermeasures that are associated with the attack technique.
+ - name: src_url
+ type: keyword
+ description: The Mitigation name that is associated with the attack technique.
+ - name: uid
+ type: keyword
+ description: The versioned permalink of the Mitigation.
+ - name: version
+ type: keyword
+ description: The Mitigation ID that is associated with the attack technique.
+ - name: sub_technique
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the attack sub-technique.
+ - name: src_url
+ type: keyword
+ description: The versioned permalink of the attack sub-technique.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the attack sub-technique.
+ - name: tactic
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The Tactic name that is associated with the attack technique.
+ - name: src_url
+ type: keyword
+ description: The versioned permalink of the Tactic.
+ - name: uid
+ type: keyword
+ description: The Tactic ID that is associated with the attack technique.
+ - name: technique
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the attack technique.
+ - name: src_url
+ type: keyword
+ description: The versioned permalink of the attack technique.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the attack technique.
+ - name: version
+ type: keyword
+ description: The ATT&CK® or ATLAS™ Matrix version.
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome.
+ - name: policy
+ type: group
+ fields:
+ - name: data
+ type: flattened
+ description: Additional data about the policy such as the underlying JSON policy itself or other details.
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: flattened
+ description: The policy group.
+ - name: is_applied
+ type: boolean
+ description: A determination if the content of a policy was applied to a target or request, or not.
+ - name: name
+ type: keyword
+ description: The policy name.
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: category_name
+ type: keyword
+ description: The event category name.
+ - name: category_uid
+ type: keyword
+ description: The category unique identifier of the event.
+ - name: class_name
+ type: keyword
+ description: The event class name.
+ - name: class_uid
+ type: keyword
+ description: The unique identifier of a class.
+ - name: cloud
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated to the account.
+ - name: name
+ type: keyword
+ description: The name of the account.
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account.
+ - name: cloud_partition
+ type: keyword
+ description: The canonical cloud partition name to which the region is assigned.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization.
+ - name: ou_name
+ type: keyword
+ description: The name of an organizational unit.
+ - name: ou_uid
+ type: keyword
+ description: The unique identifier of an organizational unit.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization.
+ - name: provider
+ type: keyword
+ description: The unique name of the Cloud services provider.
+ - name: region
+ type: keyword
+ description: The name of the cloud region, as defined by the cloud provider.
+ - name: zone
+ type: keyword
+ description: The availability zone in the cloud region, as defined by the cloud provider.
+ - name: comment
+ type: keyword
+ description: A user provided comment about the finding.
+ - name: compliance
+ type: group
+ fields:
+ - name: assessments
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The category that the assessment is part of.
+ - name: desc
+ type: keyword
+ description: The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.
+ - name: meets_criteria
+ type: boolean
+ description: Determines whether the assessment against the specific configuration or signal meets the assessments criteria.
+ - name: name
+ type: keyword
+ description: 'The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState.'
+ - name: policy
+ type: group
+ fields:
+ - name: data
+ type: flattened
+ description: Additional data about the policy such as the underlying JSON policy itself or other details.
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: is_applied
+ type: boolean
+ description: A determination if the content of a policy was applied to a target or request, or not.
+ - name: name
+ type: keyword
+ description: The policy name.
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the configuration or signal being assessed.
+ - name: category
+ type: keyword
+ description: The category a control framework pertains to, as reported by the source tool, such as Asset Management or Risk Assessment.
+ - name: checks
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The detailed description of the compliance check, explaining the security requirement, vulnerability, or configuration being assessed.
+ - name: name
+ type: keyword
+ description: The name or title of the compliance check.
+ - name: severity
+ type: keyword
+ description: The severity level as defined in the source document.
+ - name: severity_id
+ type: keyword
+ description: The normalized severity identifier that maps severity levels to standard severity levels.
+ - name: standards
+ type: keyword
+ description: The regulatory or industry standard this check is associated with.
+ - name: status
+ type: keyword
+ description: The resultant status of the compliance check normalized to the caption of the status_id value.
+ - name: status_id
+ type: keyword
+ description: The normalized status identifier of the compliance check.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the compliance check within its standard or framework.
+ - name: version
+ type: keyword
+ description: The check version.
+ - name: control
+ type: keyword
+ description: A Control is a prescriptive, actionable set of specifications that strengthens device posture.
+ - name: control_parameters
+ type: nested
+ description: The list of control parameters evaluated in a Compliance check.
+ - name: desc
+ type: keyword
+ description: The description or criteria of a control.
+ - name: requirements
+ type: keyword
+ description: The specific compliance requirements being evaluated.
+ - name: standards
+ type: keyword
+ description: The regulatory or industry standards being evaluated for compliance.
+ - name: status
+ type: keyword
+ description: The resultant status of the compliance check normalized to the caption of the status_id value.
+ - name: status_code
+ type: keyword
+ description: The resultant status code of the compliance check.
+ - name: status_details
+ type: keyword
+ description: A list of contextual descriptions of the status, status_code values.
+ - name: status_id
+ type: keyword
+ description: The normalized status identifier of the compliance check.
+ - name: confidence
+ type: keyword
+ description: The confidence, normalized to the caption of the confidence_id value. .
+ - name: confidence_id
+ type: keyword
+ description: The normalized confidence refers to the accuracy of the rule that created the finding.
+ - name: confidence_score
+ type: long
+ description: The confidence score as reported by the event source.
+ - name: count
+ type: long
+ description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
+ - name: device
+ type: group
+ fields:
+ - name: agent_list
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the agent or sensor.
+ - name: policies
+ type: nested
+ description: Describes the various policies that may be applied or enforced by an agent or sensor.
+ - name: type
+ type: keyword
+ description: The normalized caption of the type_id value for the agent or sensor.
+ - name: type_id
+ type: keyword
+ description: The normalized representation of an agent or sensor.
+ - name: uid
+ type: keyword
+ description: The UID of the agent or sensor, sometimes known as a Sensor ID or aid.
+ - name: uid_alt
+ type: keyword
+ description: An alternative or contextual identifier for the agent or sensor.
+ - name: vendor_name
+ type: keyword
+ description: The company or author who created the agent or sensor.
+ - name: version
+ type: keyword
+ description: The semantic version of the agent or sensor.
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: boot_time
+ type: date
+ description: The time the system was booted.
+ - name: boot_time_dt
+ type: date
+ description: The time the system was booted.
+ - name: boot_uid
+ type: keyword
+ description: A unique identifier of the device that changes after every reboot.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: labels
+ type: keyword
+ description: The list of labels associated to the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: The time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: The network domain where the device resides.
+ - name: eid
+ type: keyword
+ description: An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group privileges.
+ - name: domain
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The domain where the group is defined.
+ - name: privileges
+ type: keyword
+ description: The group name.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
+ - name: hostname
+ type: keyword
+ description: The device hostname.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: The BIOS date.
+ - name: bios_manufacturer
+ type: keyword
+ description: The BIOS manufacturer.
+ - name: bios_ver
+ type: keyword
+ description: The BIOS version.
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor.
+ - name: cpu_architecture
+ type: keyword
+ description: The CPU architecture, normalized to the caption of the cpu_architecture_id value.
+ - name: cpu_architecture_id
+ type: keyword
+ description: The normalized identifier of the CPU architecture.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
+ - name: cpu_cores
+ type: long
+ description: The number of processor cores in all installed processors.
+ - name: cpu_count
+ type: long
+ description: The number of physical processors on a system.
+ - name: cpu_speed
+ type: long
+ description: The speed of the processor in Mhz.
+ - name: cpu_type
+ type: keyword
+ description: The processor type.
+ - name: desktop_display
+ type: flattened
+ description: The desktop display affiliated with the event.
+ - name: keyboard_info
+ type: flattened
+ description: The keyboard detailed information.
+ - name: ram_size
+ type: long
+ description: The total amount of installed RAM, in Megabytes.
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: uuid
+ type: keyword
+ description: The device manufacturer assigned universally unique hardware identifier. .
+ - name: vendor_name
+ type: keyword
+ description: The device manufacturer.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device.
+ - name: iccid
+ type: keyword
+ description: The Integrated Circuit Card Identification of a mobile device.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated to the image.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: imei_list
+ type: keyword
+ description: The International Mobile Equipment Identity values that are associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface.
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address.
+ - name: is_backed_up
+ type: boolean
+ description: Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_mobile_account_active
+ type: boolean
+ description: Indicates whether the device has an active mobile account.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_shared
+ type: boolean
+ description: The event occurred on a shared device.
+ - name: is_supervised
+ type: boolean
+ description: The event occurred on a supervised device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: aerial_height
+ type: keyword
+ description: Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location.
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: geodetic_altitude
+ type: keyword
+ description: The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid.
+ - name: geodetic_vertical_accuracy
+ type: keyword
+ description: Provides quality/containment on geodetic altitude.
+ - name: geohash
+ type: keyword
+ description: Geohash of the geo-coordinates (latitude and longitude).
+ - name: horizontal_accuracy
+ type: keyword
+ description: Provides quality/containment on horizontal position.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: lat
+ type: double
+ description: The geographical Latitude coordinate represented in Decimal Degrees (DD).
+ - name: long
+ type: double
+ description: The geographical Longitude coordinate represented in Decimal Degrees (DD).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: pressure_altitude
+ type: keyword
+ description: The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g.
province or state) of the country.
+ - name: value
+ type: geo_point
+ description: The geographical location.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: meid
+ type: keyword
+ description: The Mobile Equipment Identifier.
+ - name: model
+ type: keyword
+ description: The model of the device.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator.
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization.
+ - name: ou_name
+ type: keyword
+ description: The name of an organizational unit.
+ - name: ou_uid
+ type: keyword
+ description: The unique identifier of an organizational unit.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code).
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST).
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
+ - name: edition
+ type: keyword
+ description: The operating system edition.
+ - name: kernel_release
+ type: keyword
+ description: The kernel release of the operating system.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system. .
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event.
+ - name: os_machine_uuid
+ type: keyword
+ description: The operating system assigned Machine ID.
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: flattened
+ description: The user's account or the account associated with the user.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential.
+ - name: display_name
+ type: keyword
+ description: The display name of the user, as reported by the product.
+ - name: domain
+ type: keyword
+ description: The domain where the user is defined.
+ - name: email_addr
+ type: keyword
+ description: The user's primary email address.
+ - name: forward_addr
+ type: keyword
+ description: The user's forwarding email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the user, as reported by the product.
+ - name: groups
+ type: nested
+ description: The administrative groups to which the user belongs.
+ - name: has_mfa
+ type: boolean
+ description: The user has a multi-factor or secondary-factor device assigned.
+ - name: ldap_person
+ type: flattened
+ description: The additional LDAP attributes that describe a person.
+ - name: name
+ type: keyword
+ description: The username.
+ - name: org
+ type: flattened
+ description: Organization and org unit related to the user.
+ - name: phone_number
+ type: keyword
+ description: The telephone number of the user.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: type
+ type: keyword
+ description: The type of the user.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: keyword
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: udid
+ type: keyword
+ description: The Apple assigned Unique Device Identifier (UDID).
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device.
+ - name: uid_alt
+ type: keyword
+ description: An alternate unique identifier of the device if any.
+ - name: vendor_name
+ type: keyword
+ description: The vendor for the device.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
+ - name: disposition
+ type: keyword
+ description: The disposition name, normalized to the caption of the disposition_id value.
+ - name: disposition_id
+ type: keyword
+ description: Describes the outcome or action taken by a security control.
+ - name: duration
+ type: long
+ description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
+ - name: end_time
+ type: date
+ description: The time of the most recent event included in the finding.
+ - name: end_time_dt
+ type: date
+ description: The time of the most recent event included in the finding.
+ - name: enrichments
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the enrichment data was generated.
+ - name: created_time_dt
+ type: date
+ description: The time when the enrichment data was generated.
+ - name: data
+ type: flattened
+ description: The enrichment data associated with the attribute and value. .
+ - name: desc
+ type: keyword
+ description: A long description of the enrichment data.
+ - name: name
+ type: keyword
+ description: The name of the attribute to which the enriched data pertains.
+ - name: provider
+ type: keyword
+ description: The enrichment data provider name.
+ - name: reputation
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: The reputation score as reported by the event source.
+ - name: provider
+ type: keyword
+ description: The provider of the reputation information.
+ - name: score
+ type: keyword
+ description: The reputation score, normalized to the caption of the score_id value.
+ - name: score_id
+ type: keyword
+ description: The normalized reputation score identifier.
+ - name: short_desc
+ type: keyword
+ description: A short description of the enrichment data.
+ - name: src_url
+ type: keyword
+ description: The URL of the source of the enrichment data.
+ - name: type
+ type: keyword
+ description: The enrichment type.
+ - name: value
+ type: keyword
+ description: The value of the attribute to which the enriched data pertains.
+ - name: evidences
+ type: group
+ fields:
+ - name: actor
+ type: group
+ fields:
+ - name: app_name
+ type: keyword
+ description: The client application or service that initiated the activity.
+ - name: app_uid
+ type: keyword
+ description: The unique identifier of the client application or service that initiated the activity.
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome.
+ - name: policy
+ type: flattened
+ description: Details about the Identity/Access management policies that are applicable.
+ - name: idp
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The primary domain associated with the Identity Provider.
+ - name: fingerprint
+ type: flattened
+ description: The fingerprint of the X.509 certificate used by the Identity Provider.
+ - name: has_mfa
+ type: boolean
+ description: The Identity Provider enforces Multi Factor Authentication (MFA).
+ - name: issuer
+ type: keyword
+ description: The unique identifier (often a URL) used by the Identity Provider as its issuer.
+ - name: name
+ type: keyword
+ description: The name of the Identity Provider.
+ - name: protocol_name
+ type: keyword
+ description: The supported protocol of the Identity Provider.
+ - name: scim
+ type: flattened
+ description: The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms.
+ - name: sso
+ type: flattened
+ description: The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.
+ - name: state
+ type: keyword
+ description: The configuration state of the Identity Provider, normalized to the caption of the state_id value.
+ - name: state_id
+ type: keyword
+ description: The normalized state ID of the Identity Provider to reflect its configuration or activation status.
+ - name: tenant_uid
+ type: keyword
+ description: The tenant ID associated with the Identity Provider.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the Identity Provider.
+ - name: url_string
+ type: keyword
+ description: The URL for accessing the configuration or metadata of the Identity Provider.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container + type: flattened + description: The information describing an instance of a container. + - name: cpid + type: keyword + description: A unique process identifier that can be assigned deterministically by multiple system data producers. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: flattened + description: The process file object. + - name: group + type: flattened + description: The group under which this process is running. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the integrity_id value. + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: The friendly name of the process. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: path + type: keyword + description: The process file path. + - name: pid + type: long + description: The process identifier, as reported by the operating system. + - name: sandbox + type: keyword + description: The name of the containment jail. + - name: session + type: flattened + description: The user session under which this process is running. + - name: terminated_time + type: date + description: The time when the process was terminated. 
+ - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: keyword + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). + - name: user + type: flattened + description: The user under which this process is running. + - name: working_directory + type: keyword + description: The working directory of a process. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: count + type: long + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: user + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. 
+ - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: api + type: group + fields: + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: request + type: group + fields: + - name: containers + type: nested + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The communication flags that are associated with the api request. + - name: uid + type: keyword + description: The unique request identifier. + - name: response + type: group + fields: + - name: code + type: long + description: The numeric response sent to a request. + - name: containers + type: nested + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. 
+ - name: error_message + type: keyword + description: Error Message. + - name: flags + type: keyword + description: The communication flags that are associated with the api response. + - name: message + type: keyword + description: The description of the event/finding, as defined by the source. + - name: service + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. + - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. + - name: community_uid + type: keyword + description: The Community ID of the network connection. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: flag_history + type: keyword + description: The Connection Flag History summarizes events in a network connection. + - name: protocol_name + type: keyword + description: The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). + - name: protocol_num + type: long + description: The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). + - name: protocol_ver + type: keyword + description: The Internet Protocol version. 
+ - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. + - name: session + type: flattened + description: The authenticated user or service session. + - name: tcp_flags + type: long + description: The network connection TCP header flags (i.e., control bits). + - name: uid + type: keyword + description: The unique identifier of the connection. + - name: container + type: flattened + description: Describes details about the container associated to the activity that triggered the detection. + - name: data + type: flattened + description: Additional evidence data that is not accounted for in the specific evidence attributes. + - name: database + type: flattened + description: Describes details about the database associated to the activity that triggered the detection. + - name: databucket + type: flattened + description: Describes details about the databucket associated to the activity that triggered the detection. + - name: device + type: flattened + description: An addressable device, computer system or host associated to the activity that triggered the detection. + - name: dst_endpoint + type: flattened + description: Describes details about the destination of the network activity that triggered the detection. + - name: email + type: flattened + description: The email object associated to the activity that triggered the detection. + - name: file + type: flattened + description: Describes details about the file associated to the activity that triggered the detection. + - name: http_request + type: flattened + description: Describes details about the http request associated to the activity that triggered the detection. + - name: http_response + type: flattened + description: Describes details about the http response associated to the activity that triggered the detection. + - name: ja4_fingerprint_list + type: nested + description: Describes details about the JA4+ fingerprints that triggered the detection. 
+ - name: job + type: flattened + description: Describes details about the scheduled job that was associated with the activity that triggered the detection. + - name: name + type: keyword + description: The naming convention or type identifier of the evidence associated with the security detection. + - name: process + type: group + fields: + - name: ancestry + type: nested + description: An array of Process Entities describing the extended parentage of this process object. + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: cpid + type: keyword + description: A unique process identifier that can be assigned deterministically by multiple system data producers. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: environment_variables + type: nested + description: Environment variables associated with the process. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: flattened + description: The process file object. + - name: group + type: flattened + description: The group under which this process is running. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the integrity_id value. + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). 
+ - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: The friendly name of the process. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: path + type: keyword + description: The process file path. + - name: pid + type: long + description: The process identifier, as reported by the operating system. + - name: sandbox + type: keyword + description: The name of the containment jail. + - name: session + type: flattened + description: The user session under which this process is running. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: keyword + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). + - name: user + type: flattened + description: The user under which this process is running. + - name: working_directory + type: keyword + description: The working directory of a process. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: query + type: group + fields: + - name: class + type: keyword + description: The class of resource records being queried. + - name: hostname + type: keyword + description: The hostname or domain being queried. + - name: opcode + type: keyword + description: The DNS opcode specifies the type of the query message. 
+ - name: opcode_id + type: keyword + description: The DNS opcode ID specifies the normalized query message type as defined in RFC-5395. + - name: packet_uid + type: keyword + description: The DNS packet identifier assigned by the program that generated the query. + - name: type + type: keyword + description: The type of resource records being queried. + - name: reg_key + type: flattened + description: Describes details about the registry key that triggered the detection. + - name: reg_value + type: flattened + description: Describes details about the registry value that triggered the detection. + - name: resources + type: nested + description: Describes details about the cloud resources directly related to activity that triggered the detection. + - name: script + type: flattened + description: Describes details about the script that was associated with the activity that triggered the detection. + - name: src_endpoint + type: group + fields: + - name: agent_list + type: nested + description: A list of agent objects associated with a device, endpoint, or resource. + - name: autonomous_system + type: flattened + description: The Autonomous System details associated with an IP address. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain that the endpoint belongs to or that corresponds to the endpoint. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. 
+ - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: isp_org + type: keyword + description: The organization name of the Internet Service Provider (ISP). + - name: location + type: flattened + description: The geographical location of the endpoint. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: owner + type: flattened + description: The identity of the service or user account that owns the endpoint or was last logged into it. + - name: port + type: long + description: The port used for communication within the network connection. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. + - name: type + type: keyword + description: The network endpoint type. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. 
+ - name: tls + type: flattened + description: Describes details about the Transport Layer Security (TLS) activity that triggered the detection. + - name: uid + type: keyword + description: The unique identifier of the evidence associated with the security detection. + - name: url + type: flattened + description: The URL object that pertains to the event or object associated to the activity that triggered the detection. + - name: user + type: flattened + description: Describes details about the user that was the target or somehow else associated with the activity that triggered the detection. + - name: verdict + type: keyword + description: The normalized verdict of the evidence associated with the security detection. + - name: verdict_id + type: keyword + description: The normalized verdict (or status) ID of the evidence associated with the security detection. + - name: win_service + type: flattened + description: Describes details about the Windows service that triggered the detection. + - name: finding_info + type: group + fields: + - name: analytic + type: group + fields: + - name: algorithm + type: keyword + description: The algorithm used by the underlying analytic to generate the finding. + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: The analytic version. 
+ - name: attacks + type: group + fields: + - name: mitigation + type: flattened + description: The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack. + - name: sub_technique + type: flattened + description: The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack. + - name: tactic + type: flattened + description: The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack. + - name: technique + type: flattened + description: The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack. + - name: version + type: keyword + description: The ATT&CK® or ATLAS™ Matrix version. + - name: created_time + type: date + description: The time when the finding was created. + - name: created_time_dt + type: date + description: The time when the finding was created. + - name: data_sources + type: keyword + description: A list of data sources utilized in generation of the finding. + - name: desc + type: keyword + description: The description of the reported finding. + - name: first_seen_time + type: date + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time when the finding was first observed. + - name: kill_chain + type: group + fields: + - name: phase + type: keyword + description: The cyber kill chain phase. + - name: phase_id + type: keyword + description: The cyber kill chain phase identifier. + - name: last_seen_time + type: date + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the finding was most recently observed. + - name: modified_time + type: date + description: The time when the finding was last modified. 
+ - name: modified_time_dt + type: date + description: The time when the finding was last modified. + - name: product + type: group + fields: + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST). + - name: data_classifications + type: nested + description: A list of Data Classification objects. + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: The two letter lower case language codes. + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The version of the product. + - name: related_analytics + type: group + fields: + - name: algorithm + type: keyword + description: The algorithm used by the underlying analytic to generate the finding. + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. 
+ - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The analytic version. + - name: related_events + type: group + fields: + - name: attacks + type: nested + description: An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. + - name: count + type: long + description: The number of times that activity in the same logical group occurred, as reported by the related Finding. + - name: created_time + type: date + description: The time when the related event/finding was created. + - name: created_time_dt + type: date + description: The time when the related event/finding was created. + - name: desc + type: keyword + description: A description of the related event/finding. + - name: first_seen_time + type: date + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time when the finding was first observed. + - name: kill_chain + type: nested + description: The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. + - name: last_seen_time + type: date + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the finding was most recently observed. + - name: modified_time + type: date + description: The time when the related event/finding was last modified. + - name: modified_time_dt + type: date + description: The time when the related event/finding was last modified. + - name: observables + type: nested + description: The observables associated with the event or a finding. + - name: product + type: flattened + description: Details about the product that reported the related event/finding. 
+ - name: severity + type: keyword + description: The event/finding severity, normalized to the caption of the severity_id value. + - name: severity_id + type: keyword + description: The normalized identifier of the event/finding severity. + - name: title + type: keyword + description: A title or a brief phrase summarizing the related event/finding. + - name: traits + type: nested + description: The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome. + - name: type + type: keyword + description: The type of the related event/finding. + - name: type_name + type: keyword + description: The type of the related OCSF event, as defined by type_uid. + - name: type_uid + type: keyword + description: The unique identifier of the related OCSF event type. + - name: uid + type: keyword + description: The unique identifier of the related event/finding. + - name: related_events_count + type: long + description: Number of related events or findings. + - name: src_url + type: keyword + description: The URL pointing to the source of the finding. + - name: title + type: keyword + description: A title or a brief phrase summarizing the reported finding. + - name: traits + type: group + fields: + - name: category + type: keyword + description: The high-level grouping or classification this trait belongs to. + - name: name + type: keyword + description: The name of the trait. + - name: type + type: keyword + description: The type of the trait. + - name: uid + type: keyword + description: The unique identifier of the trait. + - name: values + type: keyword + description: The values of the trait. + - name: types + type: keyword + description: One or more types of the reported finding. + - name: uid + type: keyword + description: The unique identifier of the reported finding. + - name: uid_alt + type: keyword + description: The alternative unique identifier of the reported finding. 
+ - name: firewall_rule + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: keyword + description: The rule trigger condition for the rule. + - name: desc + type: keyword + description: The description of the rule that generated the event. + - name: duration + type: long + description: The rule response time duration, usually used for challenge completion time. + - name: match_details + type: keyword + description: The data in a request that rule matched. + - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. + - name: name + type: keyword + description: The name of the rule that generated the event. + - name: rate_limit + type: long + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. + - name: type + type: keyword + description: The rule type. + - name: uid + type: keyword + description: The unique identifier of the rule that generated the event. + - name: version + type: keyword + description: The rule version. + - name: impact + type: keyword + description: The impact , normalized to the caption of the impact_id value. + - name: impact_id + type: keyword + description: The normalized impact of the incident or finding. + - name: impact_score + type: long + description: The impact as an integer value of the finding. + - name: is_alert + type: boolean + description: Indicates that the event is considered to be an alertable signal. + - name: is_suspected_breach + type: boolean + description: A determination based on analytics as to whether a potential breach was found. + - name: malware + type: group + fields: + - name: classification_ids + type: keyword + description: The list of normalized identifiers of the malware classifications. 
+ - name: classifications + type: keyword + description: The list of malware classifications, normalized to the captions of the classification_ids values. + - name: cves + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: The CVSS base score. + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The Common Vulnerability Scoring System metrics. + - name: value + type: keyword + description: The Common Vulnerability Scoring System metrics. + - name: overall_score + type: double + description: The CVSS overall score, impacted by base, temporal, and environmental metrics. + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. + - name: src_url + type: keyword + description: The source URL for the CVSS score. + - name: vector_string + type: keyword + description: The CVSS vector string is a text representation of a set of CVSS metrics. + - name: vendor_name + type: keyword + description: The vendor that provided the CVSS score. + - name: version + type: keyword + description: The CVSS version. + - name: desc + type: keyword + description: A brief description of the CVE Record. + - name: epss + type: flattened + description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. 
+ - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: flattened + description: The product where the vulnerability was discovered. + - name: references + type: keyword + description: A list of reference URLs with additional information about the CVE Record. + - name: related_cwes + type: nested + description: Describes the Common Weakness Enumeration (CWE) details related to the CVE Record. + - name: title + type: keyword + description: A title or a brief phrase summarizing the CVE record. + - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. + - name: files + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: flattened + description: The name of the user who last accessed the object. + - name: attributes + type: long + description: The bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: The name of the company that published the file. + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. 
+ - name: creator + type: flattened + description: The user that created the file. + - name: data_classifications + type: nested + description: A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. + - name: desc + type: keyword + description: The description of the file, as returned by file system. + - name: drive_type + type: keyword + description: The drive type, normalized to the caption of the drive_type_id value. + - name: drive_type_id + type: keyword + description: Identifies the type of a disk drive. + - name: encryption_details + type: flattened + description: The encryption details of the file. + - name: ext + type: keyword + description: The extension of the file, excluding the leading dot. + - name: hashes + type: nested + description: An array of hash attributes. + - name: internal_name + type: keyword + description: The name of the file as identified within the file itself. + - name: is_deleted + type: boolean + description: Indicates if the file was deleted from the filesystem. + - name: is_encrypted + type: boolean + description: Indicates if the file is encrypted. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: flattened + description: The user that last modified the file. + - name: name + type: keyword + description: The name of the file. + - name: owner + type: flattened + description: The user that owns the file/object. + - name: parent_folder + type: keyword + description: The parent folder in which the file resides. 
+ - name: path + type: keyword + description: The full path to the file. + - name: product + type: flattened + description: The product that created or installed the file. + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: flattened + description: The digital signature of the file. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system. + - name: uri + type: keyword + description: The file URI. + - name: url + type: flattened + description: The URL of the file. + - name: version + type: keyword + description: The file version. + - name: volume + type: keyword + description: The volume on the storage device where the file is located. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: name + type: keyword + description: The malware name, as reported by the detection engine. + - name: num_infected + type: long + description: The number of files that were identified to be infected by the malware. + - name: provider + type: keyword + description: The name or identifier of the security solution or service that provided the malware detection information. + - name: severity + type: keyword + description: The severity of the malware, normalized to the captions of the severity_id values. + - name: severity_id + type: keyword + description: The normalized identifier of the malware severity. + - name: uid + type: keyword + description: A unique identifier for the specific malware instance, as assigned by the detection engine. 
+ - name: malware_scan_info + type: group + fields: + - name: end_time + type: date + description: The timestamp indicating when the scan job completed execution. + - name: end_time_dt + type: date + description: The timestamp indicating when the scan job completed execution. + - name: name + type: keyword + description: The administrator-supplied or application-generated name of the scan. + - name: num_files + type: long + description: The total number of files analyzed during the scan. + - name: num_infected + type: long + description: The total number of files identified as infected with malware during the scan. + - name: num_volumes + type: long + description: The total number of storage volumes examined during the malware scan. + - name: size + type: long + description: The total size in bytes of all files that were scanned. + - name: start_time + type: date + description: The timestamp indicating when the scan job began execution. + - name: start_time_dt + type: date + description: The timestamp indicating when the scan job began execution. + - name: type + type: keyword + description: The type of scan. + - name: type_id + type: keyword + description: The type id of the scan. + - name: uid + type: keyword + description: The application-defined unique identifier assigned to an instance of a scan. + - name: unique_malware_count + type: long + description: The number of unique malware detected across all infected files. + - name: message + type: keyword + description: The description of the event/finding, as defined by the source. + - name: metadata + type: group + fields: + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: data_classifications + type: group + fields: + - name: category + type: keyword + description: The name of the data classification category that data matched into. + - name: category_id + type: keyword + description: The normalized identifier of the data classification category. 
+ - name: classifier_details + type: flattened + description: Describes details about the classifier used for data classification. + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: discovery_details + type: nested + description: Details about the data discovered by classification job. + - name: policy + type: flattened + description: Details about the data policy that governs data handling and security measures related to classification. + - name: size + type: long + description: Size of the data classified. + - name: src_url + type: keyword + description: The source URL pointing towards the full classifcation job details. + - name: status + type: keyword + description: The resultant status of the classification job normalized to the caption of the status_id value. + - name: status_details + type: keyword + description: The contextual description of the status, status_id value. + - name: status_id + type: keyword + description: The normalized status identifier of the classification job. + - name: total + type: long + description: The total count of discovered entities, by the classification job. + - name: uid + type: keyword + description: The unique identifier of the classification job. + - name: debug + type: keyword + description: Debug information about non-fatal issues with this OCSF event. + - name: event_code + type: keyword + description: The Event ID, Code, or Name that the product uses to primarily identify the event. + - name: extensions + type: group + fields: + - name: name + type: keyword + description: The schema extension name. + - name: uid + type: keyword + description: The schema extension unique identifier. + - name: version + type: keyword + description: The schema extension version. 
+ - name: labels + type: keyword + description: The list of labels attached to the event. + - name: log_level + type: keyword + description: The audit level at which an event was generated. + - name: log_name + type: keyword + description: The event log name. + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. + - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. + - name: loggers + type: group + fields: + - name: device + type: flattened + description: The device where the events are logged. + - name: event_uid + type: keyword + description: The unique identifier of the event assigned by the logger. + - name: log_level + type: keyword + description: The audit level at which an event was generated. + - name: log_name + type: keyword + description: The event log name. + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. + - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. + - name: name + type: keyword + description: The name of the logging product instance. + - name: product + type: flattened + description: The product logging the event. 
+ - name: transmit_time + type: date + description: The time when the event was transmitted from the logging device to it's next destination. + - name: transmit_time_dt + type: date + description: The time when the event was transmitted from the logging device to it's next destination. + - name: uid + type: keyword + description: The unique identifier of the logging product instance. + - name: version + type: keyword + description: The version of the logging product. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. + - name: processed_time + type: date + description: The event processed time. + - name: processed_time_dt + type: date + description: The event processed time. + - name: product + type: group + fields: + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST). + - name: data_classifications + type: nested + description: A list of Data Classification objects. + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: The two letter lower case language codes. + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. 
+ - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The version of the product. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. + - name: tenant_uid + type: keyword + description: The unique tenant identifier. + - name: transformation_info_list + type: group + fields: + - name: lang + type: keyword + description: The transformation language used to transform the data. + - name: name + type: keyword + description: The name of the transformation or mapping. + - name: product + type: flattened + description: The product or instance used to make the transformation. + - name: time + type: date + description: Time of the transformation. + - name: time_dt + type: date + description: Time of the transformation. + - name: uid + type: keyword + description: The unique identifier of the mapping or transformation. + - name: url_string + type: keyword + description: The Uniform Resource Locator String where the mapping or transformation exists. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: The version of the OCSF schema, using Semantic Versioning Specification (SemVer). + - name: observables + type: group + fields: + - name: name + type: keyword + description: The full name of the observable attribute. + - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. + - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. + - name: score_id + type: keyword + description: The normalized reputation score identifier. 
+ - name: type + type: keyword + description: The observable value type name. + - name: type_id + type: keyword + description: The observable value type identifier. + - name: value + type: keyword + description: The value associated with the observable attribute. + - name: osint + type: group + fields: + - name: answers + type: group + fields: + - name: class + type: keyword + description: The class of DNS data contained in this resource record. + - name: flag_ids + type: keyword + description: The list of DNS answer header flag IDs. + - name: flags + type: keyword + description: The list of DNS answer header flags. + - name: packet_uid + type: keyword + description: The DNS packet identifier assigned by the program that generated the query. + - name: rdata + type: keyword + description: The data describing the DNS resource. + - name: ttl + type: long + description: The time interval that the resource record may be cached. + - name: type + type: keyword + description: The type of data contained in this resource record. + - name: attacks + type: group + fields: + - name: mitigation + type: flattened + description: The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack. + - name: sub_technique + type: flattened + description: The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack. + - name: tactic + type: flattened + description: The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack. + - name: technique + type: flattened + description: The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack. + - name: version + type: keyword + description: The ATT&CK® or ATLAS™ Matrix version. + - name: autonomous_system + type: group + fields: + - name: name + type: keyword + description: Organization name for the Autonomous System. 
+ - name: number + type: long + description: Unique number that the AS is identified by. + - name: campaign + type: group + fields: + - name: name + type: keyword + description: The name of a specific campaign associated with a cyber threat. + - name: category + type: keyword + description: Categorizes the threat indicator based on its functional or operational role. + - name: comment + type: keyword + description: Analyst commentary or source commentary about an indicator or OSINT analysis. + - name: confidence + type: keyword + description: The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. + - name: confidence_id + type: keyword + description: The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. + - name: created_time + type: date + description: The timestamp when the indicator was initially created or identified. + - name: created_time_dt + type: date + description: The timestamp when the indicator was initially created or identified. + - name: creator + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. 
+ - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: desc + type: keyword + description: A detailed explanation of the indicator, including its context, purpose, and relevance. + - name: detection_pattern + type: keyword + description: The specific detection pattern or signature associated with the indicator. + - name: detection_pattern_type + type: keyword + description: The detection pattern type, normalized to the caption of the detection_pattern_type_id value. + - name: detection_pattern_type_id + type: keyword + description: Specifies the type of detection pattern used to identify the associated threat indicator. + - name: email + type: group + fields: + - name: cc + type: keyword + description: The machine-readable email header Cc values. + - name: cc_mailboxes + type: keyword + description: The human-readable email header Cc Mailbox values. 
+ - name: data_classifications + type: nested + description: A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. + - name: delivered_to_list + type: keyword + description: The machine-readable Delivered-To email header values. + - name: files + type: nested + description: The files embedded or attached to the email. + - name: from + type: keyword + description: The machine-readable email header From values. + - name: from_mailbox + type: keyword + description: The human-readable email header From Mailbox value. + - name: http_headers + type: nested + description: Additional HTTP headers of an HTTP request or response. + - name: is_read + type: boolean + description: The indication of whether the email has been read. + - name: message_uid + type: keyword + description: The email header Message-ID value. + - name: raw_header + type: keyword + description: The email authentication header. + - name: reply_to_mailboxes + type: keyword + description: The human-readable email header Reply To Mailbox values. + - name: size + type: long + description: The size in bytes of the email, including attachments. + - name: subject + type: keyword + description: The email header Subject value. + - name: to + type: keyword + description: The machine-readable email header To values. + - name: to_mailboxes + type: keyword + description: The human-readable email header To Mailbox values. + - name: uid + type: keyword + description: The unique identifier of the email thread. + - name: urls + type: nested + description: The URLs embedded in the email. + - name: x_originating_ip + type: ip + description: The X-Originating-IP header identifying the emails originating IP address(es). + - name: email_auth + type: group + fields: + - name: dkim + type: keyword + description: The DomainKeys Identified Mail (DKIM) status of the email. 
+ - name: dkim_domain + type: keyword + description: The DomainKeys Identified Mail (DKIM) status of the email. + - name: dkim_signature + type: keyword + description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. + - name: dmarc + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. + - name: dmarc_override + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. + - name: dmarc_policy + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. + - name: spf + type: keyword + description: The Sender Policy Framework (SPF) status of the email. + - name: expiration_time + type: date + description: The expiration date of the indicator, after which it is no longer considered reliable. + - name: expiration_time_dt + type: date + description: The expiration date of the indicator, after which it is no longer considered reliable. + - name: external_uid + type: keyword + description: A unique identifier assigned by an external system for cross-referencing. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: flattened + description: The name of the user who last accessed the object. + - name: attributes + type: long + description: The bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: The name of the company that published the file. + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. 
+ - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: flattened + description: The user that created the file. + - name: data_classifications + type: nested + description: A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. + - name: desc + type: keyword + description: The description of the file, as returned by file system. + - name: drive_type + type: keyword + description: The drive type, normalized to the caption of the drive_type_id value. + - name: drive_type_id + type: keyword + description: Identifies the type of a disk drive. + - name: encryption_details + type: flattened + description: The encryption details of the file. + - name: ext + type: keyword + description: The extension of the file, excluding the leading dot. + - name: hashes + type: nested + description: An array of hash attributes. + - name: internal_name + type: keyword + description: The name of the file as identified within the file itself. + - name: is_deleted + type: boolean + description: Indicates if the file was deleted from the filesystem. + - name: is_encrypted + type: boolean + description: Indicates if the file is encrypted. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. 
+ - name: modifier + type: flattened + description: The user that last modified the file. + - name: name + type: keyword + description: The name of the file. + - name: owner + type: flattened + description: The user that owns the file/object. + - name: parent_folder + type: keyword + description: The parent folder in which the file resides. + - name: path + type: keyword + description: The full path to the file. + - name: product + type: flattened + description: The product that created or installed the file. + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: flattened + description: The digital signature of the file. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system. + - name: uri + type: keyword + description: The file URI. + - name: url + type: flattened + description: The URL of the file. + - name: version + type: keyword + description: The file version. + - name: volume + type: keyword + description: The volume on the storage device where the file is located. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: intrusion_sets + type: keyword + description: A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. + - name: kill_chain + type: group + fields: + - name: phase + type: keyword + description: The cyber kill chain phase. + - name: phase_id + type: keyword + description: The cyber kill chain phase identifier. + - name: labels + type: keyword + description: Tags or keywords associated with the indicator to enhance searchability. 
+ - name: location + type: group + fields: + - name: aerial_height + type: keyword + description: Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. + - name: desc + type: keyword + description: The description of the geographical location. + - name: geodetic_altitude + type: keyword + description: The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. + - name: geodetic_vertical_accuracy + type: keyword + description: Provides quality/containment on geodetic altitude. + - name: geohash + type: keyword + description: Geohash of the geo-coordinates (latitude and longitude). + - name: horizontal_accuracy + type: keyword + description: Provides quality/containment on horizontal position. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: lat + type: double + description: The geographical Latitude coordinate represented in Decimal Degrees (DD). + - name: long + type: double + description: The geographical Longitude coordinate represented in Decimal Degrees (DD). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: pressure_altitude + type: keyword + description: The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. 
province or state) of the country. + - name: malware + type: group + fields: + - name: classification_ids + type: keyword + description: The list of normalized identifiers of the malware classifications. + - name: classifications + type: keyword + description: The list of malware classifications, normalized to the captions of the classification_ids values. + - name: cves + type: nested + description: The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware. + - name: files + type: nested + description: The list of file objects representing files that were identified as infected by the malware. + - name: name + type: keyword + description: The malware name, as reported by the detection engine. + - name: num_infected + type: long + description: The number of files that were identified to be infected by the malware. + - name: provider + type: keyword + description: The name or identifier of the security solution or service that provided the malware detection information. + - name: severity + type: keyword + description: The severity of the malware, normalized to the captions of the severity_id values. + - name: severity_id + type: keyword + description: The normalized identifier of the malware severity. + - name: uid + type: keyword + description: A unique identifier for the specific malware instance, as assigned by the detection engine. + - name: modified_time + type: date + description: The timestamp of the last modification or update to the indicator. + - name: modified_time_dt + type: date + description: The timestamp of the last modification or update to the indicator. + - name: name + type: keyword + description: The name is a pointer/reference to an attribute within the OCSF event data. + - name: references + type: keyword + description: Provides a reference to an external source of information related to the CTI being represented. 
+ - name: related_analytics + type: group + fields: + - name: algorithm + type: keyword + description: The algorithm used by the underlying analytic to generate the finding. + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: The analytic version. + - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. + - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. + - name: score_id + type: keyword + description: The normalized reputation score identifier. + - name: risk_score + type: long + description: A numerical representation of the threat indicator’s risk level. + - name: script + type: group + fields: + - name: file + type: flattened + description: Present if this script is associated with a file. + - name: hashes + type: nested + description: An array of the script's cryptographic hashes. + - name: name + type: keyword + description: Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis. + - name: parent_uid + type: keyword + description: This attribute relates a sub-script to a parent script having the matching uid attribute. 
+ - name: script_content + type: flattened + description: The script content, normalized to UTF-8 encoding irrespective of its original encoding. + - name: type + type: keyword + description: The script type, normalized to the caption of the type_id value. + - name: type_id + type: keyword + description: The normalized script type ID. + - name: uid + type: keyword + description: Some script engines assign a unique ID to each individual execution of a given script. + - name: severity + type: keyword + description: Represents the severity level of the threat indicator, typically reflecting its potential impact or damage. + - name: severity_id + type: keyword + description: The normalized severity level of the threat indicator, typically reflecting its potential impact or damage. + - name: signatures + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: flattened + description: The certificate object containing information about the digital certificate. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: flattened + description: The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information. + - name: state + type: keyword + description: The digital signature state defines the signature state, normalized to the caption of 'state_id'. + - name: state_id + type: keyword + description: The normalized identifier of the signature state. 
+ - name: src_url + type: keyword + description: The source URL of an indicator or OSINT analysis. + - name: subdomains + type: keyword + description: Any pertinent subdomain information. + - name: subnet + type: keyword + description: A CIDR or network block related to an indicator or OSINT analysis. + - name: threat_actor + type: group + fields: + - name: name + type: keyword + description: The name of the threat actor. + - name: type + type: keyword + description: The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats. + - name: type_id + type: keyword + description: The normalized datastore resource type identifier. + - name: tlp + type: keyword + description: The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. + - name: type + type: keyword + description: The OSINT indicator type. + - name: type_id + type: keyword + description: The OSINT indicator type ID. + - name: uid + type: keyword + description: The unique identifier for the OSINT object. + - name: uploaded_time + type: date + description: The timestamp indicating when the associated indicator or intelligence was added to the system or repository. + - name: uploaded_time_dt + type: date + description: The timestamp indicating when the associated indicator or intelligence was added to the system or repository. + - name: value + type: keyword + description: The actual indicator value in scope. + - name: vendor_name + type: keyword + description: The vendor name of a tool which generates intelligence or provides indicators. + - name: vulnerabilities + type: group + fields: + - name: advisory + type: flattened + description: Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor. 
+ - name: affected_code + type: nested + description: List of Affected Code objects that describe details about code blocks identified as vulnerable. + - name: affected_packages + type: nested + description: List of software packages identified as affected by a vulnerability/vulnerabilities. + - name: category + type: keyword + description: The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security. + - name: cve + type: flattened + description: Describes the Common Vulnerabilities and Exposures (CVE) details related to the vulnerability. + - name: cwe + type: flattened + description: Describes the Common Weakness Enumeration (CWE) details related to the vulnerability. + - name: dependency_chain + type: keyword + description: Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. + - name: desc + type: keyword + description: The description of the vulnerability. + - name: exploit_last_seen_time + type: date + description: The time when the exploit was most recently observed. + - name: exploit_last_seen_time_dt + type: date + description: The time when the exploit was most recently observed. + - name: exploit_ref_url + type: keyword + description: The URL of the exploit code or Proof-of-Concept (PoC). + - name: exploit_requirement + type: keyword + description: The requirement description related to any constraints around exploit execution. + - name: exploit_type + type: keyword + description: The categorization or type of Exploit. + - name: first_seen_time + type: date + description: The time when the vulnerability was first observed. + - name: first_seen_time_dt + type: date + description: The time when the vulnerability was first observed. + - name: fix_coverage + type: keyword + description: The fix coverage, normalized to the caption of the fix_coverage_id value. 
+ - name: fix_coverage_id + type: keyword + description: The normalized identifier for fix coverage, applicable to this vulnerability. + - name: is_exploit_available + type: boolean + description: Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability. + - name: is_fix_available + type: boolean + description: Indicates if a fix is available for the reported vulnerability. + - name: last_seen_time + type: date + description: The time when the vulnerability was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the vulnerability was most recently observed. + - name: references + type: keyword + description: A list of reference URLs with additional information about the vulnerability. + - name: related_vulnerabilities + type: keyword + description: List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability. + - name: remediation + type: flattened + description: The remediation recommendations on how to mitigate the identified vulnerability. + - name: severity + type: keyword + description: The vendor assigned severity of the vulnerability. + - name: title + type: keyword + description: A title or a brief phrase summarizing the discovered vulnerability. + - name: vendor_name + type: keyword + description: The name of the vendor that identified the vulnerability. + - name: whois + type: group + fields: + - name: autonomous_system + type: flattened + description: The autonomous system information associated with a domain. + - name: created_time + type: date + description: When the domain was registered or WHOIS entry was created. + - name: created_time_dt + type: date + description: When the domain was registered or WHOIS entry was created. + - name: dnssec_status + type: keyword + description: The normalized value of dnssec_status_id. 
+ - name: dnssec_status_id + type: keyword + description: Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain. + - name: domain + type: keyword + description: The domain name corresponding to the WHOIS record. + - name: domain_contacts + type: nested + description: An array of Domain Contact objects. + - name: email_addr + type: keyword + description: The email address for the registrar's abuse contact. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: isp_org + type: keyword + description: The organization name of the Internet Service Provider (ISP). + - name: last_seen_time + type: date + description: When the WHOIS record was last updated or seen at. + - name: last_seen_time_dt + type: date + description: When the WHOIS record was last updated or seen at. + - name: name_servers + type: keyword + description: A collection of name servers related to a domain registration or other record. + - name: phone_number + type: keyword + description: The phone number for the registrar's abuse contact. + - name: registrar + type: keyword + description: The domain registrar. + - name: status + type: keyword + description: The status of a domain and its ability to be transferred. + - name: subdomains + type: keyword + description: An array of subdomain strings. + - name: subnet + type: keyword + description: The IP address block (CIDR) associated with a domain. + - name: policy + type: group + fields: + - name: data + type: flattened + description: Additional data about the policy such as the underlying JSON policy itself or other details. + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. + - name: name + type: keyword + description: The group name. 
+ - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: is_applied + type: boolean + description: A determination if the content of a policy was applied to a target or request, or not. + - name: name + type: keyword + description: The policy name. + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: priority + type: keyword + description: The priority, normalized to the caption of the priority_id value. + - name: priority_id + type: keyword + description: The normalized priority. + - name: raw_data + type: keyword + description: The raw event/finding data as received from the source. + - name: raw_data_size + type: long + description: The size of the raw data which was transformed into an OCSF event. + - name: remediation + type: group + fields: + - name: cis_controls + type: group + fields: + - name: desc + type: keyword + description: The CIS Control description. + - name: name + type: keyword + description: The CIS Control name. + - name: version + type: keyword + description: The CIS Control version. + - name: desc + type: keyword + description: The description of the remediation strategy. + - name: kb_article_list + type: group + fields: + - name: avg_timespan + type: flattened + description: The average time to patch. + - name: bulletin + type: keyword + description: The kb article bulletin identifier. + - name: classification + type: keyword + description: The vendors classification of the kb article. + - name: created_time + type: date + description: The date the kb article was released by the vendor. + - name: created_time_dt + type: date + description: The date the kb article was released by the vendor. 
+ - name: install_state + type: keyword + description: The install state of the kb article. + - name: install_state_id + type: keyword + description: The normalized install state ID of the kb article. + - name: is_superseded + type: boolean + description: The kb article has been replaced by another. + - name: os + type: flattened + description: The operating system the kb article applies. + - name: product + type: flattened + description: The product details the kb article applies. + - name: severity + type: keyword + description: The severity of the kb article. + - name: size + type: long + description: The size in bytes for the kb article. + - name: src_url + type: keyword + description: The kb article link from the source vendor. + - name: title + type: keyword + description: The title of the kb article. + - name: uid + type: keyword + description: The unique identifier for the kb article. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: resources + type: group + fields: + - name: agent_list + type: group + fields: + - name: name + type: keyword + description: The name of the agent or sensor. + - name: policies + type: nested + description: Describes the various policies that may be applied or enforced by an agent or sensor. + - name: type + type: keyword + description: The normalized caption of the type_id value for the agent or sensor. + - name: type_id + type: keyword + description: The normalized representation of an agent or sensor. + - name: uid + type: keyword + description: The UID of the agent or sensor, sometimes known as a Sensor ID or aid. + - name: uid_alt + type: keyword + description: An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID. + - name: vendor_name + type: keyword + description: The company or author who created the agent or sensor. 
+ - name: version + type: keyword + description: The semantic version of the agent or sensor. + - name: cloud_partition + type: keyword + description: The canonical cloud partition name to which the region is assigned. + - name: created_time + type: date + description: The time when the resource was created. + - name: created_time_dt + type: date + description: The time when the resource was created. + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: group + description: Additional data describing the resource. + fields: + - name: awsEc2InstanceDetails + type: group + fields: + - name: iamInstanceProfileArn + type: keyword + - name: imageId + type: keyword + - name: ipV4Addresses + type: ip + - name: launchedAt + type: date + - name: platform + type: keyword + - name: subnetId + type: keyword + - name: type + type: keyword + - name: vpcId + type: keyword + - name: awsLambdaFunctionDetails + type: group + fields: + - name: architectures + type: keyword + - name: codeSha256 + type: keyword + - name: executionRoleArn + type: keyword + - name: functionName + type: keyword + - name: lastModifiedAt + type: date + - name: layers + type: keyword + - name: packageType + type: keyword + - name: runtime + type: keyword + - name: version + type: keyword + - name: data_classifications + type: group + fields: + - name: category + type: keyword + description: The name of the data classification category that data matched into. + - name: category_id + type: keyword + description: The normalized identifier of the data classification category. + - name: classifier_details + type: flattened + description: Describes details about the classifier used for data classification. + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. 
+ - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: discovery_details + type: nested + description: Details about the data discovered by classification job. + - name: policy + type: flattened + description: Details about the data policy that governs data handling and security measures related to classification. + - name: size + type: long + description: Size of the data classified. + - name: src_url + type: keyword + description: The source URL pointing towards the full classifcation job details. + - name: status + type: keyword + description: The resultant status of the classification job normalized to the caption of the status_id value. + - name: status_details + type: keyword + description: The contextual description of the status, status_id value. + - name: status_id + type: keyword + description: The normalized status identifier of the classification job. + - name: total + type: long + description: The total count of discovered entities, by the classification job. + - name: uid + type: keyword + description: The unique identifier of the classification job. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: hostname + type: keyword + description: The fully qualified name of the resource. + - name: ip + type: ip + description: The IP address of the resource, in either IPv4 or IPv6 format. 
+ - name: is_backed_up + type: boolean + description: Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. + - name: labels + type: keyword + description: The list of labels associated to the resource. + - name: modified_time + type: date + description: The time when the resource was last modified. + - name: modified_time_dt + type: date + description: The time when the resource was last modified. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. 
+ - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: region + type: keyword + description: The cloud region of the resource. + - name: resource_relationship + type: group + fields: + - name: desc + type: keyword + description: The graph description - provides additional details about the graph's purpose and contents. + - name: edges + type: nested + description: The edges/connections between nodes in the graph - contains the collection of edge objects defining relationships between nodes. + - name: is_directed + type: boolean + description: Indicates if the graph is directed (true) or undirected (false). + - name: name + type: keyword + description: The graph name - a human readable identifier for the graph. + - name: nodes + type: flattened + description: The nodes/vertices of the graph - contains the collection of node objects that make up the graph. + - name: query_language + type: keyword + description: The graph query language, normalized to the caption of the query_language_id value. + - name: query_language_id + type: keyword + description: The normalized identifier of a graph query language that can be used to interact with the graph. + - name: type + type: keyword + description: The graph type. Typically useful to represent the specifc type of graph that is used. + - name: uid + type: keyword + description: Unique identifier of the graph - a unique ID to reference this specific graph. 
+ - name: tags.* + type: object + description: The list of tags. + object_type: keyword + object_type_mapping_type: '*' + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: uid_alt + type: keyword + description: The alternative unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. + - name: zone + type: keyword + description: The specific availability zone within a cloud region where the resource is located. + - name: risk_details + type: keyword + description: Describes the risk associated with the finding. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: severity + type: keyword + description: The event/finding severity, normalized to the caption of the severity_id value. + - name: severity_id + type: keyword + description: The normalized identifier of the event/finding severity. + - name: src_url + type: keyword + description: A Url link used to access the original incident. + - name: start_time + type: date + description: The time of the least recent event included in the finding. + - name: start_time_dt + type: date + description: The time of the least recent event included in the finding. + - name: status + type: keyword + description: The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. + - name: status_code + type: keyword + description: The event status code, as reported by the event source. + - name: status_detail + type: keyword + description: The status detail contains additional information about the event/finding outcome. 
+ - name: status_id + type: keyword + description: The normalized status identifier of the Finding. + - name: tickets + type: group + fields: + - name: src_url + type: keyword + description: The url of a ticket in the ticket system. + - name: status + type: keyword + description: The status of the ticket normalized to the caption of the status_id value. In the case of 99, this value should as defined by the source. + - name: status_details + type: keyword + description: A list of contextual descriptions of the status, status_id values. + - name: status_id + type: keyword + description: The normalized identifier for the ticket status. + - name: title + type: keyword + description: The title of the ticket. + - name: type + type: keyword + description: The linked ticket type determines whether the ticket is internal or in an external ticketing system. + - name: type_id + type: keyword + description: The normalized identifier for the ticket type. + - name: uid + type: keyword + description: Unique identifier of the ticket. + - name: time + type: date + description: The normalized event occurrence time or the finding creation time. + - name: time_dt + type: date + description: The normalized event occurrence time or the finding creation time. + - name: timezone_offset + type: long + description: The number of minutes that the reported event time is ahead or behind UTC. + - name: type_name + type: keyword + description: The event/finding type name, as defined by the type_uid. + - name: type_uid + type: keyword + description: The event/finding type ID. + - name: unmapped + type: flattened + description: The attributes that are not mapped to the event schema. + - name: vendor_attributes + type: group + fields: + - name: severity + type: keyword + description: The finding severity, as reported by the Vendor. + - name: severity_id + type: keyword + description: The finding severity ID, as reported by the Vendor. 
+ - name: verdict + type: keyword + description: The verdict assigned to an Incident finding. + - name: verdict_id + type: keyword + description: The normalized verdict of an Incident. + - name: vulnerabilities + type: group + fields: + - name: advisory + type: group + fields: + - name: avg_timespan + type: flattened + description: The average time to patch. + - name: bulletin + type: keyword + description: The Advisory bulletin identifier. + - name: classification + type: keyword + description: The vendors classification of the Advisory. + - name: created_time + type: date + description: The time when the Advisory record was created. + - name: created_time_dt + type: date + description: The time when the Advisory record was created. + - name: desc + type: keyword + description: A brief description of the Advisory Record. + - name: install_state + type: keyword + description: The install state of the Advisory. + - name: install_state_id + type: keyword + description: The normalized install state ID of the Advisory. + - name: is_superseded + type: boolean + description: The Advisory has been replaced by another. + - name: modified_time + type: date + description: The time when the Advisory record was last updated. + - name: modified_time_dt + type: date + description: The time when the Advisory record was last updated. + - name: os + type: flattened + description: The operating system the Advisory applies to. + - name: product + type: flattened + description: The product where the vulnerability was discovered. + - name: references + type: keyword + description: A list of reference URLs with additional information about the vulnerabilities disclosed in the Advisory. + - name: related_cves + type: nested + description: A list of Common Vulnerabilities and Exposures (CVE) identifiers related to the vulnerabilities disclosed in the Advisory. 
+ - name: related_cwes
+ type: nested
+ description: A list of Common Weakness Enumeration (CWE) identifiers related to the vulnerabilities disclosed in the Advisory.
+ - name: size
+ type: long
+ description: The size in bytes for the Advisory. Usually populated for a KB Article patch.
+ - name: src_url
+ type: keyword
+ description: The Advisory link from the source vendor.
+ - name: title
+ type: keyword
+ description: A title or a brief phrase summarizing the Advisory.
+ - name: uid
+ type: keyword
+ description: The unique identifier assigned to the advisory or disclosed vulnerability.
+ - name: affected_code
+ type: group
+ fields:
+ - name: end_column
+ type: long
+ description: The column number of the last part of the assessed code identified as vulnerable.
+ - name: end_line
+ type: long
+ description: The line number of the last line of code block identified as vulnerable.
+ - name: file
+ type: flattened
+ description: Details about the file that contains the affected code block.
+ - name: owner
+ type: flattened
+ description: Details about the user that owns the affected file.
+ - name: remediation
+ type: flattened
+ description: Describes the recommended remediation steps to address identified issue(s).
+ - name: rule
+ type: flattened
+ description: Details about the specific rule.
+ - name: start_column
+ type: long
+ description: The column number of the first part of the assessed code identified as vulnerable.
+ - name: start_line
+ type: long
+ description: The line number of the first line of code block identified as vulnerable.
+ - name: affected_packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST).
+ - name: epoch
+ type: long
+ description: The software package epoch.
Epoch is a way to define weighted dependencies based on version numbers.
+ - name: fixed_in_version
+ type: keyword
+ description: The software package version in which a reported vulnerability was patched/fixed.
+ - name: hash
+ type: flattened
+ description: Cryptographic hash to identify the binary instance of a software component.
+ - name: license
+ type: keyword
+ description: The software license applied to this package.
+ - name: license_url
+ type: keyword
+ description: The URL pointing to the license applied on package or software.
+ - name: name
+ type: keyword
+ description: The software package name.
+ - name: package_manager
+ type: keyword
+ description: The software packager manager utilized to manage a package on a system.
+ - name: package_manager_url
+ type: keyword
+ description: The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link.
+ - name: path
+ type: keyword
+ description: The installation path of the affected package.
+ - name: purl
+ type: keyword
+ description: A purl is a URL keyword used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.
+ - name: release
+ type: keyword
+ description: Release is the number of times a version of the software has been packaged.
+ - name: remediation
+ type: flattened
+ description: Describes the recommended remediation steps to address identified issue(s).
+ - name: src_url
+ type: keyword
+ description: The link to the specific library or package such as within GitHub, this is different from the link to the package manager where the library or package is hosted.
+ - name: type
+ type: keyword
+ description: The type of software package, normalized to the caption of the type_id value.
+ - name: type_id
+ type: keyword
+ description: The type of software package.
+ - name: uid
+ type: keyword
+ description: A unique identifier for the package or library reported by the source tool.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor who published the software package.
+ - name: version
+ type: keyword
+ description: The software package version.
+ - name: category
+ type: keyword
+ description: The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security.
+ - name: cve
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List.
+ - name: created_time_dt
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List.
+ - name: cvss
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: The CVSS base score.
+ - name: depth
+ type: keyword
+ description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
+ - name: metrics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The Common Vulnerability Scoring System metrics.
+ - name: value
+ type: keyword
+ description: The Common Vulnerability Scoring System metrics.
+ - name: overall_score
+ type: double
+ description: The CVSS overall score, impacted by base, temporal, and environmental metrics.
+ - name: severity
+ type: keyword
+ description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating.
+ - name: src_url
+ type: keyword
+ description: The source URL for the CVSS score.
+ - name: vector_string
+ type: keyword
+ description: The CVSS vector string is a text representation of a set of CVSS metrics.
+ - name: vendor_name
+ type: keyword
+ description: The vendor that provided the CVSS score.
+ - name: version
+ type: keyword
+ description: The CVSS version.
+ - name: desc
+ type: keyword
+ description: A brief description of the CVE Record.
+ - name: epss
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The timestamp indicating when the EPSS score was calculated.
+ - name: created_time_dt
+ type: date
+ description: The timestamp indicating when the EPSS score was calculated.
+ - name: percentile
+ type: double
+ description: The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.
+ - name: score
+ type: keyword
+ description: The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication).
+ - name: version
+ type: keyword
+ description: The version of the EPSS model used to calculate the score.
+ - name: modified_time
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: modified_time_dt
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: product
+ type: flattened
+ description: The product where the vulnerability was discovered.
+ - name: references
+ type: keyword
+ description: A list of reference URLs with additional information about the CVE Record.
+ - name: related_cwes
+ type: nested
+ description: Describes the Common Weakness Enumeration (CWE) details related to the CVE Record.
+ - name: title
+ type: keyword
+ description: A title or a brief phrase summarizing the CVE record.
+ - name: type
+ type: keyword
+ description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
+ - name: uid
+ type: keyword
+ description: The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability.
+ - name: cwe
+ type: group
+ fields:
+ - name: caption
+ type: keyword
+ description: The caption assigned to the Common Weakness Enumeration unique identifier.
+ - name: src_url
+ type: keyword
+ description: URL pointing to the CWE Specification. For more information see CWE.
+ - name: uid
+ type: keyword
+ description: The Common Weakness Enumeration unique number assigned to a specific weakness.
+ - name: dependency_chain
+ type: keyword
+ description: Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool.
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: exploit_last_seen_time
+ type: date
+ description: The time when the exploit was most recently observed.
+ - name: exploit_last_seen_time_dt
+ type: date
+ description: The time when the exploit was most recently observed.
+ - name: exploit_ref_url
+ type: keyword
+ description: The URL of the exploit code or Proof-of-Concept (PoC).
+ - name: exploit_requirement
+ type: keyword
+ description: The requirement description related to any constraints around exploit execution.
+ - name: exploit_type
+ type: keyword
+ description: The categorization or type of Exploit.
+ - name: first_seen_time
+ type: date
+ description: The time when the vulnerability was first observed.
+ - name: first_seen_time_dt
+ type: date
+ description: The time when the vulnerability was first observed.
+ - name: fix_coverage
+ type: keyword
+ description: The fix coverage, normalized to the caption of the fix_coverage_id value.
+ - name: fix_coverage_id
+ type: keyword
+ description: The normalized identifier for fix coverage, applicable to this vulnerability.
+ - name: is_exploit_available
+ type: boolean
+ description: Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.
+ - name: is_fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
+ - name: last_seen_time
+ type: date
+ description: The time when the vulnerability was most recently observed.
+ - name: last_seen_time_dt
+ type: date
+ description: The time when the vulnerability was most recently observed.
+ - name: references
+ type: keyword
+ description: A list of reference URLs with additional information about the vulnerability.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.
+ - name: remediation
+ type: group
+ fields:
+ - name: cis_controls
+ type: nested
+ description: An array of Center for Internet Security (CIS) Controls that can be optionally mapped to provide additional remediation details.
+ - name: desc
+ type: keyword
+ description: The description of the remediation strategy.
+ - name: kb_article_list
+ type: nested
+ description: A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
+ - name: severity
+ type: keyword
+ description: The vendor assigned severity of the vulnerability.
+ - name: title
+ type: keyword
+ description: A title or a brief phrase summarizing the discovered vulnerability.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor that identified the vulnerability.
diff --git a/packages/aws_securityhub/data_stream/finding/fields/package.yml b/packages/aws_securityhub/data_stream/finding/fields/package.yml
new file mode 100644
index 00000000000..592d9cde4a0
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/package.yml
@@ -0,0 +1,6 @@
+- name: package
+ type: group
+ fields:
+ - name: fixed_version
+ type: keyword
+ description: In which version of the package the vulnerability was fixed.
diff --git a/packages/aws_securityhub/data_stream/finding/fields/resource.yml b/packages/aws_securityhub/data_stream/finding/fields/resource.yml
new file mode 100644
index 00000000000..9d1b905c724
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/resource.yml
@@ -0,0 +1,12 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the resource.
+ - name: name
+ type: keyword
+ description: The name of the resource.
+ - name: type
+ type: keyword
+ description: The type of the resource.
diff --git a/packages/aws_securityhub/data_stream/finding/fields/result.yml b/packages/aws_securityhub/data_stream/finding/fields/result.yml
new file mode 100644
index 00000000000..aa0a3ab2afd
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/result.yml
@@ -0,0 +1,6 @@
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: keyword
+ description: The result of the evaluation.
diff --git a/packages/aws_securityhub/data_stream/finding/fields/rule.yml b/packages/aws_securityhub/data_stream/finding/fields/rule.yml
new file mode 100644
index 00000000000..fcf7b7a18af
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/rule.yml
@@ -0,0 +1,6 @@
+- name: rule
+ type: group
+ fields:
+ - name: remediation
+ type: keyword
+ description: The remediation actions for the rule.
diff --git a/packages/aws_securityhub/data_stream/finding/fields/vulnerability.yml b/packages/aws_securityhub/data_stream/finding/fields/vulnerability.yml
new file mode 100644
index 00000000000..2f60449e636
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/fields/vulnerability.yml
@@ -0,0 +1,12 @@
+- name: vulnerability
+ type: group
+ fields:
+ - name: cve
+ type: keyword
+ description: The CVE id of the vulnerability.
+ - name: published_date
+ type: date
+ description: When the vulnerability was published.
+ - name: title
+ type: keyword
+ description: The human readable title of the vulnerability.
diff --git a/packages/aws_securityhub/data_stream/finding/manifest.yml b/packages/aws_securityhub/data_stream/finding/manifest.yml
new file mode 100644
index 00000000000..e1263f6cca4
--- /dev/null
+++ b/packages/aws_securityhub/data_stream/finding/manifest.yml
@@ -0,0 +1,123 @@
+title: Finding
+type: logs
+elasticsearch:
+ index_template:
+ settings:
+ index:
+ mapping:
+ total_fields:
+ limit: 2000
+streams:
+ - input: cel
+ title: Finding
+ description: Collecting findings via API.
+ template_path: cel.yml.hbs
+ vars:
+ - name: aws_region
+ type: text
+ title: AWS Region
+ description: AWS Region.
+ multi: false
+ required: true
+ show_user: true
+ - name: tld
+ type: text
+ title: Top Level Domain
+ multi: false
+ required: true
+ show_user: false
+ default: amazonaws.com
+ - name: initial_interval
+ type: duration
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ max_duration: 2160h
+ description: How far back to pull the findings from AWS Security Hub API. Supported units for this parameter are h/m/s.
+ - name: interval
+ type: duration
+ title: Interval
+ description: Duration between requests to the AWS Security Hub API. Supported units for this parameter are h/m/s.
+ default: 1h
+ max_duration: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: text
+ title: Batch Size
+ multi: false
+ required: true
+ show_user: false
+ description: Batch size for the response of the AWS Security Hub API. The maximum batch size supported for finding is 100.
+ default: 100
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: resource_rate_limit_limit
+ type: text
+ title: Resource Rate Limit
+ description: The value of the response that specifies the maximum overall resource request rate. This controls the polling frequency.
+ show_user: false
+ multi: false
+ required: false
+ - name: resource_rate_limit_burst
+ type: integer
+ title: Resource Rate Limit Burst
+ description: The maximum burst size.
Burst is the maximum number of resource requests that can be made above the overall rate limit.
+ show_user: false
+ multi: false
+ required: false
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations.
+ Enabling this request tracing compromises security and should only be used for debugging. Disabling the request
+ tracer will delete any stored traces.
+ See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable)
+ for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws_securityhub-finding
+ - name: preserve_original_event
+ required: false
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve aws_securityhub.finding fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
diff --git a/packages/aws_securityhub/docs/README.md b/packages/aws_securityhub/docs/README.md
new file mode 100644
index 00000000000..c37119f13c0
--- /dev/null
+++ b/packages/aws_securityhub/docs/README.md
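Review bot: `batch_size` is declared `type: text` although its own description bounds it as a number with a maximum of 100, so Fleet accepts any string and a non-numeric or over-limit value is only discovered when the CEL program (cel.yml.hbs, outside this hunk) builds the request; `type: integer` would reject it at configuration time and be consistent with `resource_rate_limit_burst`, which this same hunk declares as `integer`. `resource_rate_limit_limit` has the same mismatch if it is meant to hold a numeric rate. Unless `text` is deliberate for template compatibility, I would change the `batch_size` line to `type: integer` and extend its description to state the accepted range, e.g. `description: Batch size for the response of the AWS Security Hub API. Must be between 1 and 100 (the maximum supported for findings).`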
@@ -0,0 +1,1535 @@
+# AWS Security Hub Integration for Elastic
+
+## Overview
+The AWS Security Hub integration with Elastic enables the collection of findings for monitoring and analysis. This valuable data can be leveraged within Elastic to analyze security signals from multiple sources, such as posture management, vulnerability management (Amazon Inspector), sensitive data identification (Amazon Macie), and threat detection (Amazon GuardDuty).
+
+This integration utilizes the AWS Security Hub API to collect Findings in the OCSF format.
+
+### Compatibility
+
+The AWS Security Hub integration uses the REST API. It uses the `GetFindingsV2` to collect findings in OCSF format.
+
+### How it works
+
+The **finding** data stream uses the `/findingsv2` endpoint to gather all findings starting from the configured initial interval. Subsequently, it fetches the recent findings available at each specified interval.
+
+## What data does this integration collect?
+
+The AWS Security Hub integration collects log messages of the following types:
+
+- `Finding`: Returns a list of findings in OCSF format. Refer to the [GetFindingsV2 API Reference](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingsV2.html).
+
+### Supported use cases
+Integrating AWS Security Hub with Elastic SIEM provides a comprehensive view of the security state of your AWS resources. Leveraging AWS Security Hub integration helps you analyze security trends to identify and prioritize security issues across your AWS environment.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+AWS Security Hub integration adds [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From AWS Security Hub
+
+Enable AWS Security Hub in your environment.
For more detail, refer to the link [here](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html).
+
+#### Collecting data from AWS Security Hub API
+
+Users can authenticate using permanent security credentials, as well as temporary security credentials. They can also select `shared_credential_file`, `credential_profile_name` to retrieve credentials. Additionally, they can use `role_arn` to specify which AWS IAM role to assume for generating temporary credentials. An `external_id` can also be provided when assuming a role in another account.
+
+The credentials must have permission to perform the **securityhub:GetFindings** action.
+
+## How do I deploy this integration?
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html)
+
+### Onboard / configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. 
In the search bar, type **AWS Security Hub**.
+3. Select the **AWS Security Hub** integration from the search results.
+4. Select **Add AWS Security Hubs** to add the integration.
+5. Enable and configure **Collect AWS Security Hub logs via API**:
+
+ - Configure AWS Authentication parameters and set the **AWS Region** and **Top Level Domain**. Adjust the integration configuration parameters as needed, including the **Initial Interval**, **Interval**, **Batch Size** etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Transforms healthy
+
+1. In the top search bar in Kibana, search for **Transforms**.
+2. Select the **Data / Transforms** from the search results.
+3. In the search bar, type **aws_securityhub**.
+4. All transforms from the search results should indicate **Healthy** under the **Health** column.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Finding
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| aws_securityhub.finding.action | The normalized caption of action_id. | keyword |
+| aws_securityhub.finding.action_id | The action taken by a control or other policy-based system leading to an outcome or disposition. 
| keyword |
+| aws_securityhub.finding.activity_id | The normalized identifier of the finding activity. | keyword |
+| aws_securityhub.finding.activity_name | The finding activity name, as defined by the activity_id. | keyword |
+| aws_securityhub.finding.actor.app_name | The client application or service that initiated the activity. | keyword |
+| aws_securityhub.finding.actor.app_uid | The unique identifier of the client application or service that initiated the activity. | keyword |
+| aws_securityhub.finding.actor.authorizations.decision | Authorization Result/outcome. | keyword |
+| aws_securityhub.finding.actor.authorizations.policy | Details about the Identity/Access management policies that are applicable. | flattened |
+| aws_securityhub.finding.actor.idp.auth_factors | The Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider. | nested |
+| aws_securityhub.finding.actor.idp.domain | The primary domain associated with the Identity Provider. | keyword |
+| aws_securityhub.finding.actor.idp.fingerprint | The fingerprint of the X.509 certificate used by the Identity Provider. | flattened |
+| aws_securityhub.finding.actor.idp.has_mfa | The Identity Provider enforces Multi Factor Authentication (MFA). | boolean |
+| aws_securityhub.finding.actor.idp.issuer | The unique identifier (often a URL) used by the Identity Provider as its issuer. | keyword |
+| aws_securityhub.finding.actor.idp.name | The name of the Identity Provider. | keyword |
+| aws_securityhub.finding.actor.idp.protocol_name | The supported protocol of the Identity Provider. | keyword |
+| aws_securityhub.finding.actor.idp.scim | The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. 
| flattened |
+| aws_securityhub.finding.actor.idp.sso | The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers. | flattened |
+| aws_securityhub.finding.actor.idp.state | The configuration state of the Identity Provider, normalized to the caption of the state_id value. | keyword |
+| aws_securityhub.finding.actor.idp.state_id | The normalized state ID of the Identity Provider to reflect its configuration or activation status. | keyword |
+| aws_securityhub.finding.actor.idp.tenant_uid | The tenant ID associated with the Identity Provider. | keyword |
+| aws_securityhub.finding.actor.idp.uid | The unique identifier of the Identity Provider. | keyword |
+| aws_securityhub.finding.actor.idp.url_string | The URL for accessing the configuration or metadata of the Identity Provider. | keyword |
+| aws_securityhub.finding.actor.process.ancestry | An array of Process Entities describing the extended parentage of this process object. | nested |
+| aws_securityhub.finding.actor.process.auid | The audit user assigned at login by the audit subsystem. | keyword |
+| aws_securityhub.finding.actor.process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword |
+| aws_securityhub.finding.actor.process.container | The information describing an instance of a container. | flattened |
+| aws_securityhub.finding.actor.process.cpid | A unique process identifier that can be assigned deterministically by multiple system data producers. | keyword |
+| aws_securityhub.finding.actor.process.created_time | The time when the process was created/started. | date |
+| aws_securityhub.finding.actor.process.created_time_dt | The time when the process was created/started. | date |
+| aws_securityhub.finding.actor.process.egid | The effective group under which this process is running. 
| keyword |
+| aws_securityhub.finding.actor.process.euid | The effective user under which this process is running. | keyword |
+| aws_securityhub.finding.actor.process.file | The process file object. | flattened |
+| aws_securityhub.finding.actor.process.group | The group under which this process is running. | flattened |
+| aws_securityhub.finding.actor.process.integrity | The process integrity level, normalized to the caption of the integrity_id value. | keyword |
+| aws_securityhub.finding.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| aws_securityhub.finding.actor.process.loaded_modules | The list of loaded module names. | keyword |
+| aws_securityhub.finding.actor.process.name | The friendly name of the process. | keyword |
+| aws_securityhub.finding.actor.process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long |
+| aws_securityhub.finding.actor.process.parent_process | The parent process of this process object. | flattened |
+| aws_securityhub.finding.actor.process.path | The process file path. | keyword |
+| aws_securityhub.finding.actor.process.pid | The process identifier, as reported by the operating system. | long |
+| aws_securityhub.finding.actor.process.sandbox | The name of the containment jail. | keyword |
+| aws_securityhub.finding.actor.process.session | The user session under which this process is running. | flattened |
+| aws_securityhub.finding.actor.process.terminated_time | The time when the process was terminated. | date |
+| aws_securityhub.finding.actor.process.terminated_time_dt | The time when the process was terminated. | date |
+| aws_securityhub.finding.actor.process.tid | The Identifier of the thread associated with the event, as returned by the operating system. 
| keyword |
+| aws_securityhub.finding.actor.process.uid | A unique identifier for this process assigned by the producer (tool). | keyword |
+| aws_securityhub.finding.actor.process.user | The user under which this process is running. | flattened |
+| aws_securityhub.finding.actor.process.working_directory | The working directory of a process. | keyword |
+| aws_securityhub.finding.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| aws_securityhub.finding.actor.session.count | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. | long |
+| aws_securityhub.finding.actor.session.created_time | The time when the session was created. | date |
+| aws_securityhub.finding.actor.session.created_time_dt | The time when the session was created. | date |
+| aws_securityhub.finding.actor.session.credential_uid | The unique identifier of the user's credential. | keyword |
+| aws_securityhub.finding.actor.session.expiration_reason | The reason which triggered the session expiration. | keyword |
+| aws_securityhub.finding.actor.session.expiration_time | The session expiration time. | date |
+| aws_securityhub.finding.actor.session.expiration_time_dt | The session expiration time. | date |
+| aws_securityhub.finding.actor.session.is_mfa | Indicates whether Multi Factor Authentication was used during authentication. | boolean |
+| aws_securityhub.finding.actor.session.is_remote | The indication of whether the session is remote. | boolean |
+| aws_securityhub.finding.actor.session.is_vpn | The indication of whether the session is a VPN session. | boolean |
+| aws_securityhub.finding.actor.session.issuer | The identifier of the session issuer. | keyword |
+| aws_securityhub.finding.actor.session.terminal | The Pseudo Terminal associated with the session. 
| keyword |
+| aws_securityhub.finding.actor.session.uid | The unique identifier of the session. | keyword |
+| aws_securityhub.finding.actor.session.uid_alt | The alternate unique identifier of the session. | keyword |
+| aws_securityhub.finding.actor.session.uuid | The universally unique identifier of the session. | keyword |
+| aws_securityhub.finding.actor.user.account | The user's account or the account associated with the user. | flattened |
+| aws_securityhub.finding.actor.user.credential_uid | The unique identifier of the user's credential. | keyword |
+| aws_securityhub.finding.actor.user.display_name | The display name of the user, as reported by the product. | keyword |
+| aws_securityhub.finding.actor.user.domain | The domain where the user is defined. | keyword |
+| aws_securityhub.finding.actor.user.email_addr | The user's primary email address. | keyword |
+| aws_securityhub.finding.actor.user.forward_addr | The user's forwarding email address. | keyword |
+| aws_securityhub.finding.actor.user.full_name | The full name of the user, as reported by the product. | keyword |
+| aws_securityhub.finding.actor.user.groups | The administrative groups to which the user belongs. | nested |
+| aws_securityhub.finding.actor.user.has_mfa | The user has a multi-factor or secondary-factor device assigned. | boolean |
+| aws_securityhub.finding.actor.user.ldap_person | The additional LDAP attributes that describe a person. | flattened |
+| aws_securityhub.finding.actor.user.name | The username. | keyword |
+| aws_securityhub.finding.actor.user.org | Organization and org unit related to the user. | flattened |
+| aws_securityhub.finding.actor.user.phone_number | The telephone number of the user. | keyword |
+| aws_securityhub.finding.actor.user.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword |
+| aws_securityhub.finding.actor.user.risk_level_id | The normalized risk level id. 
| keyword | +| aws_securityhub.finding.actor.user.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.actor.user.type | The type of the user. | keyword | +| aws_securityhub.finding.actor.user.type_id | The account type identifier. | keyword | +| aws_securityhub.finding.actor.user.uid | The unique user identifier. | keyword | +| aws_securityhub.finding.actor.user.uid_alt | The alternate user identifier. | keyword | +| aws_securityhub.finding.anomaly_analyses.analysis_targets.name | The specific name or identifier of the analysis target, such as the username of a User Account, the name of a Kubernetes Cluster, the identifier of a Network Namespace, or the name of an Application Component. | keyword | +| aws_securityhub.finding.anomaly_analyses.analysis_targets.type | The category of the analysis target, such as User Account, Kubernetes Cluster, Network Namespace, or Application Component. | keyword | +| aws_securityhub.finding.anomaly_analyses.anomalies.observation_parameter | The specific parameter, metric or property where the anomaly was observed. | keyword | +| aws_securityhub.finding.anomaly_analyses.anomalies.observation_type | The type of analysis methodology used to detect the anomaly. | keyword | +| aws_securityhub.finding.anomaly_analyses.anomalies.observations.count | Integer representing the total number of times this specific value/event was observed across all occurrences. | long | +| aws_securityhub.finding.anomaly_analyses.anomalies.observations.observed_pattern | The specific pattern identified within the observation type. | keyword | +| aws_securityhub.finding.anomaly_analyses.anomalies.observations.timespan | The time window when the value or event was first observed. | flattened | +| aws_securityhub.finding.anomaly_analyses.anomalies.observations.value | The specific value, event, indicator or data point that was observed and recorded. 
| keyword | +| aws_securityhub.finding.anomaly_analyses.baselines.observation_parameter | The specific parameter, metric or property where the anomaly was observed. | keyword | +| aws_securityhub.finding.anomaly_analyses.baselines.observation_type | The type of analysis methodology used to detect the anomaly. | keyword | +| aws_securityhub.finding.anomaly_analyses.baselines.observations.count | Integer representing the total number of times this specific value/event was observed across all occurrences. | long | +| aws_securityhub.finding.anomaly_analyses.baselines.observations.observed_pattern | The specific pattern identified within the observation type. | keyword | +| aws_securityhub.finding.anomaly_analyses.baselines.observations.timespan | The time window when the value or event was first observed. | flattened | +| aws_securityhub.finding.anomaly_analyses.baselines.observations.value | The specific value, event, indicator or data point that was observed and recorded. | keyword | +| aws_securityhub.finding.api.group.desc | The group description. | keyword | +| aws_securityhub.finding.api.group.domain | The domain where the group is defined. | keyword | +| aws_securityhub.finding.api.group.name | The group name. | keyword | +| aws_securityhub.finding.api.group.privileges | The group privileges. | keyword | +| aws_securityhub.finding.api.group.type | The type of the group or account. | keyword | +| aws_securityhub.finding.api.group.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.api.operation | Verb/Operation associated with the request. | keyword | +| aws_securityhub.finding.api.request.containers | When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. | nested | +| aws_securityhub.finding.api.request.data | The additional data that is associated with the api request. 
| flattened | +| aws_securityhub.finding.api.request.flags | The communication flags that are associated with the api request. | keyword | +| aws_securityhub.finding.api.request.uid | The unique request identifier. | keyword | +| aws_securityhub.finding.api.response.code | The numeric response sent to a request. | long | +| aws_securityhub.finding.api.response.containers | When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. | nested | +| aws_securityhub.finding.api.response.data | The additional data that is associated with the api response. | flattened | +| aws_securityhub.finding.api.response.error | Error Code. | keyword | +| aws_securityhub.finding.api.response.error_message | Error Message. | keyword | +| aws_securityhub.finding.api.response.flags | The communication flags that are associated with the api response. | keyword | +| aws_securityhub.finding.api.response.message | The description of the event/finding, as defined by the source. | keyword | +| aws_securityhub.finding.api.service.labels | The list of labels associated with the service. | keyword | +| aws_securityhub.finding.api.service.name | The name of the service. | keyword | +| aws_securityhub.finding.api.service.uid | The unique identifier of the service. | keyword | +| aws_securityhub.finding.api.service.version | The version of the service. | keyword | +| aws_securityhub.finding.api.version | The version of the API service. | keyword | +| aws_securityhub.finding.assignee.account.labels | The list of labels associated to the account. | keyword | +| aws_securityhub.finding.assignee.account.name | The name of the account. | keyword | +| aws_securityhub.finding.assignee.account.type | The account type, normalized to the caption of 'account_type_id'. | keyword | +| aws_securityhub.finding.assignee.account.type_id | The normalized account type identifier. 
| keyword | +| aws_securityhub.finding.assignee.account.uid | The unique identifier of the account. | keyword | +| aws_securityhub.finding.assignee.credential_uid | The unique identifier of the user's credential. | keyword | +| aws_securityhub.finding.assignee.display_name | The display name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.assignee.domain | The domain where the user is defined. | keyword | +| aws_securityhub.finding.assignee.email_addr | The user's primary email address. | keyword | +| aws_securityhub.finding.assignee.forward_addr | The user's forwarding email address. | keyword | +| aws_securityhub.finding.assignee.full_name | The full name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.assignee.groups.desc | The group privileges. | keyword | +| aws_securityhub.finding.assignee.groups.domain | The group description. | keyword | +| aws_securityhub.finding.assignee.groups.name | The domain where the group is defined. | keyword | +| aws_securityhub.finding.assignee.groups.privileges | The group name. | keyword | +| aws_securityhub.finding.assignee.groups.type | The type of the group or account. | keyword | +| aws_securityhub.finding.assignee.groups.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.assignee.has_mfa | The user has a multi-factor or secondary-factor device assigned. | boolean | +| aws_securityhub.finding.assignee.ldap_person.cost_center | The cost center associated with the assignee. | keyword | +| aws_securityhub.finding.assignee.ldap_person.created_time | The timestamp when the user was created. | date | +| aws_securityhub.finding.assignee.ldap_person.created_time_dt | The timestamp when the user was created. | date | +| aws_securityhub.finding.assignee.ldap_person.deleted_time | The timestamp when the user was deleted. | date | +| aws_securityhub.finding.assignee.ldap_person.deleted_time_dt | The timestamp when the user was deleted. 
| date | +| aws_securityhub.finding.assignee.ldap_person.display_name | The display name of the LDAP person. | keyword | +| aws_securityhub.finding.assignee.ldap_person.email_addrs | A list of additional email addresses for the assignee. | keyword | +| aws_securityhub.finding.assignee.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | +| aws_securityhub.finding.assignee.ldap_person.given_name | The given or first name of the assignee. | keyword | +| aws_securityhub.finding.assignee.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | +| aws_securityhub.finding.assignee.ldap_person.hire_time_dt | The timestamp when the user was or will be hired by the organization. | date | +| aws_securityhub.finding.assignee.ldap_person.job_title | The user's job title. | keyword | +| aws_securityhub.finding.assignee.ldap_person.labels | The labels associated with the assignee. | keyword | +| aws_securityhub.finding.assignee.ldap_person.last_login_time | The last time when the user logged in. | date | +| aws_securityhub.finding.assignee.ldap_person.last_login_time_dt | The last time when the user logged in. | date | +| aws_securityhub.finding.assignee.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. | keyword | +| aws_securityhub.finding.assignee.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service. | keyword | +| aws_securityhub.finding.assignee.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date | +| aws_securityhub.finding.assignee.ldap_person.leave_time_dt | The timestamp when the user left or will be leaving the organization. | date | +| aws_securityhub.finding.assignee.ldap_person.location | The geographical location associated with a assignee. 
| flattened | +| aws_securityhub.finding.assignee.ldap_person.manager | The user's manager. | flattened | +| aws_securityhub.finding.assignee.ldap_person.modified_time | The timestamp when the user entry was last modified. | date | +| aws_securityhub.finding.assignee.ldap_person.modified_time_dt | The timestamp when the user entry was last modified. | date | +| aws_securityhub.finding.assignee.ldap_person.office_location | The primary office location associated with the assignee. | keyword | +| aws_securityhub.finding.assignee.ldap_person.phone_number | The telephone number of the assignee. | keyword | +| aws_securityhub.finding.assignee.ldap_person.surname | The last or family name for the assignee. | keyword | +| aws_securityhub.finding.assignee.name | The username. | keyword | +| aws_securityhub.finding.assignee.org.name | The name of the organization. | keyword | +| aws_securityhub.finding.assignee.org.ou_name | The name of an organizational unit. | keyword | +| aws_securityhub.finding.assignee.org.ou_uid | The unique identifier of an organizational unit. | keyword | +| aws_securityhub.finding.assignee.org.uid | The unique identifier of the organization. | keyword | +| aws_securityhub.finding.assignee.phone_number | The telephone number of the assignee. | keyword | +| aws_securityhub.finding.assignee.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.assignee.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.assignee.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.assignee.type | The type of the assignee. | keyword | +| aws_securityhub.finding.assignee.type_id | The account type identifier. | keyword | +| aws_securityhub.finding.assignee.uid | The unique user identifier. | keyword | +| aws_securityhub.finding.assignee.uid_alt | The alternate user identifier. 
| keyword | +| aws_securityhub.finding.assignee_group.desc | The group privileges. | keyword | +| aws_securityhub.finding.assignee_group.domain | The group description. | keyword | +| aws_securityhub.finding.assignee_group.name | The domain where the group is defined. | keyword | +| aws_securityhub.finding.assignee_group.privileges | The group name. | keyword | +| aws_securityhub.finding.assignee_group.type | The type of the group or account. | keyword | +| aws_securityhub.finding.assignee_group.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.attacks.mitigation.countermeasures | The ATT&CK® or ATLAS™ Matrix version. | nested | +| aws_securityhub.finding.attacks.mitigation.name | The D3FEND countermeasures that are associated with the attack technique. | keyword | +| aws_securityhub.finding.attacks.mitigation.src_url | The Mitigation name that is associated with the attack technique. | keyword | +| aws_securityhub.finding.attacks.mitigation.uid | The versioned permalink of the Mitigation. | keyword | +| aws_securityhub.finding.attacks.mitigation.version | The Mitigation ID that is associated with the attack technique. | keyword | +| aws_securityhub.finding.attacks.sub_technique.name | The name of the attack sub-technique. | keyword | +| aws_securityhub.finding.attacks.sub_technique.src_url | The versioned permalink of the attack sub-technique. | keyword | +| aws_securityhub.finding.attacks.sub_technique.uid | The unique identifier of the attack sub-technique. | keyword | +| aws_securityhub.finding.attacks.tactic.name | The Tactic name that is associated with the attack technique. | keyword | +| aws_securityhub.finding.attacks.tactic.src_url | The versioned permalink of the Tactic. | keyword | +| aws_securityhub.finding.attacks.tactic.uid | The Tactic ID that is associated with the attack technique. | keyword | +| aws_securityhub.finding.attacks.technique.name | The name of the attack technique. 
| keyword | +| aws_securityhub.finding.attacks.technique.src_url | The versioned permalink of the attack technique. | keyword | +| aws_securityhub.finding.attacks.technique.uid | The unique identifier of the attack technique. | keyword | +| aws_securityhub.finding.attacks.version | The ATT&CK® or ATLAS™ Matrix version. | keyword | +| aws_securityhub.finding.authorizations.decision | Authorization Result/outcome. | keyword | +| aws_securityhub.finding.authorizations.policy.data | Additional data about the policy such as the underlying JSON policy itself or other details. | flattened | +| aws_securityhub.finding.authorizations.policy.desc | The description of the policy. | keyword | +| aws_securityhub.finding.authorizations.policy.group | The policy group. | flattened | +| aws_securityhub.finding.authorizations.policy.is_applied | A determination if the content of a policy was applied to a target or request, or not. | boolean | +| aws_securityhub.finding.authorizations.policy.name | The policy name. | keyword | +| aws_securityhub.finding.authorizations.policy.uid | A unique identifier of the policy instance. | keyword | +| aws_securityhub.finding.authorizations.policy.version | The policy version number. | keyword | +| aws_securityhub.finding.category_name | The event category name. | keyword | +| aws_securityhub.finding.category_uid | The category unique identifier of the event. | keyword | +| aws_securityhub.finding.class_name | The event class name. | keyword | +| aws_securityhub.finding.class_uid | The unique identifier of a class. | keyword | +| aws_securityhub.finding.cloud.account.labels | The list of labels associated to the account. | keyword | +| aws_securityhub.finding.cloud.account.name | The name of the account. | keyword | +| aws_securityhub.finding.cloud.account.type | The account type, normalized to the caption of 'account_type_id'. | keyword | +| aws_securityhub.finding.cloud.account.type_id | The normalized account type identifier. 
| keyword | +| aws_securityhub.finding.cloud.account.uid | The unique identifier of the account. | keyword | +| aws_securityhub.finding.cloud.cloud_partition | The canonical cloud partition name to which the region is assigned. | keyword | +| aws_securityhub.finding.cloud.org.name | The name of the organization. | keyword | +| aws_securityhub.finding.cloud.org.ou_name | The name of an organizational unit. | keyword | +| aws_securityhub.finding.cloud.org.ou_uid | The unique identifier of an organizational unit. | keyword | +| aws_securityhub.finding.cloud.org.uid | The unique identifier of the organization. | keyword | +| aws_securityhub.finding.cloud.provider | The unique name of the Cloud services provider. | keyword | +| aws_securityhub.finding.cloud.region | The name of the cloud region, as defined by the cloud provider. | keyword | +| aws_securityhub.finding.cloud.zone | The availability zone in the cloud region, as defined by the cloud provider. | keyword | +| aws_securityhub.finding.comment | A user provided comment about the finding. | keyword | +| aws_securityhub.finding.compliance.assessments.category | The category that the assessment is part of. | keyword | +| aws_securityhub.finding.compliance.assessments.desc | The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting. | keyword | +| aws_securityhub.finding.compliance.assessments.meets_criteria | Determines whether the assessment against the specific configuration or signal meets the assessments criteria. | boolean | +| aws_securityhub.finding.compliance.assessments.name | The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState. | keyword | +| aws_securityhub.finding.compliance.assessments.policy.data | Additional data about the policy such as the underlying JSON policy itself or other details. 
| flattened | +| aws_securityhub.finding.compliance.assessments.policy.desc | The description of the policy. | keyword | +| aws_securityhub.finding.compliance.assessments.policy.group.desc | The group description. | keyword | +| aws_securityhub.finding.compliance.assessments.policy.is_applied | A determination if the content of a policy was applied to a target or request, or not. | boolean | +| aws_securityhub.finding.compliance.assessments.policy.name | The policy name. | keyword | +| aws_securityhub.finding.compliance.assessments.policy.uid | A unique identifier of the policy instance. | keyword | +| aws_securityhub.finding.compliance.assessments.policy.version | The policy version number. | keyword | +| aws_securityhub.finding.compliance.assessments.uid | The unique identifier of the configuration or signal being assessed. | keyword | +| aws_securityhub.finding.compliance.category | The category a control framework pertains to, as reported by the source tool, such as Asset Management or Risk Assessment. | keyword | +| aws_securityhub.finding.compliance.checks.desc | The detailed description of the compliance check, explaining the security requirement, vulnerability, or configuration being assessed. | keyword | +| aws_securityhub.finding.compliance.checks.name | The name or title of the compliance check. | keyword | +| aws_securityhub.finding.compliance.checks.severity | The severity level as defined in the source document. | keyword | +| aws_securityhub.finding.compliance.checks.severity_id | The normalized severity identifier that maps severity levels to standard severity levels. | keyword | +| aws_securityhub.finding.compliance.checks.standards | The regulatory or industry standard this check is associated with. | keyword | +| aws_securityhub.finding.compliance.checks.status | The resultant status of the compliance check normalized to the caption of the status_id value. 
| keyword | +| aws_securityhub.finding.compliance.checks.status_id | The normalized status identifier of the compliance check. | keyword | +| aws_securityhub.finding.compliance.checks.uid | The unique identifier of the compliance check within its standard or framework. | keyword | +| aws_securityhub.finding.compliance.checks.version | The check version. | keyword | +| aws_securityhub.finding.compliance.control | A Control is a prescriptive, actionable set of specifications that strengthens device posture. | keyword | +| aws_securityhub.finding.compliance.control_parameters | The list of control parameters evaluated in a Compliance check. | nested | +| aws_securityhub.finding.compliance.desc | The description or criteria of a control. | keyword | +| aws_securityhub.finding.compliance.requirements | The specific compliance requirements being evaluated. | keyword | +| aws_securityhub.finding.compliance.standards | The regulatory or industry standards being evaluated for compliance. | keyword | +| aws_securityhub.finding.compliance.status | The resultant status of the compliance check normalized to the caption of the status_id value. | keyword | +| aws_securityhub.finding.compliance.status_code | The resultant status code of the compliance check. | keyword | +| aws_securityhub.finding.compliance.status_details | A list of contextual descriptions of the status, status_code values. | keyword | +| aws_securityhub.finding.compliance.status_id | The normalized status identifier of the compliance check. | keyword | +| aws_securityhub.finding.confidence | The confidence, normalized to the caption of the confidence_id value. . | keyword | +| aws_securityhub.finding.confidence_id | The normalized confidence refers to the accuracy of the rule that created the finding. | keyword | +| aws_securityhub.finding.confidence_score | The confidence score as reported by the event source. 
| long | +| aws_securityhub.finding.count | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | long | +| aws_securityhub.finding.device.agent_list.name | The name of the agent or sensor. | keyword | +| aws_securityhub.finding.device.agent_list.policies | Describes the various policies that may be applied or enforced by an agent or sensor. | nested | +| aws_securityhub.finding.device.agent_list.type | The normalized caption of the type_id value for the agent or sensor. | keyword | +| aws_securityhub.finding.device.agent_list.type_id | The normalized representation of an agent or sensor. | keyword | +| aws_securityhub.finding.device.agent_list.uid | The UID of the agent or sensor, sometimes known as a Sensor ID or aid. | keyword | +| aws_securityhub.finding.device.agent_list.uid_alt | An alternative or contextual identifier for the agent or sensor. | keyword | +| aws_securityhub.finding.device.agent_list.vendor_name | The company or author who created the agent or sensor. | keyword | +| aws_securityhub.finding.device.agent_list.version | The semantic version of the agent or sensor. | keyword | +| aws_securityhub.finding.device.autoscale_uid | The unique identifier of the cloud autoscale configuration. | keyword | +| aws_securityhub.finding.device.boot_time | The time the system was booted. | date | +| aws_securityhub.finding.device.boot_time_dt | The time the system was booted. | date | +| aws_securityhub.finding.device.boot_uid | A unique identifier of the device that changes after every reboot. | keyword | +| aws_securityhub.finding.device.container.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened | +| aws_securityhub.finding.device.container.image | The container image used as a template to run the container. | flattened | +| aws_securityhub.finding.device.container.labels | The list of labels associated to the container. 
| keyword | +| aws_securityhub.finding.device.container.name | The container name. | keyword | +| aws_securityhub.finding.device.container.network_driver | The network driver used by the container. | keyword | +| aws_securityhub.finding.device.container.orchestrator | The orchestrator managing the container. | keyword | +| aws_securityhub.finding.device.container.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword | +| aws_securityhub.finding.device.container.runtime | The backend running the container. | keyword | +| aws_securityhub.finding.device.container.size | The size of the container image. | long | +| aws_securityhub.finding.device.container.uid | The full container unique identifier for this instantiation of the container. | keyword | +| aws_securityhub.finding.device.created_time | The time when the device was known to have been created. | date | +| aws_securityhub.finding.device.created_time_dt | The time when the device was known to have been created. | date | +| aws_securityhub.finding.device.desc | The description of the device, ordinarily as reported by the operating system. | keyword | +| aws_securityhub.finding.device.domain | The network domain where the device resides. | keyword | +| aws_securityhub.finding.device.eid | An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device. | keyword | +| aws_securityhub.finding.device.first_seen_time | The initial discovery time of the device. | date | +| aws_securityhub.finding.device.first_seen_time_dt | The initial discovery time of the device. | date | +| aws_securityhub.finding.device.groups.desc | The group privileges. | keyword | +| aws_securityhub.finding.device.groups.domain | The group description. | keyword | +| aws_securityhub.finding.device.groups.name | The domain where the group is defined. | keyword | +| aws_securityhub.finding.device.groups.privileges | The group name. 
| keyword | +| aws_securityhub.finding.device.groups.type | The type of the group or account. | keyword | +| aws_securityhub.finding.device.groups.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.device.hostname | The device hostname. | keyword | +| aws_securityhub.finding.device.hw_info.bios_date | The BIOS date. | keyword | +| aws_securityhub.finding.device.hw_info.bios_manufacturer | The BIOS manufacturer. | keyword | +| aws_securityhub.finding.device.hw_info.bios_ver | The BIOS version. | keyword | +| aws_securityhub.finding.device.hw_info.chassis | The chassis type describes the system enclosure or physical form factor. | keyword | +| aws_securityhub.finding.device.hw_info.cpu_architecture | The CPU architecture, normalized to the caption of the cpu_architecture_id value. | keyword | +| aws_securityhub.finding.device.hw_info.cpu_architecture_id | The normalized identifier of the CPU architecture. | keyword | +| aws_securityhub.finding.device.hw_info.cpu_bits | The cpu architecture, the number of bits used for addressing in memory. | long | +| aws_securityhub.finding.device.hw_info.cpu_cores | The number of processor cores in all installed processors. | long | +| aws_securityhub.finding.device.hw_info.cpu_count | The number of physical processors on a system. | long | +| aws_securityhub.finding.device.hw_info.cpu_speed | The speed of the processor in Mhz. | long | +| aws_securityhub.finding.device.hw_info.cpu_type | The processor type. | keyword | +| aws_securityhub.finding.device.hw_info.desktop_display | The desktop display affiliated with the event. | flattened | +| aws_securityhub.finding.device.hw_info.keyboard_info | The keyboard detailed information. | flattened | +| aws_securityhub.finding.device.hw_info.ram_size | The total amount of installed RAM, in Megabytes. | long | +| aws_securityhub.finding.device.hw_info.serial_number | The device manufacturer serial number. 
| keyword | +| aws_securityhub.finding.device.hw_info.uuid | The device manufacturer assigned universally unique hardware identifier. . | keyword | +| aws_securityhub.finding.device.hw_info.vendor_name | The device manufacturer. | keyword | +| aws_securityhub.finding.device.hypervisor | The name of the hypervisor running on the device. | keyword | +| aws_securityhub.finding.device.iccid | The Integrated Circuit Card Identification of a mobile device. | keyword | +| aws_securityhub.finding.device.image.labels | The list of labels associated to the image. | keyword | +| aws_securityhub.finding.device.image.name | The image name. | keyword | +| aws_securityhub.finding.device.image.path | The full path to the image file. | keyword | +| aws_securityhub.finding.device.image.uid | The unique image ID. | keyword | +| aws_securityhub.finding.device.imei_list | The International Mobile Equipment Identity values that are associated with the device. | keyword | +| aws_securityhub.finding.device.instance_uid | The unique identifier of a VM instance. | keyword | +| aws_securityhub.finding.device.interface_name | The name of the network interface. | keyword | +| aws_securityhub.finding.device.interface_uid | The unique identifier of the network interface. | keyword | +| aws_securityhub.finding.device.ip | The device IP address. | ip | +| aws_securityhub.finding.device.is_backed_up | Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. | boolean | +| aws_securityhub.finding.device.is_compliant | The event occurred on a compliant device. | boolean | +| aws_securityhub.finding.device.is_managed | The event occurred on a managed device. | boolean | +| aws_securityhub.finding.device.is_mobile_account_active | Indicates whether the device has an active mobile account. | boolean | +| aws_securityhub.finding.device.is_personal | The event occurred on a personal device. 
| boolean | +| aws_securityhub.finding.device.is_shared | The event occurred on a shared device. | boolean | +| aws_securityhub.finding.device.is_supervised | The event occurred on a supervised device. | boolean | +| aws_securityhub.finding.device.is_trusted | The event occurred on a trusted device. | boolean | +| aws_securityhub.finding.device.last_seen_time | The most recent discovery time of the device. | date | +| aws_securityhub.finding.device.last_seen_time_dt | The most recent discovery time of the device. | date | +| aws_securityhub.finding.device.location.aerial_height | Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. | keyword | +| aws_securityhub.finding.device.location.city | The name of the city. | keyword | +| aws_securityhub.finding.device.location.continent | The name of the continent. | keyword | +| aws_securityhub.finding.device.location.country | The ISO 3166-1 Alpha-2 country code. | keyword | +| aws_securityhub.finding.device.location.desc | The description of the geographical location. | keyword | +| aws_securityhub.finding.device.location.geodetic_altitude | The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. | keyword | +| aws_securityhub.finding.device.location.geodetic_vertical_accuracy | Provides quality/containment on geodetic altitude. | keyword | +| aws_securityhub.finding.device.location.geohash | Geohash of the geo-coordinates (latitude and longitude). | keyword | +| aws_securityhub.finding.device.location.horizontal_accuracy | Provides quality/containment on horizontal position. | keyword | +| aws_securityhub.finding.device.location.is_on_premises | The indication of whether the location is on premises. | boolean | +| aws_securityhub.finding.device.location.lat | The geographical Latitude coordinate represented in Decimal Degrees (DD). 
| double | +| aws_securityhub.finding.device.location.long | The geographical Longitude coordinate represented in Decimal Degrees (DD). | double | +| aws_securityhub.finding.device.location.postal_code | The postal code of the location. | keyword | +| aws_securityhub.finding.device.location.pressure_altitude | The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. | keyword | +| aws_securityhub.finding.device.location.provider | The provider of the geographical location data. | keyword | +| aws_securityhub.finding.device.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. | keyword | +| aws_securityhub.finding.device.location.value | The geographical location. | geo_point | +| aws_securityhub.finding.device.mac | The Media Access Control (MAC) address of the endpoint. | keyword | +| aws_securityhub.finding.device.meid | The Mobile Equipment Identifier. | keyword | +| aws_securityhub.finding.device.model | The model of the device. | keyword | +| aws_securityhub.finding.device.modified_time | The time when the device was last known to have been modified. | date | +| aws_securityhub.finding.device.modified_time_dt | The time when the device was last known to have been modified. | date | +| aws_securityhub.finding.device.name | The alternate device name, ordinarily as assigned by an administrator. | keyword | +| aws_securityhub.finding.device.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long | +| aws_securityhub.finding.device.network_interfaces.hostname | The hostname associated with the network interface. | keyword | +| aws_securityhub.finding.device.network_interfaces.ip | The IP address associated with the network interface. 
| ip | +| aws_securityhub.finding.device.network_interfaces.mac | The MAC address of the network interface. | keyword | +| aws_securityhub.finding.device.network_interfaces.name | The name of the network interface. | keyword | +| aws_securityhub.finding.device.network_interfaces.namespace | The namespace is useful in merger or acquisition situations. | keyword | +| aws_securityhub.finding.device.network_interfaces.subnet_prefix | The subnet prefix length determines the number of bits used to represent the network part of the IP address. | long | +| aws_securityhub.finding.device.network_interfaces.type | The type of network interface. | keyword | +| aws_securityhub.finding.device.network_interfaces.type_id | The network interface type identifier. | keyword | +| aws_securityhub.finding.device.network_interfaces.uid | The unique identifier for the network interface. | keyword | +| aws_securityhub.finding.device.org.name | The name of the organization. | keyword | +| aws_securityhub.finding.device.org.ou_name | The name of an organizational unit. | keyword | +| aws_securityhub.finding.device.org.ou_uid | The unique identifier of an organizational unit. | keyword | +| aws_securityhub.finding.device.org.uid | The unique identifier of the organization. | keyword | +| aws_securityhub.finding.device.os.build | The operating system build number. | keyword | +| aws_securityhub.finding.device.os.country | The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). | keyword | +| aws_securityhub.finding.device.os.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST). | keyword | +| aws_securityhub.finding.device.os.cpu_bits | The cpu architecture, the number of bits used for addressing in memory. | long | +| aws_securityhub.finding.device.os.edition | The operating system edition. | keyword | +| aws_securityhub.finding.device.os.kernel_release | The kernel release of the operating system. 
| keyword | +| aws_securityhub.finding.device.os.lang | The two letter lower case language codes. | keyword | +| aws_securityhub.finding.device.os.name | The operating system name. | keyword | +| aws_securityhub.finding.device.os.sp_name | The name of the latest Service Pack. | keyword | +| aws_securityhub.finding.device.os.sp_ver | The version number of the latest Service Pack. | keyword | +| aws_securityhub.finding.device.os.type | The type of the operating system. . | keyword | +| aws_securityhub.finding.device.os.type_id | The type identifier of the operating system. | keyword | +| aws_securityhub.finding.device.os.version | The version of the OS running on the device that originated the event. | keyword | +| aws_securityhub.finding.device.os_machine_uuid | The operating system assigned Machine ID. | keyword | +| aws_securityhub.finding.device.owner.account | The user's account or the account associated with the user. | flattened | +| aws_securityhub.finding.device.owner.credential_uid | The unique identifier of the user's credential. | keyword | +| aws_securityhub.finding.device.owner.display_name | The display name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.device.owner.domain | The domain where the user is defined. | keyword | +| aws_securityhub.finding.device.owner.email_addr | The user's primary email address. | keyword | +| aws_securityhub.finding.device.owner.forward_addr | The user's forwarding email address. | keyword | +| aws_securityhub.finding.device.owner.full_name | The full name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.device.owner.groups | The administrative groups to which the user belongs. | nested | +| aws_securityhub.finding.device.owner.has_mfa | The user has a multi-factor or secondary-factor device assigned. | boolean | +| aws_securityhub.finding.device.owner.ldap_person | The additional LDAP attributes that describe a person. 
| flattened | +| aws_securityhub.finding.device.owner.name | The username. | keyword | +| aws_securityhub.finding.device.owner.org | Organization and org unit related to the user. | flattened | +| aws_securityhub.finding.device.owner.phone_number | The telephone number of the user. | keyword | +| aws_securityhub.finding.device.owner.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.device.owner.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.device.owner.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.device.owner.type | The type of the user. | keyword | +| aws_securityhub.finding.device.owner.type_id | The account type identifier. | keyword | +| aws_securityhub.finding.device.owner.uid | The unique user identifier. | keyword | +| aws_securityhub.finding.device.owner.uid_alt | The alternate user identifier. | keyword | +| aws_securityhub.finding.device.region | The region where the virtual machine is located. | keyword | +| aws_securityhub.finding.device.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.device.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.device.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.device.subnet | The subnet mask. | keyword | +| aws_securityhub.finding.device.subnet_uid | The unique identifier of a virtual subnet. | keyword | +| aws_securityhub.finding.device.type | The device type. | keyword | +| aws_securityhub.finding.device.type_id | The device type ID. | keyword | +| aws_securityhub.finding.device.udid | The Apple assigned Unique Device Identifier (UDID). | keyword | +| aws_securityhub.finding.device.uid | The unique identifier of the device. 
| keyword | +| aws_securityhub.finding.device.uid_alt | An alternate unique identifier of the device if any. | keyword | +| aws_securityhub.finding.device.vendor_name | The vendor for the device. | keyword | +| aws_securityhub.finding.device.vlan_uid | The Virtual LAN identifier. | keyword | +| aws_securityhub.finding.device.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| aws_securityhub.finding.device.zone | The network zone or LAN segment. | keyword | +| aws_securityhub.finding.disposition | The disposition name, normalized to the caption of the disposition_id value. | keyword | +| aws_securityhub.finding.disposition_id | Describes the outcome or action taken by a security control. | keyword | +| aws_securityhub.finding.duration | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. | long | +| aws_securityhub.finding.end_time | The time of the most recent event included in the finding. | date | +| aws_securityhub.finding.end_time_dt | The time of the most recent event included in the finding. | date | +| aws_securityhub.finding.enrichments.created_time | The time when the enrichment data was generated. | date | +| aws_securityhub.finding.enrichments.created_time_dt | The time when the enrichment data was generated. | date | +| aws_securityhub.finding.enrichments.data | The enrichment data associated with the attribute and value. . | flattened | +| aws_securityhub.finding.enrichments.desc | A long description of the enrichment data. | keyword | +| aws_securityhub.finding.enrichments.name | The name of the attribute to which the enriched data pertains. | keyword | +| aws_securityhub.finding.enrichments.provider | The enrichment data provider name. | keyword | +| aws_securityhub.finding.enrichments.reputation.base_score | The reputation score as reported by the event source. 
| double | +| aws_securityhub.finding.enrichments.reputation.provider | The provider of the reputation information. | keyword | +| aws_securityhub.finding.enrichments.reputation.score | The reputation score, normalized to the caption of the score_id value. | keyword | +| aws_securityhub.finding.enrichments.reputation.score_id | The normalized reputation score identifier. | keyword | +| aws_securityhub.finding.enrichments.short_desc | A short description of the enrichment data. | keyword | +| aws_securityhub.finding.enrichments.src_url | The URL of the source of the enrichment data. | keyword | +| aws_securityhub.finding.enrichments.type | The enrichment type. | keyword | +| aws_securityhub.finding.enrichments.value | The value of the attribute to which the enriched data pertains. | keyword | +| aws_securityhub.finding.evidences.actor.app_name | The client application or service that initiated the activity. | keyword | +| aws_securityhub.finding.evidences.actor.app_uid | The unique identifier of the client application or service that initiated the activity. | keyword | +| aws_securityhub.finding.evidences.actor.authorizations.decision | Authorization Result/outcome. | keyword | +| aws_securityhub.finding.evidences.actor.authorizations.policy | Details about the Identity/Access management policies that are applicable. | flattened | +| aws_securityhub.finding.evidences.actor.idp.domain | The primary domain associated with the Identity Provider. | keyword | +| aws_securityhub.finding.evidences.actor.idp.fingerprint | The fingerprint of the X.509 certificate used by the Identity Provider. | flattened | +| aws_securityhub.finding.evidences.actor.idp.has_mfa | The Identity Provider enforces Multi Factor Authentication (MFA). | boolean | +| aws_securityhub.finding.evidences.actor.idp.issuer | The unique identifier (often a URL) used by the Identity Provider as its issuer. | keyword | +| aws_securityhub.finding.evidences.actor.idp.name | The name of the Identity Provider. 
| keyword | +| aws_securityhub.finding.evidences.actor.idp.protocol_name | The supported protocol of the Identity Provider. | keyword | +| aws_securityhub.finding.evidences.actor.idp.scim | The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. | flattened | +| aws_securityhub.finding.evidences.actor.idp.sso | The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers. | flattened | +| aws_securityhub.finding.evidences.actor.idp.state | The configuration state of the Identity Provider, normalized to the caption of the state_id value. | keyword | +| aws_securityhub.finding.evidences.actor.idp.state_id | The normalized state ID of the Identity Provider to reflect its configuration or activation status. | keyword | +| aws_securityhub.finding.evidences.actor.idp.tenant_uid | The tenant ID associated with the Identity Provider. | keyword | +| aws_securityhub.finding.evidences.actor.idp.uid | The unique identifier of the Identity Provider. | keyword | +| aws_securityhub.finding.evidences.actor.idp.url_string | The URL for accessing the configuration or metadata of the Identity Provider. | keyword | +| aws_securityhub.finding.evidences.actor.process.auid | The audit user assigned at login by the audit subsystem. | keyword | +| aws_securityhub.finding.evidences.actor.process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword | +| aws_securityhub.finding.evidences.actor.process.container | The information describing an instance of a container. | flattened | +| aws_securityhub.finding.evidences.actor.process.cpid | A unique process identifier that can be assigned deterministically by multiple system data producers. 
| keyword | +| aws_securityhub.finding.evidences.actor.process.created_time | The time when the process was created/started. | date | +| aws_securityhub.finding.evidences.actor.process.created_time_dt | The time when the process was created/started. | date | +| aws_securityhub.finding.evidences.actor.process.egid | The effective group under which this process is running. | keyword | +| aws_securityhub.finding.evidences.actor.process.euid | The effective user under which this process is running. | keyword | +| aws_securityhub.finding.evidences.actor.process.file | The process file object. | flattened | +| aws_securityhub.finding.evidences.actor.process.group | The group under which this process is running. | flattened | +| aws_securityhub.finding.evidences.actor.process.integrity | The process integrity level, normalized to the caption of the integrity_id value. | keyword | +| aws_securityhub.finding.evidences.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword | +| aws_securityhub.finding.evidences.actor.process.loaded_modules | The list of loaded module names. | keyword | +| aws_securityhub.finding.evidences.actor.process.name | The friendly name of the process. | keyword | +| aws_securityhub.finding.evidences.actor.process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long | +| aws_securityhub.finding.evidences.actor.process.parent_process | The parent process of this process object. | flattened | +| aws_securityhub.finding.evidences.actor.process.path | The process file path. | keyword | +| aws_securityhub.finding.evidences.actor.process.pid | The process identifier, as reported by the operating system. | long | +| aws_securityhub.finding.evidences.actor.process.sandbox | The name of the containment jail. 
| keyword | +| aws_securityhub.finding.evidences.actor.process.session | The user session under which this process is running. | flattened | +| aws_securityhub.finding.evidences.actor.process.terminated_time | The time when the process was terminated. | date | +| aws_securityhub.finding.evidences.actor.process.terminated_time_dt | The time when the process was terminated. | date | +| aws_securityhub.finding.evidences.actor.process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | keyword | +| aws_securityhub.finding.evidences.actor.process.uid | A unique identifier for this process assigned by the producer (tool). | keyword | +| aws_securityhub.finding.evidences.actor.process.user | The user under which this process is running. | flattened | +| aws_securityhub.finding.evidences.actor.process.working_directory | The working directory of a process. | keyword | +| aws_securityhub.finding.evidences.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened | +| aws_securityhub.finding.evidences.actor.session.count | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. | long | +| aws_securityhub.finding.evidences.actor.session.created_time | The time when the session was created. | date | +| aws_securityhub.finding.evidences.actor.session.created_time_dt | The time when the session was created. | date | +| aws_securityhub.finding.evidences.actor.session.credential_uid | The unique identifier of the user's credential. | keyword | +| aws_securityhub.finding.evidences.actor.session.expiration_reason | The reason which triggered the session expiration. | keyword | +| aws_securityhub.finding.evidences.actor.session.expiration_time | The session expiration time. 
| date | +| aws_securityhub.finding.evidences.actor.session.expiration_time_dt | The session expiration time. | date | +| aws_securityhub.finding.evidences.actor.session.is_mfa | Indicates whether Multi Factor Authentication was used during authentication. | boolean | +| aws_securityhub.finding.evidences.actor.session.is_remote | The indication of whether the session is remote. | boolean | +| aws_securityhub.finding.evidences.actor.session.is_vpn | The indication of whether the session is a VPN session. | boolean | +| aws_securityhub.finding.evidences.actor.session.issuer | The identifier of the session issuer. | keyword | +| aws_securityhub.finding.evidences.actor.session.terminal | The Pseudo Terminal associated with the session. | keyword | +| aws_securityhub.finding.evidences.actor.session.uid | The unique identifier of the session. | keyword | +| aws_securityhub.finding.evidences.actor.session.uid_alt | The alternate unique identifier of the session. | keyword | +| aws_securityhub.finding.evidences.actor.session.uuid | The universally unique identifier of the session. | keyword | +| aws_securityhub.finding.evidences.actor.user.account | The user's account or the account associated with the user. | flattened | +| aws_securityhub.finding.evidences.actor.user.credential_uid | The unique identifier of the user's credential. | keyword | +| aws_securityhub.finding.evidences.actor.user.display_name | The display name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.evidences.actor.user.domain | The domain where the user is defined. | keyword | +| aws_securityhub.finding.evidences.actor.user.email_addr | The user's primary email address. | keyword | +| aws_securityhub.finding.evidences.actor.user.forward_addr | The user's forwarding email address. | keyword | +| aws_securityhub.finding.evidences.actor.user.full_name | The full name of the user, as reported by the product. 
| keyword | +| aws_securityhub.finding.evidences.actor.user.groups | The administrative groups to which the user belongs. | nested | +| aws_securityhub.finding.evidences.actor.user.has_mfa | The user has a multi-factor or secondary-factor device assigned. | boolean | +| aws_securityhub.finding.evidences.actor.user.ldap_person | The additional LDAP attributes that describe a person. | flattened | +| aws_securityhub.finding.evidences.actor.user.name | The username. | keyword | +| aws_securityhub.finding.evidences.actor.user.org | Organization and org unit related to the user. | flattened | +| aws_securityhub.finding.evidences.actor.user.phone_number | The telephone number of the user. | keyword | +| aws_securityhub.finding.evidences.actor.user.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.evidences.actor.user.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.evidences.actor.user.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.evidences.actor.user.type | The type of the user. | keyword | +| aws_securityhub.finding.evidences.actor.user.type_id | The account type identifier. | keyword | +| aws_securityhub.finding.evidences.actor.user.uid | The unique user identifier. | keyword | +| aws_securityhub.finding.evidences.actor.user.uid_alt | The alternate user identifier. | keyword | +| aws_securityhub.finding.evidences.api.group.desc | The group description. | keyword | +| aws_securityhub.finding.evidences.api.group.domain | The domain where the group is defined. | keyword | +| aws_securityhub.finding.evidences.api.group.name | The group name. | keyword | +| aws_securityhub.finding.evidences.api.group.privileges | The group privileges. | keyword | +| aws_securityhub.finding.evidences.api.group.type | The type of the group or account. 
| keyword | +| aws_securityhub.finding.evidences.api.group.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.evidences.api.operation | Verb/Operation associated with the request. | keyword | +| aws_securityhub.finding.evidences.api.request.containers | When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. | nested | +| aws_securityhub.finding.evidences.api.request.data | The additional data that is associated with the api request. | flattened | +| aws_securityhub.finding.evidences.api.request.flags | The communication flags that are associated with the api request. | keyword | +| aws_securityhub.finding.evidences.api.request.uid | The unique request identifier. | keyword | +| aws_securityhub.finding.evidences.api.response.code | The numeric response sent to a request. | long | +| aws_securityhub.finding.evidences.api.response.containers | When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. | nested | +| aws_securityhub.finding.evidences.api.response.data | The additional data that is associated with the api response. | flattened | +| aws_securityhub.finding.evidences.api.response.error | Error Code. | keyword | +| aws_securityhub.finding.evidences.api.response.error_message | Error Message. | keyword | +| aws_securityhub.finding.evidences.api.response.flags | The communication flags that are associated with the api response. | keyword | +| aws_securityhub.finding.evidences.api.response.message | The description of the event/finding, as defined by the source. | keyword | +| aws_securityhub.finding.evidences.api.service.labels | The list of labels associated with the service. | keyword | +| aws_securityhub.finding.evidences.api.service.name | The name of the service. 
| keyword | +| aws_securityhub.finding.evidences.api.service.uid | The unique identifier of the service. | keyword | +| aws_securityhub.finding.evidences.api.service.version | The version of the service. | keyword | +| aws_securityhub.finding.evidences.api.version | The version of the API service. | keyword | +| aws_securityhub.finding.evidences.connection_info.boundary | The boundary of the connection, normalized to the caption of 'boundary_id'. | keyword | +| aws_securityhub.finding.evidences.connection_info.boundary_id | The normalized identifier of the boundary of the connection. | keyword | +| aws_securityhub.finding.evidences.connection_info.community_uid | The Community ID of the network connection. | keyword | +| aws_securityhub.finding.evidences.connection_info.direction | The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. | keyword | +| aws_securityhub.finding.evidences.connection_info.direction_id | The normalized identifier of the direction of the initiated connection, traffic, or email. | keyword | +| aws_securityhub.finding.evidences.connection_info.flag_history | The Connection Flag History summarizes events in a network connection. | keyword | +| aws_securityhub.finding.evidences.connection_info.protocol_name | The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). | keyword | +| aws_securityhub.finding.evidences.connection_info.protocol_num | The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). | long | +| aws_securityhub.finding.evidences.connection_info.protocol_ver | The Internet Protocol version. | keyword | +| aws_securityhub.finding.evidences.connection_info.protocol_ver_id | The Internet Protocol version identifier. | keyword | +| aws_securityhub.finding.evidences.connection_info.session | The authenticated user or service session. 
| flattened | +| aws_securityhub.finding.evidences.connection_info.tcp_flags | The network connection TCP header flags (i.e., control bits). | long | +| aws_securityhub.finding.evidences.connection_info.uid | The unique identifier of the connection. | keyword | +| aws_securityhub.finding.evidences.container | Describes details about the container associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.data | Additional evidence data that is not accounted for in the specific evidence attributes. | flattened | +| aws_securityhub.finding.evidences.database | Describes details about the database associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.databucket | Describes details about the databucket associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.device | An addressable device, computer system or host associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.dst_endpoint | Describes details about the destination of the network activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.email | The email object associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.file | Describes details about the file associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.http_request | Describes details about the http request associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.http_response | Describes details about the http response associated to the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.ja4_fingerprint_list | Describes details about the JA4+ fingerprints that triggered the detection. 
| nested | +| aws_securityhub.finding.evidences.job | Describes details about the scheduled job that was associated with the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.name | The naming convention or type identifier of the evidence associated with the security detection. | keyword | +| aws_securityhub.finding.evidences.process.ancestry | An array of Process Entities describing the extended parentage of this process object. | nested | +| aws_securityhub.finding.evidences.process.auid | The audit user assigned at login by the audit subsystem. | keyword | +| aws_securityhub.finding.evidences.process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword | +| aws_securityhub.finding.evidences.process.container | The information describing an instance of a container. | flattened | +| aws_securityhub.finding.evidences.process.cpid | A unique process identifier that can be assigned deterministically by multiple system data producers. | keyword | +| aws_securityhub.finding.evidences.process.created_time | The time when the process was created/started. | date | +| aws_securityhub.finding.evidences.process.created_time_dt | The time when the process was created/started. | date | +| aws_securityhub.finding.evidences.process.egid | The effective group under which this process is running. | keyword | +| aws_securityhub.finding.evidences.process.environment_variables | Environment variables associated with the process. | nested | +| aws_securityhub.finding.evidences.process.euid | The effective user under which this process is running. | keyword | +| aws_securityhub.finding.evidences.process.file | The process file object. | flattened | +| aws_securityhub.finding.evidences.process.group | The group under which this process is running. | flattened | +| aws_securityhub.finding.evidences.process.integrity | The process integrity level, normalized to the caption of the integrity_id value. 
| keyword | +| aws_securityhub.finding.evidences.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword | +| aws_securityhub.finding.evidences.process.loaded_modules | The list of loaded module names. | keyword | +| aws_securityhub.finding.evidences.process.name | The friendly name of the process. | keyword | +| aws_securityhub.finding.evidences.process.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long | +| aws_securityhub.finding.evidences.process.parent_process | The parent process of this process object. | flattened | +| aws_securityhub.finding.evidences.process.path | The process file path. | keyword | +| aws_securityhub.finding.evidences.process.pid | The process identifier, as reported by the operating system. | long | +| aws_securityhub.finding.evidences.process.sandbox | The name of the containment jail. | keyword | +| aws_securityhub.finding.evidences.process.session | The user session under which this process is running. | flattened | +| aws_securityhub.finding.evidences.process.terminated_time | The time when the process was terminated. | date | +| aws_securityhub.finding.evidences.process.terminated_time_dt | The time when the process was terminated. | date | +| aws_securityhub.finding.evidences.process.tid | The Identifier of the thread associated with the event, as returned by the operating system. | keyword | +| aws_securityhub.finding.evidences.process.uid | A unique identifier for this process assigned by the producer (tool). | keyword | +| aws_securityhub.finding.evidences.process.user | The user under which this process is running. | flattened | +| aws_securityhub.finding.evidences.process.working_directory | The working directory of a process. 
| keyword | +| aws_securityhub.finding.evidences.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened | +| aws_securityhub.finding.evidences.query.class | The class of resource records being queried. | keyword | +| aws_securityhub.finding.evidences.query.hostname | The hostname or domain being queried. | keyword | +| aws_securityhub.finding.evidences.query.opcode | The DNS opcode specifies the type of the query message. | keyword | +| aws_securityhub.finding.evidences.query.opcode_id | The DNS opcode ID specifies the normalized query message type as defined in RFC-5395. | keyword | +| aws_securityhub.finding.evidences.query.packet_uid | The DNS packet identifier assigned by the program that generated the query. | keyword | +| aws_securityhub.finding.evidences.query.type | The type of resource records being queried. | keyword | +| aws_securityhub.finding.evidences.reg_key | Describes details about the registry key that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.reg_value | Describes details about the registry value that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.resources | Describes details about the cloud resources directly related to activity that triggered the detection. | nested | +| aws_securityhub.finding.evidences.script | Describes details about the script that was associated with the activity that triggered the detection. | flattened | +| aws_securityhub.finding.evidences.src_endpoint.agent_list | A list of agent objects associated with a device, endpoint, or resource. | nested | +| aws_securityhub.finding.evidences.src_endpoint.autonomous_system | The Autonomous System details associated with an IP address. | flattened | +| aws_securityhub.finding.evidences.src_endpoint.container | The information describing an instance of a container. 
| flattened | +| aws_securityhub.finding.evidences.src_endpoint.domain | The name of the domain that the endpoint belongs to or that corresponds to the endpoint. | keyword | +| aws_securityhub.finding.evidences.src_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| aws_securityhub.finding.evidences.src_endpoint.hw_info | The endpoint hardware information. | flattened | +| aws_securityhub.finding.evidences.src_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | +| aws_securityhub.finding.evidences.src_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | +| aws_securityhub.finding.evidences.src_endpoint.interface_uid | The unique identifier of the network interface. | keyword | +| aws_securityhub.finding.evidences.src_endpoint.intermediate_ips | The intermediate IP Addresses. | ip | +| aws_securityhub.finding.evidences.src_endpoint.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip | +| aws_securityhub.finding.evidences.src_endpoint.isp | The name of the Internet Service Provider (ISP). | keyword | +| aws_securityhub.finding.evidences.src_endpoint.isp_org | The organization name of the Internet Service Provider (ISP). | keyword | +| aws_securityhub.finding.evidences.src_endpoint.location | The geographical location of the endpoint. | flattened | +| aws_securityhub.finding.evidences.src_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | +| aws_securityhub.finding.evidences.src_endpoint.name | The short name of the endpoint. | keyword | +| aws_securityhub.finding.evidences.src_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | long | +| aws_securityhub.finding.evidences.src_endpoint.os | The endpoint operating system. 
| flattened | 
+| aws_securityhub.finding.evidences.src_endpoint.owner | The identity of the service or user account that owns the endpoint or was last logged into it. | flattened |
+| aws_securityhub.finding.evidences.src_endpoint.port | The port used for communication within the network connection. | long |
+| aws_securityhub.finding.evidences.src_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. | flattened |
+| aws_securityhub.finding.evidences.src_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.svc_name | The service name in service-to-service connections. | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.type | The network endpoint type. | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.type_id | The network endpoint type ID. | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.uid | The unique identifier of the endpoint. | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| aws_securityhub.finding.evidences.src_endpoint.zone | The network zone or LAN segment. | keyword |
+| aws_securityhub.finding.evidences.tls | Describes details about the Transport Layer Security (TLS) activity that triggered the detection. | flattened |
+| aws_securityhub.finding.evidences.uid | The unique identifier of the evidence associated with the security detection. | keyword |
+| aws_securityhub.finding.evidences.url | The URL object that pertains to the event or object associated to the activity that triggered the detection. | flattened |
+| aws_securityhub.finding.evidences.user | Describes details about the user that was the target or somehow else associated with the activity that triggered the detection. 
| flattened | 
+| aws_securityhub.finding.evidences.verdict | The normalized verdict of the evidence associated with the security detection. | keyword |
+| aws_securityhub.finding.evidences.verdict_id | The normalized verdict (or status) ID of the evidence associated with the security detection. | keyword |
+| aws_securityhub.finding.evidences.win_service | Describes details about the Windows service that triggered the detection. | flattened |
+| aws_securityhub.finding.finding_info.analytic.algorithm | The algorithm used by the underlying analytic to generate the finding. | keyword |
+| aws_securityhub.finding.finding_info.analytic.category | The analytic category. | keyword |
+| aws_securityhub.finding.finding_info.analytic.desc | The description of the analytic that generated the finding. | keyword |
+| aws_securityhub.finding.finding_info.analytic.name | The name of the analytic that generated the finding. | keyword |
+| aws_securityhub.finding.finding_info.analytic.type | The analytic type. | keyword |
+| aws_securityhub.finding.finding_info.analytic.type_id | The analytic type ID. | keyword |
+| aws_securityhub.finding.finding_info.analytic.uid | The unique identifier of the analytic that generated the finding. | keyword |
+| aws_securityhub.finding.finding_info.analytic.version | The analytic version. | keyword |
+| aws_securityhub.finding.finding_info.attacks.mitigation | The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack. | flattened |
+| aws_securityhub.finding.finding_info.attacks.sub_technique | The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack. | flattened |
+| aws_securityhub.finding.finding_info.attacks.tactic | The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack. 
| flattened | 
+| aws_securityhub.finding.finding_info.attacks.technique | The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack. | flattened |
+| aws_securityhub.finding.finding_info.attacks.version | The ATT&CK® or ATLAS™ Matrix version. | keyword |
+| aws_securityhub.finding.finding_info.created_time | The time when the finding was created. | date |
+| aws_securityhub.finding.finding_info.created_time_dt | The time when the finding was created. | date |
+| aws_securityhub.finding.finding_info.data_sources | A list of data sources utilized in generation of the finding. | keyword |
+| aws_securityhub.finding.finding_info.desc | The description of the reported finding. | keyword |
+| aws_securityhub.finding.finding_info.first_seen_time | The time when the finding was first observed. | date |
+| aws_securityhub.finding.finding_info.first_seen_time_dt | The time when the finding was first observed. | date |
+| aws_securityhub.finding.finding_info.kill_chain.phase | The cyber kill chain phase. | keyword |
+| aws_securityhub.finding.finding_info.kill_chain.phase_id | The cyber kill chain phase identifier. | keyword |
+| aws_securityhub.finding.finding_info.last_seen_time | The time when the finding was most recently observed. | date |
+| aws_securityhub.finding.finding_info.last_seen_time_dt | The time when the finding was most recently observed. | date |
+| aws_securityhub.finding.finding_info.modified_time | The time when the finding was last modified. | date |
+| aws_securityhub.finding.finding_info.modified_time_dt | The time when the finding was last modified. | date |
+| aws_securityhub.finding.finding_info.product.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST). | keyword |
+| aws_securityhub.finding.finding_info.product.data_classifications | A list of Data Classification objects. | nested |
+| aws_securityhub.finding.finding_info.product.feature.name | The name of the feature. 
| keyword | 
+| aws_securityhub.finding.finding_info.product.feature.uid | The unique identifier of the feature. | keyword |
+| aws_securityhub.finding.finding_info.product.feature.version | The version of the feature. | keyword |
+| aws_securityhub.finding.finding_info.product.lang | The two letter lower case language codes. | keyword |
+| aws_securityhub.finding.finding_info.product.name | The name of the product. | keyword |
+| aws_securityhub.finding.finding_info.product.path | The installation path of the product. | keyword |
+| aws_securityhub.finding.finding_info.product.uid | The unique identifier of the product. | keyword |
+| aws_securityhub.finding.finding_info.product.url_string | The URL pointing towards the product. | keyword |
+| aws_securityhub.finding.finding_info.product.vendor_name | The name of the vendor of the product. | keyword |
+| aws_securityhub.finding.finding_info.product.version | The version of the product. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.algorithm | The algorithm used by the underlying analytic to generate the finding. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.category | The analytic category. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.desc | The description of the analytic that generated the finding. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.name | The name of the analytic that generated the finding. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.type | The analytic type. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.type_id | The analytic type ID. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.uid | The unique identifier of the analytic that generated the finding. | keyword |
+| aws_securityhub.finding.finding_info.related_analytics.vendor_name | The name of the vendor of the product. 
| keyword | 
+| aws_securityhub.finding.finding_info.related_analytics.version | The analytic version. | keyword |
+| aws_securityhub.finding.finding_info.related_events.attacks | An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. | nested |
+| aws_securityhub.finding.finding_info.related_events.count | The number of times that activity in the same logical group occurred, as reported by the related Finding. | long |
+| aws_securityhub.finding.finding_info.related_events.created_time | The time when the related event/finding was created. | date |
+| aws_securityhub.finding.finding_info.related_events.created_time_dt | The time when the related event/finding was created. | date |
+| aws_securityhub.finding.finding_info.related_events.desc | A description of the related event/finding. | keyword |
+| aws_securityhub.finding.finding_info.related_events.first_seen_time | The time when the finding was first observed. | date |
+| aws_securityhub.finding.finding_info.related_events.first_seen_time_dt | The time when the finding was first observed. | date |
+| aws_securityhub.finding.finding_info.related_events.kill_chain | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. | nested |
+| aws_securityhub.finding.finding_info.related_events.last_seen_time | The time when the finding was most recently observed. | date |
+| aws_securityhub.finding.finding_info.related_events.last_seen_time_dt | The time when the finding was most recently observed. | date |
+| aws_securityhub.finding.finding_info.related_events.modified_time | The time when the related event/finding was last modified. | date |
+| aws_securityhub.finding.finding_info.related_events.modified_time_dt | The time when the related event/finding was last modified. 
| date | 
+| aws_securityhub.finding.finding_info.related_events.observables | The observables associated with the event or a finding. | nested |
+| aws_securityhub.finding.finding_info.related_events.product | Details about the product that reported the related event/finding. | flattened |
+| aws_securityhub.finding.finding_info.related_events.severity | The event/finding severity, normalized to the caption of the severity_id value. | keyword |
+| aws_securityhub.finding.finding_info.related_events.severity_id | The normalized identifier of the event/finding severity. | keyword |
+| aws_securityhub.finding.finding_info.related_events.title | A title or a brief phrase summarizing the related event/finding. | keyword |
+| aws_securityhub.finding.finding_info.related_events.traits | The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome. | nested |
+| aws_securityhub.finding.finding_info.related_events.type | The type of the related event/finding. | keyword |
+| aws_securityhub.finding.finding_info.related_events.type_name | The type of the related OCSF event, as defined by type_uid. | keyword |
+| aws_securityhub.finding.finding_info.related_events.type_uid | The unique identifier of the related OCSF event type. | keyword |
+| aws_securityhub.finding.finding_info.related_events.uid | The unique identifier of the related event/finding. | keyword |
+| aws_securityhub.finding.finding_info.related_events_count | Number of related events or findings. | long |
+| aws_securityhub.finding.finding_info.src_url | The URL pointing to the source of the finding. | keyword |
+| aws_securityhub.finding.finding_info.title | A title or a brief phrase summarizing the reported finding. | keyword |
+| aws_securityhub.finding.finding_info.traits.category | The high-level grouping or classification this trait belongs to. 
| keyword | 
+| aws_securityhub.finding.finding_info.traits.name | The name of the trait. | keyword |
+| aws_securityhub.finding.finding_info.traits.type | The type of the trait. | keyword |
+| aws_securityhub.finding.finding_info.traits.uid | The unique identifier of the trait. | keyword |
+| aws_securityhub.finding.finding_info.traits.values | The values of the trait. | keyword |
+| aws_securityhub.finding.finding_info.types | One or more types of the reported finding. | keyword |
+| aws_securityhub.finding.finding_info.uid | The unique identifier of the reported finding. | keyword |
+| aws_securityhub.finding.finding_info.uid_alt | The alternative unique identifier of the reported finding. | keyword |
+| aws_securityhub.finding.firewall_rule.category | The rule category. | keyword |
+| aws_securityhub.finding.firewall_rule.condition | The rule trigger condition for the rule. | keyword |
+| aws_securityhub.finding.firewall_rule.desc | The description of the rule that generated the event. | keyword |
+| aws_securityhub.finding.firewall_rule.duration | The rule response time duration, usually used for challenge completion time. | long |
+| aws_securityhub.finding.firewall_rule.match_details | The data in a request that rule matched. | keyword |
+| aws_securityhub.finding.firewall_rule.match_location | The location of the matched data in the source which resulted in the triggered firewall rule. | keyword |
+| aws_securityhub.finding.firewall_rule.name | The name of the rule that generated the event. | keyword |
+| aws_securityhub.finding.firewall_rule.rate_limit | The rate limit for a rate-based rule. | long |
+| aws_securityhub.finding.firewall_rule.sensitivity | The sensitivity of the firewall rule in the matched event. | keyword |
+| aws_securityhub.finding.firewall_rule.type | The rule type. | keyword |
+| aws_securityhub.finding.firewall_rule.uid | The unique identifier of the rule that generated the event. 
| keyword | 
+| aws_securityhub.finding.firewall_rule.version | The rule version. | keyword |
+| aws_securityhub.finding.impact | The impact , normalized to the caption of the impact_id value. | keyword |
+| aws_securityhub.finding.impact_id | The normalized impact of the incident or finding. | keyword |
+| aws_securityhub.finding.impact_score | The impact as an integer value of the finding. | long |
+| aws_securityhub.finding.is_alert | Indicates that the event is considered to be an alertable signal. | boolean |
+| aws_securityhub.finding.is_suspected_breach | A determination based on analytics as to whether a potential breach was found. | boolean |
+| aws_securityhub.finding.malware.classification_ids | The list of normalized identifiers of the malware classifications. | keyword |
+| aws_securityhub.finding.malware.classifications | The list of malware classifications, normalized to the captions of the classification_ids values. | keyword |
+| aws_securityhub.finding.malware.cves.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. | date |
+| aws_securityhub.finding.malware.cves.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. | date |
+| aws_securityhub.finding.malware.cves.cvss.base_score | The CVSS base score. | double |
+| aws_securityhub.finding.malware.cves.cvss.depth | The CVSS depth represents a depth of the equation used to calculate CVSS score. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.metrics.name | The Common Vulnerability Scoring System metrics. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.metrics.value | The Common Vulnerability Scoring System metrics. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.overall_score | The CVSS overall score, impacted by base, temporal, and environmental metrics. 
| double | 
+| aws_securityhub.finding.malware.cves.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.src_url | The source URL for the CVSS score. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.vendor_name | The vendor that provided the CVSS score. | keyword |
+| aws_securityhub.finding.malware.cves.cvss.version | The CVSS version. | keyword |
+| aws_securityhub.finding.malware.cves.desc | A brief description of the CVE Record. | keyword |
+| aws_securityhub.finding.malware.cves.epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. | flattened |
+| aws_securityhub.finding.malware.cves.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
+| aws_securityhub.finding.malware.cves.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
+| aws_securityhub.finding.malware.cves.product | The product where the vulnerability was discovered. | flattened |
+| aws_securityhub.finding.malware.cves.references | A list of reference URLs with additional information about the CVE Record. | keyword |
+| aws_securityhub.finding.malware.cves.related_cwes | Describes the Common Weakness Enumeration (CWE) details related to the CVE Record. | nested |
+| aws_securityhub.finding.malware.cves.title | A title or a brief phrase summarizing the CVE record. | keyword |
+| aws_securityhub.finding.malware.cves.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword |
+| aws_securityhub.finding.malware.cves.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. 
| keyword | 
+| aws_securityhub.finding.malware.files.accessed_time | The time when the file was last accessed. | date |
+| aws_securityhub.finding.malware.files.accessed_time_dt | The time when the file was last accessed. | date |
+| aws_securityhub.finding.malware.files.accessor | The name of the user who last accessed the object. | flattened |
+| aws_securityhub.finding.malware.files.attributes | The bitmask value that represents the file attributes. | long |
+| aws_securityhub.finding.malware.files.company_name | The name of the company that published the file. | keyword |
+| aws_securityhub.finding.malware.files.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. | keyword |
+| aws_securityhub.finding.malware.files.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| aws_securityhub.finding.malware.files.created_time | The time when the file was created. | date |
+| aws_securityhub.finding.malware.files.created_time_dt | The time when the file was created. | date |
+| aws_securityhub.finding.malware.files.creator | The user that created the file. | flattened |
+| aws_securityhub.finding.malware.files.data_classifications | A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. | nested |
+| aws_securityhub.finding.malware.files.desc | The description of the file, as returned by file system. | keyword |
+| aws_securityhub.finding.malware.files.drive_type | The drive type, normalized to the caption of the drive_type_id value. | keyword |
+| aws_securityhub.finding.malware.files.drive_type_id | Identifies the type of a disk drive. | keyword |
+| aws_securityhub.finding.malware.files.encryption_details | The encryption details of the file. | flattened |
+| aws_securityhub.finding.malware.files.ext | The extension of the file, excluding the leading dot. 
| keyword | 
+| aws_securityhub.finding.malware.files.hashes | An array of hash attributes. | nested |
+| aws_securityhub.finding.malware.files.internal_name | The name of the file as identified within the file itself. | keyword |
+| aws_securityhub.finding.malware.files.is_deleted | Indicates if the file was deleted from the filesystem. | boolean |
+| aws_securityhub.finding.malware.files.is_encrypted | Indicates if the file is encrypted. | boolean |
+| aws_securityhub.finding.malware.files.is_system | The indication of whether the object is part of the operating system. | boolean |
+| aws_securityhub.finding.malware.files.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
+| aws_securityhub.finding.malware.files.modified_time | The time when the file was last modified. | date |
+| aws_securityhub.finding.malware.files.modified_time_dt | The time when the file was last modified. | date |
+| aws_securityhub.finding.malware.files.modifier | The user that last modified the file. | flattened |
+| aws_securityhub.finding.malware.files.name | The name of the file. | keyword |
+| aws_securityhub.finding.malware.files.owner | The user that owns the file/object. | flattened |
+| aws_securityhub.finding.malware.files.parent_folder | The parent folder in which the file resides. | keyword |
+| aws_securityhub.finding.malware.files.path | The full path to the file. | keyword |
+| aws_securityhub.finding.malware.files.product | The product that created or installed the file. | flattened |
+| aws_securityhub.finding.malware.files.security_descriptor | The object security descriptor. | keyword |
+| aws_securityhub.finding.malware.files.signature | The digital signature of the file. | flattened |
+| aws_securityhub.finding.malware.files.size | The size of data, in bytes. | long |
+| aws_securityhub.finding.malware.files.type | The file type. | keyword |
+| aws_securityhub.finding.malware.files.type_id | The file type ID. 
| keyword | 
+| aws_securityhub.finding.malware.files.uid | The unique identifier of the file as defined by the storage system. | keyword |
+| aws_securityhub.finding.malware.files.uri | The file URI. | keyword |
+| aws_securityhub.finding.malware.files.url | The URL of the file. | flattened |
+| aws_securityhub.finding.malware.files.version | The file version. | keyword |
+| aws_securityhub.finding.malware.files.volume | The volume on the storage device where the file is located. | keyword |
+| aws_securityhub.finding.malware.files.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
+| aws_securityhub.finding.malware.name | The malware name, as reported by the detection engine. | keyword |
+| aws_securityhub.finding.malware.num_infected | The number of files that were identified to be infected by the malware. | long |
+| aws_securityhub.finding.malware.provider | The name or identifier of the security solution or service that provided the malware detection information. | keyword |
+| aws_securityhub.finding.malware.severity | The severity of the malware, normalized to the captions of the severity_id values. | keyword |
+| aws_securityhub.finding.malware.severity_id | The normalized identifier of the malware severity. | keyword |
+| aws_securityhub.finding.malware.uid | A unique identifier for the specific malware instance, as assigned by the detection engine. | keyword |
+| aws_securityhub.finding.malware_scan_info.end_time | The timestamp indicating when the scan job completed execution. | date |
+| aws_securityhub.finding.malware_scan_info.end_time_dt | The timestamp indicating when the scan job completed execution. | date |
+| aws_securityhub.finding.malware_scan_info.name | The administrator-supplied or application-generated name of the scan. | keyword |
+| aws_securityhub.finding.malware_scan_info.num_files | The total number of files analyzed during the scan. 
| long | 
+| aws_securityhub.finding.malware_scan_info.num_infected | The total number of files identified as infected with malware during the scan. | long |
+| aws_securityhub.finding.malware_scan_info.num_volumes | The total number of storage volumes examined during the malware scan. | long |
+| aws_securityhub.finding.malware_scan_info.size | The total size in bytes of all files that were scanned. | long |
+| aws_securityhub.finding.malware_scan_info.start_time | The timestamp indicating when the scan job began execution. | date |
+| aws_securityhub.finding.malware_scan_info.start_time_dt | The timestamp indicating when the scan job began execution. | date |
+| aws_securityhub.finding.malware_scan_info.type | The type of scan. | keyword |
+| aws_securityhub.finding.malware_scan_info.type_id | The type id of the scan. | keyword |
+| aws_securityhub.finding.malware_scan_info.uid | The application-defined unique identifier assigned to an instance of a scan. | keyword |
+| aws_securityhub.finding.malware_scan_info.unique_malware_count | The number of unique malware detected across all infected files. | long |
+| aws_securityhub.finding.message | The description of the event/finding, as defined by the source. | keyword |
+| aws_securityhub.finding.metadata.correlation_uid | The unique identifier used to correlate events. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.category | The name of the data classification category that data matched into. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.category_id | The normalized identifier of the data classification category. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.classifier_details | Describes details about the classifier used for data classification. | flattened |
+| aws_securityhub.finding.metadata.data_classifications.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. 
| keyword | 
+| aws_securityhub.finding.metadata.data_classifications.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.discovery_details | Details about the data discovered by classification job. | nested |
+| aws_securityhub.finding.metadata.data_classifications.policy | Details about the data policy that governs data handling and security measures related to classification. | flattened |
+| aws_securityhub.finding.metadata.data_classifications.size | Size of the data classified. | long |
+| aws_securityhub.finding.metadata.data_classifications.src_url | The source URL pointing towards the full classifcation job details. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.status | The resultant status of the classification job normalized to the caption of the status_id value. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.status_details | The contextual description of the status, status_id value. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.status_id | The normalized status identifier of the classification job. | keyword |
+| aws_securityhub.finding.metadata.data_classifications.total | The total count of discovered entities, by the classification job. | long |
+| aws_securityhub.finding.metadata.data_classifications.uid | The unique identifier of the classification job. | keyword |
+| aws_securityhub.finding.metadata.debug | Debug information about non-fatal issues with this OCSF event. | keyword |
+| aws_securityhub.finding.metadata.event_code | The Event ID, Code, or Name that the product uses to primarily identify the event. | keyword |
+| aws_securityhub.finding.metadata.extensions.name | The schema extension name. | keyword |
+| aws_securityhub.finding.metadata.extensions.uid | The schema extension unique identifier. 
| keyword | 
+| aws_securityhub.finding.metadata.extensions.version | The schema extension version. | keyword |
+| aws_securityhub.finding.metadata.labels | The list of labels attached to the event. | keyword |
+| aws_securityhub.finding.metadata.log_level | The audit level at which an event was generated. | keyword |
+| aws_securityhub.finding.metadata.log_name | The event log name. | keyword |
+| aws_securityhub.finding.metadata.log_provider | The logging provider or logging service that logged the event. | keyword |
+| aws_securityhub.finding.metadata.log_version | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. | keyword |
+| aws_securityhub.finding.metadata.logged_time | The time when the logging system collected and logged the event. | date |
+| aws_securityhub.finding.metadata.logged_time_dt | The time when the logging system collected and logged the event. | date |
+| aws_securityhub.finding.metadata.loggers.device | The device where the events are logged. | flattened |
+| aws_securityhub.finding.metadata.loggers.event_uid | The unique identifier of the event assigned by the logger. | keyword |
+| aws_securityhub.finding.metadata.loggers.log_level | The audit level at which an event was generated. | keyword |
+| aws_securityhub.finding.metadata.loggers.log_name | The event log name. | keyword |
+| aws_securityhub.finding.metadata.loggers.log_provider | The logging provider or logging service that logged the event. | keyword |
+| aws_securityhub.finding.metadata.loggers.log_version | The event log schema version that specifies the format of the original event. | keyword |
+| aws_securityhub.finding.metadata.loggers.logged_time | The time when the logging system collected and logged the event. | date |
+| aws_securityhub.finding.metadata.loggers.logged_time_dt | The time when the logging system collected and logged the event. 
| date | 
+| aws_securityhub.finding.metadata.loggers.name | The name of the logging product instance. | keyword |
+| aws_securityhub.finding.metadata.loggers.product | The product logging the event. | flattened |
+| aws_securityhub.finding.metadata.loggers.transmit_time | The time when the event was transmitted from the logging device to it's next destination. | date |
+| aws_securityhub.finding.metadata.loggers.transmit_time_dt | The time when the event was transmitted from the logging device to it's next destination. | date |
+| aws_securityhub.finding.metadata.loggers.uid | The unique identifier of the logging product instance. | keyword |
+| aws_securityhub.finding.metadata.loggers.version | The version of the logging product. | keyword |
+| aws_securityhub.finding.metadata.modified_time | The time when the event was last modified or enriched. | date |
+| aws_securityhub.finding.metadata.modified_time_dt | The time when the event was last modified or enriched. | date |
+| aws_securityhub.finding.metadata.original_time | The original event time as reported by the event source. | keyword |
+| aws_securityhub.finding.metadata.processed_time | The event processed time. | date |
+| aws_securityhub.finding.metadata.processed_time_dt | The event processed time. | date |
+| aws_securityhub.finding.metadata.product.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST). | keyword |
+| aws_securityhub.finding.metadata.product.data_classifications | A list of Data Classification objects. | nested |
+| aws_securityhub.finding.metadata.product.feature.name | The name of the feature. | keyword |
+| aws_securityhub.finding.metadata.product.feature.uid | The unique identifier of the feature. | keyword |
+| aws_securityhub.finding.metadata.product.feature.version | The version of the feature. | keyword |
+| aws_securityhub.finding.metadata.product.lang | The two letter lower case language codes. 
| keyword | 
+| aws_securityhub.finding.metadata.product.name | The name of the product. | keyword |
+| aws_securityhub.finding.metadata.product.path | The installation path of the product. | keyword |
+| aws_securityhub.finding.metadata.product.uid | The unique identifier of the product. | keyword |
+| aws_securityhub.finding.metadata.product.url_string | The URL pointing towards the product. | keyword |
+| aws_securityhub.finding.metadata.product.vendor_name | The name of the vendor of the product. | keyword |
+| aws_securityhub.finding.metadata.product.version | The version of the product. | keyword |
+| aws_securityhub.finding.metadata.profiles | The list of profiles used to create the event. | keyword |
+| aws_securityhub.finding.metadata.sequence | Sequence number of the event. | long |
+| aws_securityhub.finding.metadata.tenant_uid | The unique tenant identifier. | keyword |
+| aws_securityhub.finding.metadata.transformation_info_list.lang | The transformation language used to transform the data. | keyword |
+| aws_securityhub.finding.metadata.transformation_info_list.name | The name of the transformation or mapping. | keyword |
+| aws_securityhub.finding.metadata.transformation_info_list.product | The product or instance used to make the transformation. | flattened |
+| aws_securityhub.finding.metadata.transformation_info_list.time | Time of the transformation. | date |
+| aws_securityhub.finding.metadata.transformation_info_list.time_dt | Time of the transformation. | date |
+| aws_securityhub.finding.metadata.transformation_info_list.uid | The unique identifier of the mapping or transformation. | keyword |
+| aws_securityhub.finding.metadata.transformation_info_list.url_string | The Uniform Resource Locator String where the mapping or transformation exists. | keyword |
+| aws_securityhub.finding.metadata.uid | The logging system-assigned unique identifier of an event instance. 
| keyword | +| aws_securityhub.finding.metadata.version | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). | keyword | +| aws_securityhub.finding.observables.name | The full name of the observable attribute. | keyword | +| aws_securityhub.finding.observables.reputation.base_score | The reputation score as reported by the event source. | double | +| aws_securityhub.finding.observables.reputation.provider | The provider of the reputation information. | keyword | +| aws_securityhub.finding.observables.reputation.score | The reputation score, normalized to the caption of the score_id value. | keyword | +| aws_securityhub.finding.observables.reputation.score_id | The normalized reputation score identifier. | keyword | +| aws_securityhub.finding.observables.type | The observable value type name. | keyword | +| aws_securityhub.finding.observables.type_id | The observable value type identifier. | keyword | +| aws_securityhub.finding.observables.value | The value associated with the observable attribute. | keyword | +| aws_securityhub.finding.osint.answers.class | The class of DNS data contained in this resource record. | keyword | +| aws_securityhub.finding.osint.answers.flag_ids | The list of DNS answer header flag IDs. | keyword | +| aws_securityhub.finding.osint.answers.flags | The list of DNS answer header flags. | keyword | +| aws_securityhub.finding.osint.answers.packet_uid | The DNS packet identifier assigned by the program that generated the query. | keyword | +| aws_securityhub.finding.osint.answers.rdata | The data describing the DNS resource. | keyword | +| aws_securityhub.finding.osint.answers.ttl | The time interval that the resource record may be cached. | long | +| aws_securityhub.finding.osint.answers.type | The type of data contained in this resource record. 
| keyword | +| aws_securityhub.finding.osint.attacks.mitigation | The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack. | flattened | +| aws_securityhub.finding.osint.attacks.sub_technique | The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack. | flattened | +| aws_securityhub.finding.osint.attacks.tactic | The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack. | flattened | +| aws_securityhub.finding.osint.attacks.technique | The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack. | flattened | +| aws_securityhub.finding.osint.attacks.version | The ATT&CK® or ATLAS™ Matrix version. | keyword | +| aws_securityhub.finding.osint.autonomous_system.name | Organization name for the Autonomous System. | keyword | +| aws_securityhub.finding.osint.autonomous_system.number | Unique number that the AS is identified by. | long | +| aws_securityhub.finding.osint.campaign.name | The name of a specific campaign associated with a cyber threat. | keyword | +| aws_securityhub.finding.osint.category | Categorizes the threat indicator based on its functional or operational role. | keyword | +| aws_securityhub.finding.osint.comment | Analyst commentary or source commentary about an indicator or OSINT analysis. | keyword | +| aws_securityhub.finding.osint.confidence | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. | keyword | +| aws_securityhub.finding.osint.confidence_id | The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. | keyword | +| aws_securityhub.finding.osint.created_time | The timestamp when the indicator was initially created or identified. 
| date | +| aws_securityhub.finding.osint.created_time_dt | The timestamp when the indicator was initially created or identified. | date | +| aws_securityhub.finding.osint.creator.account | The user's account or the account associated with the user. | flattened | +| aws_securityhub.finding.osint.creator.credential_uid | The unique identifier of the user's credential. | keyword | +| aws_securityhub.finding.osint.creator.display_name | The display name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.osint.creator.domain | The domain where the user is defined. | keyword | +| aws_securityhub.finding.osint.creator.email_addr | The user's primary email address. | keyword | +| aws_securityhub.finding.osint.creator.forward_addr | The user's forwarding email address. | keyword | +| aws_securityhub.finding.osint.creator.full_name | The full name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.osint.creator.groups | The administrative groups to which the user belongs. | nested | +| aws_securityhub.finding.osint.creator.has_mfa | The user has a multi-factor or secondary-factor device assigned. | boolean | +| aws_securityhub.finding.osint.creator.ldap_person | The additional LDAP attributes that describe a person. | flattened | +| aws_securityhub.finding.osint.creator.name | The username. | keyword | +| aws_securityhub.finding.osint.creator.org | Organization and org unit related to the user. | flattened | +| aws_securityhub.finding.osint.creator.phone_number | The telephone number of the user. | keyword | +| aws_securityhub.finding.osint.creator.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.osint.creator.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.osint.creator.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.osint.creator.type | The type of the user. 
| keyword | +| aws_securityhub.finding.osint.creator.type_id | The account type identifier. | keyword | +| aws_securityhub.finding.osint.creator.uid | The unique user identifier. | keyword | +| aws_securityhub.finding.osint.creator.uid_alt | The alternate user identifier. | keyword | +| aws_securityhub.finding.osint.desc | A detailed explanation of the indicator, including its context, purpose, and relevance. | keyword | +| aws_securityhub.finding.osint.detection_pattern | The specific detection pattern or signature associated with the indicator. | keyword | +| aws_securityhub.finding.osint.detection_pattern_type | The detection pattern type, normalized to the caption of the detection_pattern_type_id value. | keyword | +| aws_securityhub.finding.osint.detection_pattern_type_id | Specifies the type of detection pattern used to identify the associated threat indicator. | keyword | +| aws_securityhub.finding.osint.email.cc | The machine-readable email header Cc values. | keyword | +| aws_securityhub.finding.osint.email.cc_mailboxes | The human-readable email header Cc Mailbox values. | keyword | +| aws_securityhub.finding.osint.email.data_classifications | A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. | nested | +| aws_securityhub.finding.osint.email.delivered_to_list | The machine-readable Delivered-To email header values. | keyword | +| aws_securityhub.finding.osint.email.files | The files embedded or attached to the email. | nested | +| aws_securityhub.finding.osint.email.from | The machine-readable email header From values. | keyword | +| aws_securityhub.finding.osint.email.from_mailbox | The human-readable email header From Mailbox value. | keyword | +| aws_securityhub.finding.osint.email.http_headers | Additional HTTP headers of an HTTP request or response. 
| nested | +| aws_securityhub.finding.osint.email.is_read | The indication of whether the email has been read. | boolean | +| aws_securityhub.finding.osint.email.message_uid | The email header Message-ID value. | keyword | +| aws_securityhub.finding.osint.email.raw_header | The email authentication header. | keyword | +| aws_securityhub.finding.osint.email.reply_to_mailboxes | The human-readable email header Reply To Mailbox values. | keyword | +| aws_securityhub.finding.osint.email.size | The size in bytes of the email, including attachments. | long | +| aws_securityhub.finding.osint.email.subject | The email header Subject value. | keyword | +| aws_securityhub.finding.osint.email.to | The machine-readable email header To values. | keyword | +| aws_securityhub.finding.osint.email.to_mailboxes | The human-readable email header To Mailbox values. | keyword | +| aws_securityhub.finding.osint.email.uid | The unique identifier of the email thread. | keyword | +| aws_securityhub.finding.osint.email.urls | The URLs embedded in the email. | nested | +| aws_securityhub.finding.osint.email.x_originating_ip | The X-Originating-IP header identifying the emails originating IP address(es). | ip | +| aws_securityhub.finding.osint.email_auth.dkim | The DomainKeys Identified Mail (DKIM) status of the email. | keyword | +| aws_securityhub.finding.osint.email_auth.dkim_domain | The DomainKeys Identified Mail (DKIM) status of the email. | keyword | +| aws_securityhub.finding.osint.email_auth.dkim_signature | The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. | keyword | +| aws_securityhub.finding.osint.email_auth.dmarc | The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. | keyword | +| aws_securityhub.finding.osint.email_auth.dmarc_override | The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. 
| keyword | +| aws_securityhub.finding.osint.email_auth.dmarc_policy | The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. | keyword | +| aws_securityhub.finding.osint.email_auth.spf | The Sender Policy Framework (SPF) status of the email. | keyword | +| aws_securityhub.finding.osint.expiration_time | The expiration date of the indicator, after which it is no longer considered reliable. | date | +| aws_securityhub.finding.osint.expiration_time_dt | The expiration date of the indicator, after which it is no longer considered reliable. | date | +| aws_securityhub.finding.osint.external_uid | A unique identifier assigned by an external system for cross-referencing. | keyword | +| aws_securityhub.finding.osint.file.accessed_time | The time when the file was last accessed. | date | +| aws_securityhub.finding.osint.file.accessed_time_dt | The time when the file was last accessed. | date | +| aws_securityhub.finding.osint.file.accessor | The name of the user who last accessed the object. | flattened | +| aws_securityhub.finding.osint.file.attributes | The bitmask value that represents the file attributes. | long | +| aws_securityhub.finding.osint.file.company_name | The name of the company that published the file. | keyword | +| aws_securityhub.finding.osint.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. | keyword | +| aws_securityhub.finding.osint.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| aws_securityhub.finding.osint.file.created_time | The time when the file was created. | date | +| aws_securityhub.finding.osint.file.created_time_dt | The time when the file was created. | date | +| aws_securityhub.finding.osint.file.creator | The user that created the file. 
| flattened | +| aws_securityhub.finding.osint.file.data_classifications | A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. | nested | +| aws_securityhub.finding.osint.file.desc | The description of the file, as returned by file system. | keyword | +| aws_securityhub.finding.osint.file.drive_type | The drive type, normalized to the caption of the drive_type_id value. | keyword | +| aws_securityhub.finding.osint.file.drive_type_id | Identifies the type of a disk drive. | keyword | +| aws_securityhub.finding.osint.file.encryption_details | The encryption details of the file. | flattened | +| aws_securityhub.finding.osint.file.ext | The extension of the file, excluding the leading dot. | keyword | +| aws_securityhub.finding.osint.file.hashes | An array of hash attributes. | nested | +| aws_securityhub.finding.osint.file.internal_name | The name of the file as identified within the file itself. | keyword | +| aws_securityhub.finding.osint.file.is_deleted | Indicates if the file was deleted from the filesystem. | boolean | +| aws_securityhub.finding.osint.file.is_encrypted | Indicates if the file is encrypted. | boolean | +| aws_securityhub.finding.osint.file.is_system | The indication of whether the object is part of the operating system. | boolean | +| aws_securityhub.finding.osint.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword | +| aws_securityhub.finding.osint.file.modified_time | The time when the file was last modified. | date | +| aws_securityhub.finding.osint.file.modified_time_dt | The time when the file was last modified. | date | +| aws_securityhub.finding.osint.file.modifier | The user that last modified the file. | flattened | +| aws_securityhub.finding.osint.file.name | The name of the file. | keyword | +| aws_securityhub.finding.osint.file.owner | The user that owns the file/object. 
| flattened | +| aws_securityhub.finding.osint.file.parent_folder | The parent folder in which the file resides. | keyword | +| aws_securityhub.finding.osint.file.path | The full path to the file. | keyword | +| aws_securityhub.finding.osint.file.product | The product that created or installed the file. | flattened | +| aws_securityhub.finding.osint.file.security_descriptor | The object security descriptor. | keyword | +| aws_securityhub.finding.osint.file.signature | The digital signature of the file. | flattened | +| aws_securityhub.finding.osint.file.size | The size of data, in bytes. | long | +| aws_securityhub.finding.osint.file.type | The file type. | keyword | +| aws_securityhub.finding.osint.file.type_id | The file type ID. | keyword | +| aws_securityhub.finding.osint.file.uid | The unique identifier of the file as defined by the storage system. | keyword | +| aws_securityhub.finding.osint.file.uri | The file URI. | keyword | +| aws_securityhub.finding.osint.file.url | The URL of the file. | flattened | +| aws_securityhub.finding.osint.file.version | The file version. | keyword | +| aws_securityhub.finding.osint.file.volume | The volume on the storage device where the file is located. | keyword | +| aws_securityhub.finding.osint.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | +| aws_securityhub.finding.osint.intrusion_sets | A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. | keyword | +| aws_securityhub.finding.osint.kill_chain.phase | The cyber kill chain phase. | keyword | +| aws_securityhub.finding.osint.kill_chain.phase_id | The cyber kill chain phase identifier. | keyword | +| aws_securityhub.finding.osint.labels | Tags or keywords associated with the indicator to enhance searchability. 
| keyword | +| aws_securityhub.finding.osint.location.aerial_height | Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. | keyword | +| aws_securityhub.finding.osint.location.city | The name of the city. | keyword | +| aws_securityhub.finding.osint.location.continent | The name of the continent. | keyword | +| aws_securityhub.finding.osint.location.country | The ISO 3166-1 Alpha-2 country code. | keyword | +| aws_securityhub.finding.osint.location.desc | The description of the geographical location. | keyword | +| aws_securityhub.finding.osint.location.geodetic_altitude | The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. | keyword | +| aws_securityhub.finding.osint.location.geodetic_vertical_accuracy | Provides quality/containment on geodetic altitude. | keyword | +| aws_securityhub.finding.osint.location.geohash | Geohash of the geo-coordinates (latitude and longitude). | keyword | +| aws_securityhub.finding.osint.location.horizontal_accuracy | Provides quality/containment on horizontal position. | keyword | +| aws_securityhub.finding.osint.location.is_on_premises | The indication of whether the location is on premises. | boolean | +| aws_securityhub.finding.osint.location.lat | The geographical Latitude coordinate represented in Decimal Degrees (DD). | double | +| aws_securityhub.finding.osint.location.long | The geographical Longitude coordinate represented in Decimal Degrees (DD). | double | +| aws_securityhub.finding.osint.location.postal_code | The postal code of the location. | keyword | +| aws_securityhub.finding.osint.location.pressure_altitude | The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. 
| keyword | +| aws_securityhub.finding.osint.location.provider | The provider of the geographical location data. | keyword | +| aws_securityhub.finding.osint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. | keyword | +| aws_securityhub.finding.osint.malware.classification_ids | The list of normalized identifiers of the malware classifications. | keyword | +| aws_securityhub.finding.osint.malware.classifications | The list of malware classifications, normalized to the captions of the classification_ids values. | keyword | +| aws_securityhub.finding.osint.malware.cves | The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware. | nested | +| aws_securityhub.finding.osint.malware.files | The list of file objects representing files that were identified as infected by the malware. | nested | +| aws_securityhub.finding.osint.malware.name | The malware name, as reported by the detection engine. | keyword | +| aws_securityhub.finding.osint.malware.num_infected | The number of files that were identified to be infected by the malware. | long | +| aws_securityhub.finding.osint.malware.provider | The name or identifier of the security solution or service that provided the malware detection information. | keyword | +| aws_securityhub.finding.osint.malware.severity | The severity of the malware, normalized to the captions of the severity_id values. | keyword | +| aws_securityhub.finding.osint.malware.severity_id | The normalized identifier of the malware severity. | keyword | +| aws_securityhub.finding.osint.malware.uid | A unique identifier for the specific malware instance, as assigned by the detection engine. | keyword | +| aws_securityhub.finding.osint.modified_time | The timestamp of the last modification or update to the indicator. | date | +| aws_securityhub.finding.osint.modified_time_dt | The timestamp of the last modification or update to the indicator. 
| date | +| aws_securityhub.finding.osint.name | The name is a pointer/reference to an attribute within the OCSF event data. | keyword | +| aws_securityhub.finding.osint.references | Provides a reference to an external source of information related to the CTI being represented. | keyword | +| aws_securityhub.finding.osint.related_analytics.algorithm | The algorithm used by the underlying analytic to generate the finding. | keyword | +| aws_securityhub.finding.osint.related_analytics.category | The analytic category. | keyword | +| aws_securityhub.finding.osint.related_analytics.desc | The description of the analytic that generated the finding. | keyword | +| aws_securityhub.finding.osint.related_analytics.name | The name of the analytic that generated the finding. | keyword | +| aws_securityhub.finding.osint.related_analytics.type | The analytic type. | keyword | +| aws_securityhub.finding.osint.related_analytics.type_id | The analytic type ID. | keyword | +| aws_securityhub.finding.osint.related_analytics.uid | The unique identifier of the analytic that generated the finding. | keyword | +| aws_securityhub.finding.osint.related_analytics.version | The analytic version. | keyword | +| aws_securityhub.finding.osint.reputation.base_score | The reputation score as reported by the event source. | double | +| aws_securityhub.finding.osint.reputation.provider | The provider of the reputation information. | keyword | +| aws_securityhub.finding.osint.reputation.score | The reputation score, normalized to the caption of the score_id value. | keyword | +| aws_securityhub.finding.osint.reputation.score_id | The normalized reputation score identifier. | keyword | +| aws_securityhub.finding.osint.risk_score | A numerical representation of the threat indicator’s risk level. | long | +| aws_securityhub.finding.osint.script.file | Present if this script is associated with a file. 
| flattened | +| aws_securityhub.finding.osint.script.hashes | An array of the script's cryptographic hashes. | nested | +| aws_securityhub.finding.osint.script.name | Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis. | keyword | +| aws_securityhub.finding.osint.script.parent_uid | This attribute relates a sub-script to a parent script having the matching uid attribute. | keyword | +| aws_securityhub.finding.osint.script.script_content | The script content, normalized to UTF-8 encoding irrespective of its original encoding. | flattened | +| aws_securityhub.finding.osint.script.type | The script type, normalized to the caption of the type_id value. | keyword | +| aws_securityhub.finding.osint.script.type_id | The normalized script type ID. | keyword | +| aws_securityhub.finding.osint.script.uid | Some script engines assign a unique ID to each individual execution of a given script. | keyword | +| aws_securityhub.finding.osint.severity | Represents the severity level of the threat indicator, typically reflecting its potential impact or damage. | keyword | +| aws_securityhub.finding.osint.severity_id | The normalized severity level of the threat indicator, typically reflecting its potential impact or damage. | keyword | +| aws_securityhub.finding.osint.signatures.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. | keyword | +| aws_securityhub.finding.osint.signatures.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword | +| aws_securityhub.finding.osint.signatures.certificate | The certificate object containing information about the digital certificate. | flattened | +| aws_securityhub.finding.osint.signatures.created_time | The time when the digital signature was created. 
| date | +| aws_securityhub.finding.osint.signatures.created_time_dt | The time when the digital signature was created. | date | +| aws_securityhub.finding.osint.signatures.developer_uid | The developer ID on the certificate that signed the file. | keyword | +| aws_securityhub.finding.osint.signatures.digest | The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information. | flattened | +| aws_securityhub.finding.osint.signatures.state | The digital signature state defines the signature state, normalized to the caption of 'state_id'. | keyword | +| aws_securityhub.finding.osint.signatures.state_id | The normalized identifier of the signature state. | keyword | +| aws_securityhub.finding.osint.src_url | The source URL of an indicator or OSINT analysis. | keyword | +| aws_securityhub.finding.osint.subdomains | Any pertinent subdomain information. | keyword | +| aws_securityhub.finding.osint.subnet | A CIDR or network block related to an indicator or OSINT analysis. | keyword | +| aws_securityhub.finding.osint.threat_actor.name | The name of the threat actor. | keyword | +| aws_securityhub.finding.osint.threat_actor.type | The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats. | keyword | +| aws_securityhub.finding.osint.threat_actor.type_id | The normalized datastore resource type identifier. | keyword | +| aws_securityhub.finding.osint.tlp | The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. | keyword | +| aws_securityhub.finding.osint.type | The OSINT indicator type. | keyword | +| aws_securityhub.finding.osint.type_id | The OSINT indicator type ID. | keyword | +| aws_securityhub.finding.osint.uid | The unique identifier for the OSINT object. 
| keyword | +| aws_securityhub.finding.osint.uploaded_time | The timestamp indicating when the associated indicator or intelligence was added to the system or repository. | date | +| aws_securityhub.finding.osint.uploaded_time_dt | The timestamp indicating when the associated indicator or intelligence was added to the system or repository. | date | +| aws_securityhub.finding.osint.value | The actual indicator value in scope. | keyword | +| aws_securityhub.finding.osint.vendor_name | The vendor name of a tool which generates intelligence or provides indicators. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.advisory | Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor. | flattened | +| aws_securityhub.finding.osint.vulnerabilities.affected_code | List of Affected Code objects that describe details about code blocks identified as vulnerable. | nested | +| aws_securityhub.finding.osint.vulnerabilities.affected_packages | List of software packages identified as affected by a vulnerability/vulnerabilities. | nested | +| aws_securityhub.finding.osint.vulnerabilities.category | The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.cve | Describes the Common Vulnerabilities and Exposures (CVE) details related to the vulnerability. | flattened | +| aws_securityhub.finding.osint.vulnerabilities.cwe | Describes the Common Weakness Enumeration (CWE) details related to the vulnerability. | flattened | +| aws_securityhub.finding.osint.vulnerabilities.dependency_chain | Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.desc | The description of the vulnerability. 
| keyword | +| aws_securityhub.finding.osint.vulnerabilities.exploit_last_seen_time | The time when the exploit was most recently observed. | date | +| aws_securityhub.finding.osint.vulnerabilities.exploit_last_seen_time_dt | The time when the exploit was most recently observed. | date | +| aws_securityhub.finding.osint.vulnerabilities.exploit_ref_url | The URL of the exploit code or Proof-of-Concept (PoC). | keyword | +| aws_securityhub.finding.osint.vulnerabilities.exploit_requirement | The requirement description related to any constraints around exploit execution. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.exploit_type | The categorization or type of Exploit. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.first_seen_time | The time when the vulnerability was first observed. | date | +| aws_securityhub.finding.osint.vulnerabilities.first_seen_time_dt | The time when the vulnerability was first observed. | date | +| aws_securityhub.finding.osint.vulnerabilities.fix_coverage | The fix coverage, normalized to the caption of the fix_coverage_id value. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.fix_coverage_id | The normalized identifier for fix coverage, applicable to this vulnerability. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.is_exploit_available | Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability. | boolean | +| aws_securityhub.finding.osint.vulnerabilities.is_fix_available | Indicates if a fix is available for the reported vulnerability. | boolean | +| aws_securityhub.finding.osint.vulnerabilities.last_seen_time | The time when the vulnerability was most recently observed. | date | +| aws_securityhub.finding.osint.vulnerabilities.last_seen_time_dt | The time when the vulnerability was most recently observed. 
| date | +| aws_securityhub.finding.osint.vulnerabilities.references | A list of reference URLs with additional information about the vulnerability. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.related_vulnerabilities | List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.remediation | The remediation recommendations on how to mitigate the identified vulnerability. | flattened | +| aws_securityhub.finding.osint.vulnerabilities.severity | The vendor assigned severity of the vulnerability. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.title | A title or a brief phrase summarizing the discovered vulnerability. | keyword | +| aws_securityhub.finding.osint.vulnerabilities.vendor_name | The name of the vendor that identified the vulnerability. | keyword | +| aws_securityhub.finding.osint.whois.autonomous_system | The autonomous system information associated with a domain. | flattened | +| aws_securityhub.finding.osint.whois.created_time | When the domain was registered or WHOIS entry was created. | date | +| aws_securityhub.finding.osint.whois.created_time_dt | When the domain was registered or WHOIS entry was created. | date | +| aws_securityhub.finding.osint.whois.dnssec_status | The normalized value of dnssec_status_id. | keyword | +| aws_securityhub.finding.osint.whois.dnssec_status_id | Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain. | keyword | +| aws_securityhub.finding.osint.whois.domain | The domain name corresponding to the WHOIS record. | keyword | +| aws_securityhub.finding.osint.whois.domain_contacts | An array of Domain Contact objects. | nested | +| aws_securityhub.finding.osint.whois.email_addr | The email address for the registrar's abuse contact. | keyword | +| aws_securityhub.finding.osint.whois.isp | The name of the Internet Service Provider (ISP). 
| keyword | +| aws_securityhub.finding.osint.whois.isp_org | The organization name of the Internet Service Provider (ISP). | keyword | +| aws_securityhub.finding.osint.whois.last_seen_time | When the WHOIS record was last updated or seen at. | date | +| aws_securityhub.finding.osint.whois.last_seen_time_dt | When the WHOIS record was last updated or seen at. | date | +| aws_securityhub.finding.osint.whois.name_servers | A collection of name servers related to a domain registration or other record. | keyword | +| aws_securityhub.finding.osint.whois.phone_number | The phone number for the registrar's abuse contact. | keyword | +| aws_securityhub.finding.osint.whois.registrar | The domain registrar. | keyword | +| aws_securityhub.finding.osint.whois.status | The status of a domain and its ability to be transferred. | keyword | +| aws_securityhub.finding.osint.whois.subdomains | An array of subdomain strings. | keyword | +| aws_securityhub.finding.osint.whois.subnet | The IP address block (CIDR) associated with a domain. | keyword | +| aws_securityhub.finding.policy.data | Additional data about the policy such as the underlying JSON policy itself or other details. | flattened | +| aws_securityhub.finding.policy.desc | The description of the policy. | keyword | +| aws_securityhub.finding.policy.group.desc | The group description. | keyword | +| aws_securityhub.finding.policy.group.domain | The domain where the group is defined. | keyword | +| aws_securityhub.finding.policy.group.name | The group name. | keyword | +| aws_securityhub.finding.policy.group.privileges | The group privileges. | keyword | +| aws_securityhub.finding.policy.group.type | The type of the group or account. | keyword | +| aws_securityhub.finding.policy.group.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.policy.is_applied | A determination if the content of a policy was applied to a target or request, or not. 
| boolean | +| aws_securityhub.finding.policy.name | The policy name. | keyword | +| aws_securityhub.finding.policy.uid | A unique identifier of the policy instance. | keyword | +| aws_securityhub.finding.policy.version | The policy version number. | keyword | +| aws_securityhub.finding.priority | The priority, normalized to the caption of the priority_id value. | keyword | +| aws_securityhub.finding.priority_id | The normalized priority. | keyword | +| aws_securityhub.finding.raw_data | The raw event/finding data as received from the source. | keyword | +| aws_securityhub.finding.raw_data_size | The size of the raw data which was transformed into an OCSF event. | long | +| aws_securityhub.finding.remediation.cis_controls.desc | The CIS Control description. | keyword | +| aws_securityhub.finding.remediation.cis_controls.name | The CIS Control name. | keyword | +| aws_securityhub.finding.remediation.cis_controls.version | The CIS Control version. | keyword | +| aws_securityhub.finding.remediation.desc | The description of the remediation strategy. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.avg_timespan | The average time to patch. | flattened | +| aws_securityhub.finding.remediation.kb_article_list.bulletin | The kb article bulletin identifier. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.classification | The vendors classification of the kb article. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.created_time | The date the kb article was released by the vendor. | date | +| aws_securityhub.finding.remediation.kb_article_list.created_time_dt | The date the kb article was released by the vendor. | date | +| aws_securityhub.finding.remediation.kb_article_list.install_state | The install state of the kb article. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.install_state_id | The normalized install state ID of the kb article. 
| keyword | +| aws_securityhub.finding.remediation.kb_article_list.is_superseded | The kb article has been replaced by another. | boolean | +| aws_securityhub.finding.remediation.kb_article_list.os | The operating system the kb article applies. | flattened | +| aws_securityhub.finding.remediation.kb_article_list.product | The product details the kb article applies. | flattened | +| aws_securityhub.finding.remediation.kb_article_list.severity | The severity of the kb article. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.size | The size in bytes for the kb article. | long | +| aws_securityhub.finding.remediation.kb_article_list.src_url | The kb article link from the source vendor. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.title | The title of the kb article. | keyword | +| aws_securityhub.finding.remediation.kb_article_list.uid | The unique identifier for the kb article. | keyword | +| aws_securityhub.finding.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | +| aws_securityhub.finding.resources.agent_list.name | The name of the agent or sensor. | keyword | +| aws_securityhub.finding.resources.agent_list.policies | Describes the various policies that may be applied or enforced by an agent or sensor. | nested | +| aws_securityhub.finding.resources.agent_list.type | The normalized caption of the type_id value for the agent or sensor. | keyword | +| aws_securityhub.finding.resources.agent_list.type_id | The normalized representation of an agent or sensor. | keyword | +| aws_securityhub.finding.resources.agent_list.uid | The UID of the agent or sensor, sometimes known as a Sensor ID or aid. | keyword | +| aws_securityhub.finding.resources.agent_list.uid_alt | An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID. 
| keyword | +| aws_securityhub.finding.resources.agent_list.vendor_name | The company or author who created the agent or sensor. | keyword | +| aws_securityhub.finding.resources.agent_list.version | The semantic version of the agent or sensor. | keyword | +| aws_securityhub.finding.resources.cloud_partition | The canonical cloud partition name to which the region is assigned. | keyword | +| aws_securityhub.finding.resources.created_time | The time when the resource was created. | date | +| aws_securityhub.finding.resources.created_time_dt | The time when the resource was created. | date | +| aws_securityhub.finding.resources.criticality | The criticality of the resource as defined by the event source. | keyword | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.iamInstanceProfileArn | | keyword | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.imageId | | keyword | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.ipV4Addresses | | ip | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.launchedAt | | date | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.platform | | keyword | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.subnetId | | keyword | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.type | | keyword | +| aws_securityhub.finding.resources.data.awsEc2InstanceDetails.vpcId | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.architectures | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.codeSha256 | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.executionRoleArn | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.functionName | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.lastModifiedAt | | date | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.layers | | keyword | +| 
aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.packageType | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.runtime | | keyword | +| aws_securityhub.finding.resources.data.awsLambdaFunctionDetails.version | | keyword | +| aws_securityhub.finding.resources.data_classifications.category | The name of the data classification category that data matched into. | keyword | +| aws_securityhub.finding.resources.data_classifications.category_id | The normalized identifier of the data classification category. | keyword | +| aws_securityhub.finding.resources.data_classifications.classifier_details | Describes details about the classifier used for data classification. | flattened | +| aws_securityhub.finding.resources.data_classifications.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. | keyword | +| aws_securityhub.finding.resources.data_classifications.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| aws_securityhub.finding.resources.data_classifications.discovery_details | Details about the data discovered by classification job. | nested | +| aws_securityhub.finding.resources.data_classifications.policy | Details about the data policy that governs data handling and security measures related to classification. | flattened | +| aws_securityhub.finding.resources.data_classifications.size | Size of the data classified. | long | +| aws_securityhub.finding.resources.data_classifications.src_url | The source URL pointing towards the full classifcation job details. | keyword | +| aws_securityhub.finding.resources.data_classifications.status | The resultant status of the classification job normalized to the caption of the status_id value. | keyword | +| aws_securityhub.finding.resources.data_classifications.status_details | The contextual description of the status, status_id value. 
| keyword | +| aws_securityhub.finding.resources.data_classifications.status_id | The normalized status identifier of the classification job. | keyword | +| aws_securityhub.finding.resources.data_classifications.total | The total count of discovered entities, by the classification job. | long | +| aws_securityhub.finding.resources.data_classifications.uid | The unique identifier of the classification job. | keyword | +| aws_securityhub.finding.resources.group.desc | The group description. | keyword | +| aws_securityhub.finding.resources.group.domain | The domain where the group is defined. | keyword | +| aws_securityhub.finding.resources.group.name | The group name. | keyword | +| aws_securityhub.finding.resources.group.privileges | The group privileges. | keyword | +| aws_securityhub.finding.resources.group.type | The type of the group or account. | keyword | +| aws_securityhub.finding.resources.group.uid | The unique identifier of the group. | keyword | +| aws_securityhub.finding.resources.hostname | The fully qualified name of the resource. | keyword | +| aws_securityhub.finding.resources.ip | The IP address of the resource, in either IPv4 or IPv6 format. | ip | +| aws_securityhub.finding.resources.is_backed_up | Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. | boolean | +| aws_securityhub.finding.resources.labels | The list of labels associated to the resource. | keyword | +| aws_securityhub.finding.resources.modified_time | The time when the resource was last modified. | date | +| aws_securityhub.finding.resources.modified_time_dt | The time when the resource was last modified. | date | +| aws_securityhub.finding.resources.name | The name of the resource. | keyword | +| aws_securityhub.finding.resources.namespace | The namespace is useful when similar entities exist that you need to keep separate. 
| keyword | +| aws_securityhub.finding.resources.owner.account | The user's account or the account associated with the user. | flattened | +| aws_securityhub.finding.resources.owner.credential_uid | The unique identifier of the user's credential. | keyword | +| aws_securityhub.finding.resources.owner.display_name | The display name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.resources.owner.domain | The domain where the user is defined. | keyword | +| aws_securityhub.finding.resources.owner.email_addr | The user's primary email address. | keyword | +| aws_securityhub.finding.resources.owner.forward_addr | The user's forwarding email address. | keyword | +| aws_securityhub.finding.resources.owner.full_name | The full name of the user, as reported by the product. | keyword | +| aws_securityhub.finding.resources.owner.groups | The administrative groups to which the user belongs. | nested | +| aws_securityhub.finding.resources.owner.has_mfa | The user has a multi-factor or secondary-factor device assigned. | boolean | +| aws_securityhub.finding.resources.owner.ldap_person | The additional LDAP attributes that describe a person. | flattened | +| aws_securityhub.finding.resources.owner.name | The username. | keyword | +| aws_securityhub.finding.resources.owner.org | Organization and org unit related to the user. | flattened | +| aws_securityhub.finding.resources.owner.phone_number | The telephone number of the user. | keyword | +| aws_securityhub.finding.resources.owner.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.resources.owner.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.resources.owner.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.resources.owner.type | The type of the user. | keyword | +| aws_securityhub.finding.resources.owner.type_id | The account type identifier. 
| keyword | +| aws_securityhub.finding.resources.owner.uid | The unique user identifier. | keyword | +| aws_securityhub.finding.resources.owner.uid_alt | The alternate user identifier. | keyword | +| aws_securityhub.finding.resources.region | The cloud region of the resource. | keyword | +| aws_securityhub.finding.resources.resource_relationship.desc | The graph description - provides additional details about the graph's purpose and contents. | keyword | +| aws_securityhub.finding.resources.resource_relationship.edges | The edges/connections between nodes in the graph - contains the collection of edge objects defining relationships between nodes. | nested | +| aws_securityhub.finding.resources.resource_relationship.is_directed | Indicates if the graph is directed (true) or undirected (false). | boolean | +| aws_securityhub.finding.resources.resource_relationship.name | The graph name - a human readable identifier for the graph. | keyword | +| aws_securityhub.finding.resources.resource_relationship.nodes | The nodes/vertices of the graph - contains the collection of node objects that make up the graph. | flattened | +| aws_securityhub.finding.resources.resource_relationship.query_language | The graph query language, normalized to the caption of the query_language_id value. | keyword | +| aws_securityhub.finding.resources.resource_relationship.query_language_id | The normalized identifier of a graph query language that can be used to interact with the graph. | keyword | +| aws_securityhub.finding.resources.resource_relationship.type | The graph type. Typically useful to represent the specifc type of graph that is used. | keyword | +| aws_securityhub.finding.resources.resource_relationship.uid | Unique identifier of the graph - a unique ID to reference this specific graph. | keyword | +| aws_securityhub.finding.resources.tags.\* | The list of tags. | object | +| aws_securityhub.finding.resources.type | The resource type as defined by the event source. 
| keyword | +| aws_securityhub.finding.resources.uid | The unique identifier of the resource. | keyword | +| aws_securityhub.finding.resources.uid_alt | The alternative unique identifier of the resource. | keyword | +| aws_securityhub.finding.resources.version | The version of the resource. | keyword | +| aws_securityhub.finding.resources.zone | The specific availability zone within a cloud region where the resource is located. | keyword | +| aws_securityhub.finding.risk_details | Describes the risk associated with the finding. | keyword | +| aws_securityhub.finding.risk_level | The risk level, normalized to the caption of the risk_level_id value. | keyword | +| aws_securityhub.finding.risk_level_id | The normalized risk level id. | keyword | +| aws_securityhub.finding.risk_score | The risk score as reported by the event source. | long | +| aws_securityhub.finding.severity | The event/finding severity, normalized to the caption of the severity_id value. | keyword | +| aws_securityhub.finding.severity_id | The normalized identifier of the event/finding severity. | keyword | +| aws_securityhub.finding.src_url | A Url link used to access the original incident. | keyword | +| aws_securityhub.finding.start_time | The time of the least recent event included in the finding. | date | +| aws_securityhub.finding.start_time_dt | The time of the least recent event included in the finding. | date | +| aws_securityhub.finding.status | The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. | keyword | +| aws_securityhub.finding.status_code | The event status code, as reported by the event source. | keyword | +| aws_securityhub.finding.status_detail | The status detail contains additional information about the event/finding outcome. | keyword | +| aws_securityhub.finding.status_id | The normalized status identifier of the Finding. | keyword | +| aws_securityhub.finding.tickets.src_url | The url of a ticket in the ticket system. 
| keyword | +| aws_securityhub.finding.tickets.status | The status of the ticket normalized to the caption of the status_id value. In the case of 99, this value should as defined by the source. | keyword | +| aws_securityhub.finding.tickets.status_details | A list of contextual descriptions of the status, status_id values. | keyword | +| aws_securityhub.finding.tickets.status_id | The normalized identifier for the ticket status. | keyword | +| aws_securityhub.finding.tickets.title | The title of the ticket. | keyword | +| aws_securityhub.finding.tickets.type | The linked ticket type determines whether the ticket is internal or in an external ticketing system. | keyword | +| aws_securityhub.finding.tickets.type_id | The normalized identifier for the ticket type. | keyword | +| aws_securityhub.finding.tickets.uid | Unique identifier of the ticket. | keyword | +| aws_securityhub.finding.time | The normalized event occurrence time or the finding creation time. | date | +| aws_securityhub.finding.time_dt | The normalized event occurrence time or the finding creation time. | date | +| aws_securityhub.finding.timezone_offset | The number of minutes that the reported event time is ahead or behind UTC. | long | +| aws_securityhub.finding.type_name | The event/finding type name, as defined by the type_uid. | keyword | +| aws_securityhub.finding.type_uid | The event/finding type ID. | keyword | +| aws_securityhub.finding.unmapped | The attributes that are not mapped to the event schema. | flattened | +| aws_securityhub.finding.vendor_attributes.severity | The finding severity, as reported by the Vendor. | keyword | +| aws_securityhub.finding.vendor_attributes.severity_id | The finding severity ID, as reported by the Vendor. | keyword | +| aws_securityhub.finding.verdict | The verdict assigned to an Incident finding. | keyword | +| aws_securityhub.finding.verdict_id | The normalized verdict of an Incident. 
| keyword | +| aws_securityhub.finding.vulnerabilities.advisory.avg_timespan | The average time to patch. | flattened | +| aws_securityhub.finding.vulnerabilities.advisory.bulletin | The Advisory bulletin identifier. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.classification | The vendors classification of the Advisory. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.created_time | The time when the Advisory record was created. | date | +| aws_securityhub.finding.vulnerabilities.advisory.created_time_dt | The time when the Advisory record was created. | date | +| aws_securityhub.finding.vulnerabilities.advisory.desc | A brief description of the Advisory Record. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.install_state | The install state of the Advisory. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.install_state_id | The normalized install state ID of the Advisory. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.is_superseded | The Advisory has been replaced by another. | boolean | +| aws_securityhub.finding.vulnerabilities.advisory.modified_time | The time when the Advisory record was last updated. | date | +| aws_securityhub.finding.vulnerabilities.advisory.modified_time_dt | The time when the Advisory record was last updated. | date | +| aws_securityhub.finding.vulnerabilities.advisory.os | The operating system the Advisory applies to. | flattened | +| aws_securityhub.finding.vulnerabilities.advisory.product | The product where the vulnerability was discovered. | flattened | +| aws_securityhub.finding.vulnerabilities.advisory.references | A list of reference URLs with additional information about the vulnerabilities disclosed in the Advisory. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.related_cves | A list of Common Vulnerabilities and Exposures (CVE) identifiers related to the vulnerabilities disclosed in the Advisory. 
| nested | +| aws_securityhub.finding.vulnerabilities.advisory.related_cwes | A list of Common Weakness Enumeration (CWE) identifiers related to the vulnerabilities disclosed in the Advisory. | nested | +| aws_securityhub.finding.vulnerabilities.advisory.size | The size in bytes for the Advisory. Usually populated for a KB Article patch. | long | +| aws_securityhub.finding.vulnerabilities.advisory.src_url | The Advisory link from the source vendor. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.title | A title or a brief phrase summarizing the Advisory. | keyword | +| aws_securityhub.finding.vulnerabilities.advisory.uid | The unique identifier assigned to the advisory or disclosed vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_code.end_column | The column number of the last part of the assessed code identified as vulnerable. | long | +| aws_securityhub.finding.vulnerabilities.affected_code.end_line | The line number of the last line of code block identified as vulnerable. | long | +| aws_securityhub.finding.vulnerabilities.affected_code.file | Details about the file that contains the affected code block. | flattened | +| aws_securityhub.finding.vulnerabilities.affected_code.owner | Details about the user that owns the affected file. | flattened | +| aws_securityhub.finding.vulnerabilities.affected_code.remediation | Describes the recommended remediation steps to address identified issue(s). | flattened | +| aws_securityhub.finding.vulnerabilities.affected_code.rule | Details about the specific rule. | flattened | +| aws_securityhub.finding.vulnerabilities.affected_code.start_column | The column number of the first part of the assessed code identified as vulnerable. | long | +| aws_securityhub.finding.vulnerabilities.affected_code.start_line | The line number of the first line of code block identified as vulnerable. 
| long | +| aws_securityhub.finding.vulnerabilities.affected_packages.architecture | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST). | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.epoch | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. | long | +| aws_securityhub.finding.vulnerabilities.affected_packages.fixed_in_version | The software package version in which a reported vulnerability was patched/fixed. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.hash | Cryptographic hash to identify the binary instance of a software component. | flattened | +| aws_securityhub.finding.vulnerabilities.affected_packages.license | The software license applied to this package. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.license_url | The URL pointing to the license applied on package or software. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.name | The software package name. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.package_manager | The software packager manager utilized to manage a package on a system. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.package_manager_url | The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.path | The installation path of the affected package. 
| keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.purl | A purl is a URL keyword used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.release | Release is the number of times a version of the software has been packaged. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.remediation | Describes the recommended remediation steps to address identified issue(s). | flattened | +| aws_securityhub.finding.vulnerabilities.affected_packages.src_url | The link to the specific library or package such as within GitHub, this is different from the link to the package manager where the library or package is hosted. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.type | The type of software package, normalized to the caption of the type_id value. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.type_id | The type of software package. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.uid | A unique identifier for the package or library reported by the source tool. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.vendor_name | The name of the vendor who published the software package. | keyword | +| aws_securityhub.finding.vulnerabilities.affected_packages.version | The software package version. | keyword | +| aws_securityhub.finding.vulnerabilities.category | The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. 
| date | +| aws_securityhub.finding.vulnerabilities.cve.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. | date | +| aws_securityhub.finding.vulnerabilities.cve.cvss.base_score | The CVSS base score. | double | +| aws_securityhub.finding.vulnerabilities.cve.cvss.depth | The CVSS depth represents a depth of the equation used to calculate CVSS score. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.metrics.name | The Common Vulnerability Scoring System metrics. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.metrics.value | The Common Vulnerability Scoring System metrics. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.overall_score | The CVSS overall score, impacted by base, temporal, and environmental metrics. | double | +| aws_securityhub.finding.vulnerabilities.cve.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.src_url | The source URL for the CVSS score. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.vendor_name | The vendor that provided the CVSS score. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.cvss.version | The CVSS version. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.desc | A brief description of the CVE Record. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.epss.created_time | The timestamp indicating when the EPSS score was calculated. | date | +| aws_securityhub.finding.vulnerabilities.cve.epss.created_time_dt | The timestamp indicating when the EPSS score was calculated. 
| date | +| aws_securityhub.finding.vulnerabilities.cve.epss.percentile | The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset. | double | +| aws_securityhub.finding.vulnerabilities.cve.epss.score | The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication). | keyword | +| aws_securityhub.finding.vulnerabilities.cve.epss.version | The version of the EPSS model used to calculate the score. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date | +| aws_securityhub.finding.vulnerabilities.cve.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date | +| aws_securityhub.finding.vulnerabilities.cve.product | The product where the vulnerability was discovered. | flattened | +| aws_securityhub.finding.vulnerabilities.cve.references | A list of reference URLs with additional information about the CVE Record. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.related_cwes | Describes the Common Weakness Enumeration (CWE) details related to the CVE Record. | nested | +| aws_securityhub.finding.vulnerabilities.cve.title | A title or a brief phrase summarizing the CVE record. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword | +| aws_securityhub.finding.vulnerabilities.cve.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.cwe.caption | The caption assigned to the Common Weakness Enumeration unique identifier. | keyword | +| aws_securityhub.finding.vulnerabilities.cwe.src_url | URL pointing to the CWE Specification. For more information see CWE. 
| keyword | +| aws_securityhub.finding.vulnerabilities.cwe.uid | The Common Weakness Enumeration unique number assigned to a specific weakness. | keyword | +| aws_securityhub.finding.vulnerabilities.dependency_chain | Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. | keyword | +| aws_securityhub.finding.vulnerabilities.desc | The description of the vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.exploit_last_seen_time | The time when the exploit was most recently observed. | date | +| aws_securityhub.finding.vulnerabilities.exploit_last_seen_time_dt | The time when the exploit was most recently observed. | date | +| aws_securityhub.finding.vulnerabilities.exploit_ref_url | The URL of the exploit code or Proof-of-Concept (PoC). | keyword | +| aws_securityhub.finding.vulnerabilities.exploit_requirement | The requirement description related to any constraints around exploit execution. | keyword | +| aws_securityhub.finding.vulnerabilities.exploit_type | The categorization or type of Exploit. | keyword | +| aws_securityhub.finding.vulnerabilities.first_seen_time | The time when the vulnerability was first observed. | date | +| aws_securityhub.finding.vulnerabilities.first_seen_time_dt | The time when the vulnerability was first observed. | date | +| aws_securityhub.finding.vulnerabilities.fix_coverage | The fix coverage, normalized to the caption of the fix_coverage_id value. | keyword | +| aws_securityhub.finding.vulnerabilities.fix_coverage_id | The normalized identifier for fix coverage, applicable to this vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.is_exploit_available | Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability. | boolean | +| aws_securityhub.finding.vulnerabilities.is_fix_available | Indicates if a fix is available for the reported vulnerability. 
| boolean | +| aws_securityhub.finding.vulnerabilities.last_seen_time | The time when the vulnerability was most recently observed. | date | +| aws_securityhub.finding.vulnerabilities.last_seen_time_dt | The time when the vulnerability was most recently observed. | date | +| aws_securityhub.finding.vulnerabilities.references | A list of reference URLs with additional information about the vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.related_vulnerabilities | List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.remediation.cis_controls | An array of Center for Internet Security (CIS) Controls that can be optionally mapped to provide additional remediation details. | nested | +| aws_securityhub.finding.vulnerabilities.remediation.desc | The description of the remediation strategy. | keyword | +| aws_securityhub.finding.vulnerabilities.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update. | nested | +| aws_securityhub.finding.vulnerabilities.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | +| aws_securityhub.finding.vulnerabilities.severity | The vendor assigned severity of the vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.title | A title or a brief phrase summarizing the discovered vulnerability. | keyword | +| aws_securityhub.finding.vulnerabilities.vendor_name | The name of the vendor that identified the vulnerability. | keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. 
`event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| input.type | Type of filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| observer.vendor | Vendor name of the observer. | constant_keyword |
+| package.fixed_version | In which version of the package the vulnerability was fixed. | keyword |
+| resource.id | The ID of the resource. | keyword |
+| resource.name | The name of the resource. 
| keyword |
+| resource.type | The type of the resource. | keyword |
+| result.evaluation | The result of the evaluation. | keyword |
+| rule.remediation | The remediation actions for the rule. | keyword |
+| vulnerability.cve | The CVE id of the vulnerability. | keyword |
+| vulnerability.published_date | When the vulnerability was published. | date |
+| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | constant_keyword |
+| vulnerability.title | The human readable title of the vulnerability. | keyword |
+
+
+### Example event
+
+#### Finding
+
+
+
+### Inputs used
+
+These inputs are used in this integration:
+
+- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel)
+
+### API usage
+
+This integration dataset uses the following APIs:
+
+- `Finding`: [AWS Security Hub REST API](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingsV2.html).
diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml
new file mode 100644
index 00000000000..b7e5200dd17
--- /dev/null
+++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+ type: keyword
+- name: event.module
+ external: ecs
+ type: constant_keyword
+ value: aws_securityhub
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: aws_securityhub.finding
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
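Review bot: `data_stream.namespace` is given an explicit `type: keyword` in this transform's base-fields, while the data stream's own mapping (as rendered in the README table above) lists it as `constant_keyword`, and nothing in the file records why the two differ. This is presumably deliberate, since a transform destination index can receive documents from more than one namespace, but a reader comparing the two files will read it as an inconsistency. A comment above the entry such as `# keyword, not constant_keyword: the transform destination index may hold documents from several namespaces` would make the intent explicit. The same reasoning applies to pinning `event.dataset` to `aws_securityhub.finding` for the latest_cdr_vulnerabilities index; a one-line comment confirming that value is intended for the destination index would help.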
+++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
new file mode 100644
index 00000000000..cc61312ef72
--- /dev/null
+++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml
@@ -0,0 +1,7 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+ external: ecs
+- name: vulnerability.scanner.vendor
+ type: constant_keyword
+ external: ecs
diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
new file mode 100644
index 00000000000..c94cb9a1ca1
--- /dev/null
+++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml
@@ -0,0 +1,4378 @@ +- name: aws_securityhub + type: group + fields: + - name: finding + type: group + fields: + - name: action + type: keyword + description: The normalized caption of action_id. + - name: action_id + type: keyword + description: The action taken by a control or other policy-based system leading to an outcome or disposition. + - name: activity_id + type: keyword + description: The normalized identifier of the finding activity. + - name: activity_name + type: keyword + description: The finding activity name, as defined by the activity_id. + - name: actor + type: group + fields: + - name: app_name + type: keyword + description: The client application or service that initiated the activity. + - name: app_uid + type: keyword + description: The unique identifier of the client application or service that initiated the activity. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome. + - name: policy + type: flattened + description: Details about the Identity/Access management policies that are applicable. + - name: idp + type: group + fields: + - name: auth_factors + type: nested + description: The Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider. + - name: domain + type: keyword + description: The primary domain associated with the Identity Provider. + - name: fingerprint + type: flattened + description: The fingerprint of the X.509 certificate used by the Identity Provider. + - name: has_mfa + type: boolean + description: The Identity Provider enforces Multi Factor Authentication (MFA). + - name: issuer + type: keyword + description: The unique identifier (often a URL) used by the Identity Provider as its issuer. + - name: name + type: keyword + description: The name of the Identity Provider. 
+ - name: protocol_name + type: keyword + description: The supported protocol of the Identity Provider. + - name: scim + type: flattened + description: The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. + - name: sso + type: flattened + description: The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers. + - name: state + type: keyword + description: The configuration state of the Identity Provider, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The normalized state ID of the Identity Provider to reflect its configuration or activation status. + - name: tenant_uid + type: keyword + description: The tenant ID associated with the Identity Provider. + - name: uid + type: keyword + description: The unique identifier of the Identity Provider. + - name: url_string + type: keyword + description: The URL for accessing the configuration or metadata of the Identity Provider. + - name: process + type: group + fields: + - name: ancestry + type: nested + description: An array of Process Entities describing the extended parentage of this process object. + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: cpid + type: keyword + description: A unique process identifier that can be assigned deterministically by multiple system data producers. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: flattened + description: The process file object. + - name: group + type: flattened + description: The group under which this process is running. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the integrity_id value. + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: The friendly name of the process. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: path + type: keyword + description: The process file path. + - name: pid + type: long + description: The process identifier, as reported by the operating system. + - name: sandbox + type: keyword + description: The name of the containment jail. + - name: session + type: flattened + description: The user session under which this process is running. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: keyword + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
+ - name: user + type: flattened + description: The user under which this process is running. + - name: working_directory + type: keyword + description: The working directory of a process. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: count + type: long + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. 
+ - name: user + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
+ - name: api + type: group + fields: + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: request + type: group + fields: + - name: containers + type: nested + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The communication flags that are associated with the api request. + - name: uid + type: keyword + description: The unique request identifier. + - name: response + type: group + fields: + - name: code + type: long + description: The numeric response sent to a request. + - name: containers + type: nested + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: keyword + description: Error Message. + - name: flags + type: keyword + description: The communication flags that are associated with the api response. + - name: message + type: keyword + description: The description of the event/finding, as defined by the source. 
+ - name: service + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. + - name: assignee + type: group + fields: + - name: account + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated to the account. + - name: name + type: keyword + description: The name of the account. + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group privileges. + - name: domain + type: keyword + description: The group description. + - name: name + type: keyword + description: The domain where the group is defined. + - name: privileges + type: keyword + description: The group name. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the assignee. + - name: created_time + type: date + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The timestamp when the user was created. + - name: deleted_time + type: date + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The timestamp when the user was deleted. + - name: display_name + type: keyword + description: The display name of the LDAP person. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the assignee. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the assignee. + - name: hire_time + type: date + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The timestamp when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the assignee. + - name: last_login_time + type: date + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last time when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. 
+ - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service. + - name: leave_time + type: date + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The timestamp when the user left or will be leaving the organization. + - name: location + type: flattened + description: The geographical location associated with a assignee. + - name: manager + type: flattened + description: The user's manager. + - name: modified_time + type: date + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The timestamp when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the assignee. + - name: phone_number + type: keyword + description: The telephone number of the assignee. + - name: surname + type: keyword + description: The last or family name for the assignee. + - name: name + type: keyword + description: The username. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. + - name: ou_name + type: keyword + description: The name of an organizational unit. + - name: ou_uid + type: keyword + description: The unique identifier of an organizational unit. + - name: uid + type: keyword + description: The unique identifier of the organization. + - name: phone_number + type: keyword + description: The telephone number of the assignee. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. 
+ - name: type + type: keyword + description: The type of the assignee. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: assignee_group + type: group + fields: + - name: desc + type: keyword + description: The group privileges. + - name: domain + type: keyword + description: The group description. + - name: name + type: keyword + description: The domain where the group is defined. + - name: privileges + type: keyword + description: The group name. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: attacks + type: group + fields: + - name: mitigation + type: group + fields: + - name: countermeasures + type: nested + description: The ATT&CK® or ATLAS™ Matrix version. + - name: name + type: keyword + description: The D3FEND countermeasures that are associated with the attack technique. + - name: src_url + type: keyword + description: The Mitigation name that is associated with the attack technique. + - name: uid + type: keyword + description: The versioned permalink of the Mitigation. + - name: version + type: keyword + description: The Mitigation ID that is associated with the attack technique. + - name: sub_technique + type: group + fields: + - name: name + type: keyword + description: The name of the attack sub-technique. + - name: src_url + type: keyword + description: The versioned permalink of the attack sub-technique. + - name: uid + type: keyword + description: The unique identifier of the attack sub-technique. + - name: tactic + type: group + fields: + - name: name + type: keyword + description: The Tactic name that is associated with the attack technique. + - name: src_url + type: keyword + description: The versioned permalink of the Tactic. 
+ - name: uid + type: keyword + description: The Tactic ID that is associated with the attack technique. + - name: technique + type: group + fields: + - name: name + type: keyword + description: The name of the attack technique. + - name: src_url + type: keyword + description: The versioned permalink of the attack technique. + - name: uid + type: keyword + description: The unique identifier of the attack technique. + - name: version + type: keyword + description: The ATT&CK® or ATLAS™ Matrix version. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome. + - name: policy + type: group + fields: + - name: data + type: flattened + description: Additional data about the policy such as the underlying JSON policy itself or other details. + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: flattened + description: The policy group. + - name: is_applied + type: boolean + description: A determination if the content of a policy was applied to a target or request, or not. + - name: name + type: keyword + description: The policy name. + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: category_name + type: keyword + description: The event category name. + - name: category_uid + type: keyword + description: The category unique identifier of the event. + - name: class_name + type: keyword + description: The event class name. + - name: class_uid + type: keyword + description: The unique identifier of a class. + - name: cloud + type: group + fields: + - name: account + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated to the account. + - name: name + type: keyword + description: The name of the account. 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account. + - name: cloud_partition + type: keyword + description: The canonical cloud partition name to which the region is assigned. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. + - name: ou_name + type: keyword + description: The name of an organizational unit. + - name: ou_uid + type: keyword + description: The unique identifier of an organizational unit. + - name: uid + type: keyword + description: The unique identifier of the organization. + - name: provider + type: keyword + description: The unique name of the Cloud services provider. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: comment + type: keyword + description: A user provided comment about the finding. + - name: confidence + type: keyword + description: The confidence, normalized to the caption of the confidence_id value. . + - name: confidence_id + type: keyword + description: The normalized confidence refers to the accuracy of the rule that created the finding. + - name: confidence_score + type: long + description: The confidence score as reported by the event source. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. + - name: device + type: group + fields: + - name: agent_list + type: group + fields: + - name: name + type: keyword + description: The name of the agent or sensor. 
+ - name: policies + type: nested + description: Describes the various policies that may be applied or enforced by an agent or sensor. + - name: type + type: keyword + description: The normalized caption of the type_id value for the agent or sensor. + - name: type_id + type: keyword + description: The normalized representation of an agent or sensor. + - name: uid + type: keyword + description: The UID of the agent or sensor, sometimes known as a Sensor ID or aid. + - name: uid_alt + type: keyword + description: An alternative or contextual identifier for the agent or sensor. + - name: vendor_name + type: keyword + description: The company or author who created the agent or sensor. + - name: version + type: keyword + description: The semantic version of the agent or sensor. + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: boot_time + type: date + description: The time the system was booted. + - name: boot_time_dt + type: date + description: The time the system was booted. + - name: boot_uid + type: keyword + description: A unique identifier of the device that changes after every reboot. + - name: container + type: group + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: labels + type: keyword + description: The list of labels associated to the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. + - name: orchestrator + type: keyword + description: The orchestrator managing the container. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container. + - name: size + type: long + description: The size of the container image. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: The time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: The network domain where the device resides. + - name: eid + type: keyword + description: An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device. + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group privileges. + - name: domain + type: keyword + description: The group description. + - name: name + type: keyword + description: The domain where the group is defined. + - name: privileges + type: keyword + description: The group name. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: hostname + type: keyword + description: The device hostname. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: The BIOS date. + - name: bios_manufacturer + type: keyword + description: The BIOS manufacturer. + - name: bios_ver + type: keyword + description: The BIOS version. 
+ - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. + - name: cpu_architecture + type: keyword + description: The CPU architecture, normalized to the caption of the cpu_architecture_id value. + - name: cpu_architecture_id + type: keyword + description: The normalized identifier of the CPU architecture. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. + - name: cpu_cores + type: long + description: The number of processor cores in all installed processors. + - name: cpu_count + type: long + description: The number of physical processors on a system. + - name: cpu_speed + type: long + description: The speed of the processor in Mhz. + - name: cpu_type + type: keyword + description: The processor type. + - name: desktop_display + type: flattened + description: The desktop display affiliated with the event. + - name: keyboard_info + type: flattened + description: The keyboard detailed information. + - name: ram_size + type: long + description: The total amount of installed RAM, in Megabytes. + - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: uuid + type: keyword + description: The device manufacturer assigned universally unique hardware identifier. . + - name: vendor_name + type: keyword + description: The device manufacturer. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. + - name: iccid + type: keyword + description: The Integrated Circuit Card Identification of a mobile device. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated to the image. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: uid + type: keyword + description: The unique image ID. 
+ - name: imei_list + type: keyword + description: The International Mobile Equipment Identity values that are associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface. + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address. + - name: is_backed_up + type: boolean + description: Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_mobile_account_active + type: boolean + description: Indicates whether the device has an active mobile account. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_shared + type: boolean + description: The event occurred on a shared device. + - name: is_supervised + type: boolean + description: The event occurred on a supervised device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: aerial_height + type: keyword + description: Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. 
+ - name: desc + type: keyword + description: The description of the geographical location. + - name: geodetic_altitude + type: keyword + description: The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. + - name: geodetic_vertical_accuracy + type: keyword + description: Provides quality/containment on geodetic altitude. + - name: geohash + type: keyword + description: Geohash of the geo-coordinates (latitude and longitude). + - name: horizontal_accuracy + type: keyword + description: Provides quality/containment on horizontal position. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: lat + type: double + description: The geographical Latitude coordinate represented in Decimal Degrees (DD). + - name: long + type: double + description: The geographical Longitude coordinate represented in Decimal Degrees (DD). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: pressure_altitude + type: keyword + description: The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. + - name: value + type: geo_point + description: The geographical location. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: meid + type: keyword + description: The Mobile Equipment Identifier. + - name: model + type: keyword + description: The model of the device. 
+ - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. + - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. + - name: ou_name + type: keyword + description: The name of an organizational unit. + - name: ou_uid + type: keyword + description: The unique identifier of an organizational unit. + - name: uid + type: keyword + description: The unique identifier of the organization. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. 
+ - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST). + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. + - name: edition + type: keyword + description: The operating system edition. + - name: kernel_release + type: keyword + description: The kernel release of the operating system. + - name: lang + type: keyword + description: The two letter lower case language codes. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. . + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. + - name: os_machine_uuid + type: keyword + description: The operating system assigned Machine ID. + - name: owner + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. 
+ - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: region + type: keyword + description: The region where the virtual machine is located. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: keyword + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. + - name: type_id + type: keyword + description: The device type ID. 
+ - name: udid + type: keyword + description: The Apple assigned Unique Device Identifier (UDID). + - name: uid + type: keyword + description: The unique identifier of the device. + - name: uid_alt + type: keyword + description: An alternate unique identifier of the device if any. + - name: vendor_name + type: keyword + description: The vendor for the device. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. + - name: disposition + type: keyword + description: The disposition name, normalized to the caption of the disposition_id value. + - name: disposition_id + type: keyword + description: Describes the outcome or action taken by a security control. + - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: end_time + type: date + description: The time of the most recent event included in the finding. + - name: end_time_dt + type: date + description: The time of the most recent event included in the finding. + - name: enrichments + type: group + fields: + - name: created_time + type: date + description: The time when the enrichment data was generated. + - name: created_time_dt + type: date + description: The time when the enrichment data was generated. + - name: data + type: flattened + description: The enrichment data associated with the attribute and value. . + - name: desc + type: keyword + description: A long description of the enrichment data. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. 
+ - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. + - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. + - name: score_id + type: keyword + description: The normalized reputation score identifier. + - name: short_desc + type: keyword + description: A short description of the enrichment data. + - name: src_url + type: keyword + description: The URL of the source of the enrichment data. + - name: type + type: keyword + description: The enrichment type. + - name: value + type: keyword + description: The value of the attribute to which the enriched data pertains. + - name: evidences + type: group + fields: + - name: actor + type: group + fields: + - name: app_name + type: keyword + description: The client application or service that initiated the activity. + - name: app_uid + type: keyword + description: The unique identifier of the client application or service that initiated the activity. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome. + - name: policy + type: flattened + description: Details about the Identity/Access management policies that are applicable. + - name: idp + type: group + fields: + - name: domain + type: keyword + description: The primary domain associated with the Identity Provider. + - name: fingerprint + type: flattened + description: The fingerprint of the X.509 certificate used by the Identity Provider. + - name: has_mfa + type: boolean + description: The Identity Provider enforces Multi Factor Authentication (MFA). + - name: issuer + type: keyword + description: The unique identifier (often a URL) used by the Identity Provider as its issuer. 
+ - name: name + type: keyword + description: The name of the Identity Provider. + - name: protocol_name + type: keyword + description: The supported protocol of the Identity Provider. + - name: scim + type: flattened + description: The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. + - name: sso + type: flattened + description: The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers. + - name: state + type: keyword + description: The configuration state of the Identity Provider, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The normalized state ID of the Identity Provider to reflect its configuration or activation status. + - name: tenant_uid + type: keyword + description: The tenant ID associated with the Identity Provider. + - name: uid + type: keyword + description: The unique identifier of the Identity Provider. + - name: url_string + type: keyword + description: The URL for accessing the configuration or metadata of the Identity Provider. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: cpid + type: keyword + description: A unique process identifier that can be assigned deterministically by multiple system data producers. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. 
+ - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: flattened + description: The process file object. + - name: group + type: flattened + description: The group under which this process is running. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the integrity_id value. + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: The friendly name of the process. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: path + type: keyword + description: The process file path. + - name: pid + type: long + description: The process identifier, as reported by the operating system. + - name: sandbox + type: keyword + description: The name of the containment jail. + - name: session + type: flattened + description: The user session under which this process is running. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: keyword + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). + - name: user + type: flattened + description: The user under which this process is running. 
+ - name: working_directory + type: keyword + description: The working directory of a process. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: count + type: long + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: user + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: api + type: group + fields: + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. 
+ - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: request + type: group + fields: + - name: containers + type: nested + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The communication flags that are associated with the api request. + - name: uid + type: keyword + description: The unique request identifier. + - name: response + type: group + fields: + - name: code + type: long + description: The numeric response sent to a request. + - name: containers + type: nested + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: keyword + description: Error Message. + - name: flags + type: keyword + description: The communication flags that are associated with the api response. + - name: message + type: keyword + description: The description of the event/finding, as defined by the source. + - name: service + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. 
+ - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. + - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. + - name: community_uid + type: keyword + description: The Community ID of the network connection. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: flag_history + type: keyword + description: The Connection Flag History summarizes events in a network connection. + - name: protocol_name + type: keyword + description: The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). + - name: protocol_num + type: long + description: The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). + - name: protocol_ver + type: keyword + description: The Internet Protocol version. + - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. + - name: session + type: flattened + description: The authenticated user or service session. + - name: tcp_flags + type: long + description: The network connection TCP header flags (i.e., control bits). + - name: uid + type: keyword + description: The unique identifier of the connection. + - name: container + type: flattened + description: Describes details about the container associated to the activity that triggered the detection. 
+ - name: data + type: flattened + description: Additional evidence data that is not accounted for in the specific evidence attributes. + - name: database + type: flattened + description: Describes details about the database associated to the activity that triggered the detection. + - name: databucket + type: flattened + description: Describes details about the databucket associated to the activity that triggered the detection. + - name: device + type: flattened + description: An addressable device, computer system or host associated to the activity that triggered the detection. + - name: dst_endpoint + type: flattened + description: Describes details about the destination of the network activity that triggered the detection. + - name: email + type: flattened + description: The email object associated to the activity that triggered the detection. + - name: file + type: flattened + description: Describes details about the file associated to the activity that triggered the detection. + - name: http_request + type: flattened + description: Describes details about the http request associated to the activity that triggered the detection. + - name: http_response + type: flattened + description: Describes details about the http response associated to the activity that triggered the detection. + - name: ja4_fingerprint_list + type: nested + description: Describes details about the JA4+ fingerprints that triggered the detection. + - name: job + type: flattened + description: Describes details about the scheduled job that was associated with the activity that triggered the detection. + - name: name + type: keyword + description: The naming convention or type identifier of the evidence associated with the security detection. + - name: process + type: group + fields: + - name: ancestry + type: nested + description: An array of Process Entities describing the extended parentage of this process object. 
+ - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: cpid + type: keyword + description: A unique process identifier that can be assigned deterministically by multiple system data producers. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: environment_variables + type: nested + description: Environment variables associated with the process. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: flattened + description: The process file object. + - name: group + type: flattened + description: The group under which this process is running. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the integrity_id value. + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: The friendly name of the process. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: path + type: keyword + description: The process file path. 
+ - name: pid + type: long + description: The process identifier, as reported by the operating system. + - name: sandbox + type: keyword + description: The name of the containment jail. + - name: session + type: flattened + description: The user session under which this process is running. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: keyword + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). + - name: user + type: flattened + description: The user under which this process is running. + - name: working_directory + type: keyword + description: The working directory of a process. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: query + type: group + fields: + - name: class + type: keyword + description: The class of resource records being queried. + - name: hostname + type: keyword + description: The hostname or domain being queried. + - name: opcode + type: keyword + description: The DNS opcode specifies the type of the query message. + - name: opcode_id + type: keyword + description: The DNS opcode ID specifies the normalized query message type as defined in RFC-5395. + - name: packet_uid + type: keyword + description: The DNS packet identifier assigned by the program that generated the query. + - name: type + type: keyword + description: The type of resource records being queried. + - name: reg_key + type: flattened + description: Describes details about the registry key that triggered the detection. 
+ - name: reg_value + type: flattened + description: Describes details about the registry value that triggered the detection. + - name: resources + type: nested + description: Describes details about the cloud resources directly related to activity that triggered the detection. + - name: script + type: flattened + description: Describes details about the script that was associated with the activity that triggered the detection. + - name: src_endpoint + type: group + fields: + - name: agent_list + type: nested + description: A list of agent objects associated with a device, endpoint, or resource. + - name: autonomous_system + type: flattened + description: The Autonomous System details associated with an IP address. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain that the endpoint belongs to or that corresponds to the endpoint. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: isp_org + type: keyword + description: The organization name of the Internet Service Provider (ISP). + - name: location + type: flattened + description: The geographical location of the endpoint. 
+ - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: owner + type: flattened + description: The identity of the service or user account that owns the endpoint or was last logged into it. + - name: port + type: long + description: The port used for communication within the network connection. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. + - name: type + type: keyword + description: The network endpoint type. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. + - name: tls + type: flattened + description: Describes details about the Transport Layer Security (TLS) activity that triggered the detection. + - name: uid + type: keyword + description: The unique identifier of the evidence associated with the security detection. + - name: url + type: flattened + description: The URL object that pertains to the event or object associated to the activity that triggered the detection. 
+ - name: user + type: flattened + description: Describes details about the user that was the target or somehow else associated with the activity that triggered the detection. + - name: verdict + type: keyword + description: The normalized verdict of the evidence associated with the security detection. + - name: verdict_id + type: keyword + description: The normalized verdict (or status) ID of the evidence associated with the security detection. + - name: win_service + type: flattened + description: Describes details about the Windows service that triggered the detection. + - name: finding_info + type: group + fields: + - name: analytic + type: group + fields: + - name: algorithm + type: keyword + description: The algorithm used by the underlying analytic to generate the finding. + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: The analytic version. + - name: attacks + type: group + fields: + - name: mitigation + type: flattened + description: The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack. + - name: sub_technique + type: flattened + description: The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack. + - name: tactic + type: flattened + description: The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack. 
+ - name: technique + type: flattened + description: The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack. + - name: version + type: keyword + description: The ATT&CK® or ATLAS™ Matrix version. + - name: created_time + type: date + description: The time when the finding was created. + - name: created_time_dt + type: date + description: The time when the finding was created. + - name: data_sources + type: keyword + description: A list of data sources utilized in generation of the finding. + - name: desc + type: keyword + description: The description of the reported finding. + - name: first_seen_time + type: date + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time when the finding was first observed. + - name: kill_chain + type: group + fields: + - name: phase + type: keyword + description: The cyber kill chain phase. + - name: phase_id + type: keyword + description: The cyber kill chain phase identifier. + - name: last_seen_time + type: date + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the finding was most recently observed. + - name: modified_time + type: date + description: The time when the finding was last modified. + - name: modified_time_dt + type: date + description: The time when the finding was last modified. + - name: product + type: group + fields: + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST). + - name: data_classifications + type: nested + description: A list of Data Classification objects. + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. 
+ - name: lang + type: keyword + description: The two letter lower case language codes. + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The version of the product. + - name: related_analytics + type: group + fields: + - name: algorithm + type: keyword + description: The algorithm used by the underlying analytic to generate the finding. + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The analytic version. + - name: related_events + type: group + fields: + - name: attacks + type: nested + description: An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. + - name: count + type: long + description: The number of times that activity in the same logical group occurred, as reported by the related Finding. + - name: created_time + type: date + description: The time when the related event/finding was created. + - name: created_time_dt + type: date + description: The time when the related event/finding was created. 
+ - name: desc + type: keyword + description: A description of the related event/finding. + - name: first_seen_time + type: date + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time when the finding was first observed. + - name: kill_chain + type: nested + description: The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. + - name: last_seen_time + type: date + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the finding was most recently observed. + - name: modified_time + type: date + description: The time when the related event/finding was last modified. + - name: modified_time_dt + type: date + description: The time when the related event/finding was last modified. + - name: observables + type: nested + description: The observables associated with the event or a finding. + - name: product + type: flattened + description: Details about the product that reported the related event/finding. + - name: severity + type: keyword + description: The event/finding severity, normalized to the caption of the severity_id value. + - name: severity_id + type: keyword + description: The normalized identifier of the event/finding severity. + - name: title + type: keyword + description: A title or a brief phrase summarizing the related event/finding. + - name: traits + type: nested + description: The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome. + - name: type + type: keyword + description: The type of the related event/finding. + - name: type_name + type: keyword + description: The type of the related OCSF event, as defined by type_uid. 
+ - name: type_uid + type: keyword + description: The unique identifier of the related OCSF event type. + - name: uid + type: keyword + description: The unique identifier of the related event/finding. + - name: related_events_count + type: long + description: Number of related events or findings. + - name: src_url + type: keyword + description: The URL pointing to the source of the finding. + - name: title + type: keyword + description: A title or a brief phrase summarizing the reported finding. + - name: traits + type: group + fields: + - name: category + type: keyword + description: The high-level grouping or classification this trait belongs to. + - name: name + type: keyword + description: The name of the trait. + - name: type + type: keyword + description: The type of the trait. + - name: uid + type: keyword + description: The unique identifier of the trait. + - name: values + type: keyword + description: The values of the trait. + - name: types + type: keyword + description: One or more types of the reported finding. + - name: uid + type: keyword + description: The unique identifier of the reported finding. + - name: uid_alt + type: keyword + description: The alternative unique identifier of the reported finding. + - name: firewall_rule + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: keyword + description: The rule trigger condition for the rule. + - name: desc + type: keyword + description: The description of the rule that generated the event. + - name: duration + type: long + description: The rule response time duration, usually used for challenge completion time. + - name: match_details + type: keyword + description: The data in a request that rule matched. + - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. 
+ - name: name + type: keyword + description: The name of the rule that generated the event. + - name: rate_limit + type: long + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. + - name: type + type: keyword + description: The rule type. + - name: uid + type: keyword + description: The unique identifier of the rule that generated the event. + - name: version + type: keyword + description: The rule version. + - name: impact + type: keyword + description: The impact , normalized to the caption of the impact_id value. + - name: impact_id + type: keyword + description: The normalized impact of the incident or finding. + - name: impact_score + type: long + description: The impact as an integer value of the finding. + - name: is_alert + type: boolean + description: Indicates that the event is considered to be an alertable signal. + - name: is_suspected_breach + type: boolean + description: A determination based on analytics as to whether a potential breach was found. + - name: malware + type: group + fields: + - name: classification_ids + type: keyword + description: The list of normalized identifiers of the malware classifications. + - name: classifications + type: keyword + description: The list of malware classifications, normalized to the captions of the classification_ids values. + - name: cves + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: The CVSS base score. 
+ - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The Common Vulnerability Scoring System metrics. + - name: value + type: keyword + description: The Common Vulnerability Scoring System metrics. + - name: overall_score + type: double + description: The CVSS overall score, impacted by base, temporal, and environmental metrics. + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. + - name: src_url + type: keyword + description: The source URL for the CVSS score. + - name: vector_string + type: keyword + description: The CVSS vector string is a text representation of a set of CVSS metrics. + - name: vendor_name + type: keyword + description: The vendor that provided the CVSS score. + - name: version + type: keyword + description: The CVSS version. + - name: desc + type: keyword + description: A brief description of the CVE Record. + - name: epss + type: flattened + description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: flattened + description: The product where the vulnerability was discovered. + - name: references + type: keyword + description: A list of reference URLs with additional information about the CVE Record. + - name: related_cwes + type: nested + description: Describes the Common Weakness Enumeration (CWE) details related to the CVE Record. + - name: title + type: keyword + description: A title or a brief phrase summarizing the CVE record. 
+ - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. + - name: files + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: flattened + description: The name of the user who last accessed the object. + - name: attributes + type: long + description: The bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: The name of the company that published the file. + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: flattened + description: The user that created the file. + - name: data_classifications + type: nested + description: A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. + - name: desc + type: keyword + description: The description of the file, as returned by file system. + - name: drive_type + type: keyword + description: The drive type, normalized to the caption of the drive_type_id value. + - name: drive_type_id + type: keyword + description: Identifies the type of a disk drive. + - name: encryption_details + type: flattened + description: The encryption details of the file. 
+ - name: ext + type: keyword + description: The extension of the file, excluding the leading dot. + - name: hashes + type: nested + description: An array of hash attributes. + - name: internal_name + type: keyword + description: The name of the file as identified within the file itself. + - name: is_deleted + type: boolean + description: Indicates if the file was deleted from the filesystem. + - name: is_encrypted + type: boolean + description: Indicates if the file is encrypted. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: flattened + description: The user that last modified the file. + - name: name + type: keyword + description: The name of the file. + - name: owner + type: flattened + description: The user that owns the file/object. + - name: parent_folder + type: keyword + description: The parent folder in which the file resides. + - name: path + type: keyword + description: The full path to the file. + - name: product + type: flattened + description: The product that created or installed the file. + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: flattened + description: The digital signature of the file. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system. + - name: uri + type: keyword + description: The file URI. 
+ - name: url + type: flattened + description: The URL of the file. + - name: version + type: keyword + description: The file version. + - name: volume + type: keyword + description: The volume on the storage device where the file is located. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: name + type: keyword + description: The malware name, as reported by the detection engine. + - name: num_infected + type: long + description: The number of files that were identified to be infected by the malware. + - name: provider + type: keyword + description: The name or identifier of the security solution or service that provided the malware detection information. + - name: severity + type: keyword + description: The severity of the malware, normalized to the captions of the severity_id values. + - name: severity_id + type: keyword + description: The normalized identifier of the malware severity. + - name: uid + type: keyword + description: A unique identifier for the specific malware instance, as assigned by the detection engine. + - name: malware_scan_info + type: group + fields: + - name: end_time + type: date + description: The timestamp indicating when the scan job completed execution. + - name: end_time_dt + type: date + description: The timestamp indicating when the scan job completed execution. + - name: name + type: keyword + description: The administrator-supplied or application-generated name of the scan. + - name: num_files + type: long + description: The total number of files analyzed during the scan. + - name: num_infected + type: long + description: The total number of files identified as infected with malware during the scan. + - name: num_volumes + type: long + description: The total number of storage volumes examined during the malware scan. 
+ - name: size + type: long + description: The total size in bytes of all files that were scanned. + - name: start_time + type: date + description: The timestamp indicating when the scan job began execution. + - name: start_time_dt + type: date + description: The timestamp indicating when the scan job began execution. + - name: type + type: keyword + description: The type of scan. + - name: type_id + type: keyword + description: The type id of the scan. + - name: uid + type: keyword + description: The application-defined unique identifier assigned to an instance of a scan. + - name: unique_malware_count + type: long + description: The number of unique malware detected across all infected files. + - name: message + type: keyword + description: The description of the event/finding, as defined by the source. + - name: metadata + type: group + fields: + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: data_classifications + type: group + fields: + - name: category + type: keyword + description: The name of the data classification category that data matched into. + - name: category_id + type: keyword + description: The normalized identifier of the data classification category. + - name: classifier_details + type: flattened + description: Describes details about the classifier used for data classification. + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: discovery_details + type: nested + description: Details about the data discovered by classification job. + - name: policy + type: flattened + description: Details about the data policy that governs data handling and security measures related to classification. + - name: size + type: long + description: Size of the data classified. 
+ - name: src_url + type: keyword + description: The source URL pointing towards the full classifcation job details. + - name: status + type: keyword + description: The resultant status of the classification job normalized to the caption of the status_id value. + - name: status_details + type: keyword + description: The contextual description of the status, status_id value. + - name: status_id + type: keyword + description: The normalized status identifier of the classification job. + - name: total + type: long + description: The total count of discovered entities, by the classification job. + - name: uid + type: keyword + description: The unique identifier of the classification job. + - name: debug + type: keyword + description: Debug information about non-fatal issues with this OCSF event. + - name: event_code + type: keyword + description: The Event ID, Code, or Name that the product uses to primarily identify the event. + - name: extensions + type: group + fields: + - name: name + type: keyword + description: The schema extension name. + - name: uid + type: keyword + description: The schema extension unique identifier. + - name: version + type: keyword + description: The schema extension version. + - name: labels + type: keyword + description: The list of labels attached to the event. + - name: log_level + type: keyword + description: The audit level at which an event was generated. + - name: log_name + type: keyword + description: The event log name. + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. + - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. 
+ - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. + - name: loggers + type: group + fields: + - name: device + type: flattened + description: The device where the events are logged. + - name: event_uid + type: keyword + description: The unique identifier of the event assigned by the logger. + - name: log_level + type: keyword + description: The audit level at which an event was generated. + - name: log_name + type: keyword + description: The event log name. + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. + - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. + - name: name + type: keyword + description: The name of the logging product instance. + - name: product + type: flattened + description: The product logging the event. + - name: transmit_time + type: date + description: The time when the event was transmitted from the logging device to it's next destination. + - name: transmit_time_dt + type: date + description: The time when the event was transmitted from the logging device to it's next destination. + - name: uid + type: keyword + description: The unique identifier of the logging product instance. + - name: version + type: keyword + description: The version of the logging product. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. 
+ - name: processed_time + type: date + description: The event processed time. + - name: processed_time_dt + type: date + description: The event processed time. + - name: product + type: group + fields: + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST). + - name: data_classifications + type: nested + description: A list of Data Classification objects. + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: The two letter lower case language codes. + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The version of the product. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. + - name: tenant_uid + type: keyword + description: The unique tenant identifier. + - name: transformation_info_list + type: group + fields: + - name: lang + type: keyword + description: The transformation language used to transform the data. + - name: name + type: keyword + description: The name of the transformation or mapping. + - name: product + type: flattened + description: The product or instance used to make the transformation. + - name: time + type: date + description: Time of the transformation. 
+ - name: time_dt + type: date + description: Time of the transformation. + - name: uid + type: keyword + description: The unique identifier of the mapping or transformation. + - name: url_string + type: keyword + description: The Uniform Resource Locator String where the mapping or transformation exists. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: The version of the OCSF schema, using Semantic Versioning Specification (SemVer). + - name: observables + type: group + fields: + - name: name + type: keyword + description: The full name of the observable attribute. + - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. + - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. + - name: score_id + type: keyword + description: The normalized reputation score identifier. + - name: type + type: keyword + description: The observable value type name. + - name: type_id + type: keyword + description: The observable value type identifier. + - name: value + type: keyword + description: The value associated with the observable attribute. + - name: osint + type: group + fields: + - name: answers + type: group + fields: + - name: class + type: keyword + description: The class of DNS data contained in this resource record. + - name: flag_ids + type: keyword + description: The list of DNS answer header flag IDs. + - name: flags + type: keyword + description: The list of DNS answer header flags. + - name: packet_uid + type: keyword + description: The DNS packet identifier assigned by the program that generated the query. + - name: rdata + type: keyword + description: The data describing the DNS resource. 
+ - name: ttl
+ type: long
+ description: The time interval that the resource record may be cached.
+ - name: type
+ type: keyword
+ description: The type of data contained in this resource record.
+ - name: attacks
+ type: group
+ fields:
+ - name: mitigation
+ type: flattened
+ description: The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.
+ - name: sub_technique
+ type: flattened
+ description: The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.
+ - name: tactic
+ type: flattened
+ description: The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.
+ - name: technique
+ type: flattened
+ description: The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.
+ - name: version
+ type: keyword
+ description: The ATT&CK® or ATLAS™ Matrix version.
+ - name: autonomous_system
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Organization name for the Autonomous System.
+ - name: number
+ type: long
+ description: Unique number that the AS is identified by.
+ - name: campaign
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of a specific campaign associated with a cyber threat.
+ - name: category
+ type: keyword
+ description: Categorizes the threat indicator based on its functional or operational role.
+ - name: comment
+ type: keyword
+ description: Analyst commentary or source commentary about an indicator or OSINT analysis.
+ - name: confidence
+ type: keyword
+ description: The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value.
+ - name: confidence_id
+ type: keyword
+ description: The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding.
+ - name: created_time
+ type: date
+ description: The timestamp when the indicator was initially created or identified.
+ - name: created_time_dt
+ type: date
+ description: The timestamp when the indicator was initially created or identified.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: flattened
+ description: The user's account or the account associated with the user.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential.
+ - name: display_name
+ type: keyword
+ description: The display name of the user, as reported by the product.
+ - name: domain
+ type: keyword
+ description: The domain where the user is defined.
+ - name: email_addr
+ type: keyword
+ description: The user's primary email address.
+ - name: forward_addr
+ type: keyword
+ description: The user's forwarding email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the user, as reported by the product.
+ - name: groups
+ type: nested
+ description: The administrative groups to which the user belongs.
+ - name: has_mfa
+ type: boolean
+ description: The user has a multi-factor or secondary-factor device assigned.
+ - name: ldap_person
+ type: flattened
+ description: The additional LDAP attributes that describe a person.
+ - name: name
+ type: keyword
+ description: The username.
+ - name: org
+ type: flattened
+ description: Organization and org unit related to the user.
+ - name: phone_number
+ type: keyword
+ description: The telephone number of the user.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: type
+ type: keyword
+ description: The type of the user.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
+ - name: desc
+ type: keyword
+ description: A detailed explanation of the indicator, including its context, purpose, and relevance.
+ - name: detection_pattern
+ type: keyword
+ description: The specific detection pattern or signature associated with the indicator.
+ - name: detection_pattern_type
+ type: keyword
+ description: The detection pattern type, normalized to the caption of the detection_pattern_type_id value.
+ - name: detection_pattern_type_id
+ type: keyword
+ description: Specifies the type of detection pattern used to identify the associated threat indicator.
+ - name: email
+ type: group
+ fields:
+ - name: cc
+ type: keyword
+ description: The machine-readable email header Cc values.
+ - name: cc_mailboxes
+ type: keyword
+ description: The human-readable email header Cc Mailbox values.
+ - name: data_classifications
+ type: nested
+ description: A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier.
+ - name: delivered_to_list
+ type: keyword
+ description: The machine-readable Delivered-To email header values.
+ - name: files
+ type: nested
+ description: The files embedded or attached to the email.
+ - name: from
+ type: keyword
+ description: The machine-readable email header From values.
+ - name: from_mailbox
+ type: keyword
+ description: The human-readable email header From Mailbox value.
+ - name: http_headers
+ type: nested
+ description: Additional HTTP headers of an HTTP request or response.
+ - name: is_read
+ type: boolean
+ description: The indication of whether the email has been read.
+ - name: message_uid
+ type: keyword
+ description: The email header Message-ID value.
+ - name: raw_header
+ type: keyword
+ description: The email authentication header.
+ - name: reply_to_mailboxes
+ type: keyword
+ description: The human-readable email header Reply To Mailbox values.
+ - name: size
+ type: long
+ description: The size in bytes of the email, including attachments.
+ - name: subject
+ type: keyword
+ description: The email header Subject value.
+ - name: to
+ type: keyword
+ description: The machine-readable email header To values.
+ - name: to_mailboxes
+ type: keyword
+ description: The human-readable email header To Mailbox values.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the email thread.
+ - name: urls
+ type: nested
+ description: The URLs embedded in the email.
+ - name: x_originating_ip
+ type: ip
+ description: The X-Originating-IP header identifying the emails originating IP address(es).
+ - name: email_auth
+ type: group
+ fields:
+ - name: dkim
+ type: keyword
+ description: The DomainKeys Identified Mail (DKIM) status of the email.
+ - name: dkim_domain
+ type: keyword
+ description: The DomainKeys Identified Mail (DKIM) status of the email.
+ - name: dkim_signature
+ type: keyword
+ description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.
+ - name: dmarc
+ type: keyword
+ description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.
+ - name: dmarc_override
+ type: keyword
+ description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.
+ - name: dmarc_policy
+ type: keyword
+ description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.
+ - name: spf
+ type: keyword
+ description: The Sender Policy Framework (SPF) status of the email.
+ - name: expiration_time
+ type: date
+ description: The expiration date of the indicator, after which it is no longer considered reliable.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration date of the indicator, after which it is no longer considered reliable.
+ - name: external_uid
+ type: keyword
+ description: A unique identifier assigned by an external system for cross-referencing.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: flattened
+ description: The name of the user who last accessed the object.
+ - name: attributes
+ type: long
+ description: The bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: The name of the company that published the file.
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: flattened
+ description: The user that created the file.
+ - name: data_classifications
+ type: nested
+ description: A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier.
+ - name: desc
+ type: keyword
+ description: The description of the file, as returned by file system.
+ - name: drive_type
+ type: keyword
+ description: The drive type, normalized to the caption of the drive_type_id value.
+ - name: drive_type_id
+ type: keyword
+ description: Identifies the type of a disk drive.
+ - name: encryption_details
+ type: flattened
+ description: The encryption details of the file.
+ - name: ext
+ type: keyword
+ description: The extension of the file, excluding the leading dot.
+ - name: hashes
+ type: nested
+ description: An array of hash attributes.
+ - name: internal_name
+ type: keyword
+ description: The name of the file as identified within the file itself.
+ - name: is_deleted
+ type: boolean
+ description: Indicates if the file was deleted from the filesystem.
+ - name: is_encrypted
+ type: boolean
+ description: Indicates if the file is encrypted.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: flattened
+ description: The user that last modified the file.
+ - name: name
+ type: keyword
+ description: The name of the file.
+ - name: owner
+ type: flattened
+ description: The user that owns the file/object.
+ - name: parent_folder
+ type: keyword
+ description: The parent folder in which the file resides.
+ - name: path
+ type: keyword
+ description: The full path to the file.
+ - name: product
+ type: flattened
+ description: The product that created or installed the file.
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: flattened
+ description: The digital signature of the file.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system.
+ - name: uri
+ type: keyword
+ description: The file URI.
+ - name: url
+ type: flattened
+ description: The URL of the file.
+ - name: version
+ type: keyword
+ description: The file version.
+ - name: volume
+ type: keyword
+ description: The volume on the storage device where the file is located.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: intrusion_sets
+ type: keyword
+ description: A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns.
+ - name: kill_chain
+ type: group
+ fields:
+ - name: phase
+ type: keyword
+ description: The cyber kill chain phase.
+ - name: phase_id
+ type: keyword
+ description: The cyber kill chain phase identifier.
+ - name: labels
+ type: keyword
+ description: Tags or keywords associated with the indicator to enhance searchability.
+ - name: location
+ type: group
+ fields:
+ - name: aerial_height
+ type: keyword
+ description: Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location.
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: geodetic_altitude
+ type: keyword
+ description: The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid.
+ - name: geodetic_vertical_accuracy
+ type: keyword
+ description: Provides quality/containment on geodetic altitude.
+ - name: geohash
+ type: keyword
+ description: Geohash of the geo-coordinates (latitude and longitude).
+ - name: horizontal_accuracy
+ type: keyword
+ description: Provides quality/containment on horizontal position.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: lat
+ type: double
+ description: The geographical Latitude coordinate represented in Decimal Degrees (DD).
+ - name: long
+ type: double
+ description: The geographical Longitude coordinate represented in Decimal Degrees (DD).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: pressure_altitude
+ type: keyword
+ description: The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country.
+ - name: malware
+ type: group
+ fields:
+ - name: classification_ids
+ type: keyword
+ description: The list of normalized identifiers of the malware classifications.
+ - name: classifications
+ type: keyword
+ description: The list of malware classifications, normalized to the captions of the classification_ids values.
+ - name: cves
+ type: nested
+ description: The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware.
+ - name: files
+ type: nested
+ description: The list of file objects representing files that were identified as infected by the malware.
+ - name: name
+ type: keyword
+ description: The malware name, as reported by the detection engine.
+ - name: num_infected
+ type: long
+ description: The number of files that were identified to be infected by the malware.
+ - name: provider
+ type: keyword
+ description: The name or identifier of the security solution or service that provided the malware detection information.
+ - name: severity
+ type: keyword
+ description: The severity of the malware, normalized to the captions of the severity_id values.
+ - name: severity_id
+ type: keyword
+ description: The normalized identifier of the malware severity.
+ - name: uid
+ type: keyword
+ description: A unique identifier for the specific malware instance, as assigned by the detection engine.
+ - name: modified_time
+ type: date
+ description: The timestamp of the last modification or update to the indicator.
+ - name: modified_time_dt
+ type: date
+ description: The timestamp of the last modification or update to the indicator.
+ - name: name
+ type: keyword
+ description: The name is a pointer/reference to an attribute within the OCSF event data.
+ - name: references
+ type: keyword
+ description: Provides a reference to an external source of information related to the CTI being represented.
+ - name: related_analytics
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The algorithm used by the underlying analytic to generate the finding.
+ - name: category
+ type: keyword
+ description: The analytic category.
+ - name: desc
+ type: keyword
+ description: The description of the analytic that generated the finding.
+ - name: name
+ type: keyword
+ description: The name of the analytic that generated the finding.
+ - name: type
+ type: keyword
+ description: The analytic type.
+ - name: type_id
+ type: keyword
+ description: The analytic type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the analytic that generated the finding.
+ - name: version
+ type: keyword
+ description: The analytic version.
+ - name: reputation
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: The reputation score as reported by the event source.
+ - name: provider
+ type: keyword
+ description: The provider of the reputation information.
+ - name: score
+ type: keyword
+ description: The reputation score, normalized to the caption of the score_id value.
+ - name: score_id
+ type: keyword
+ description: The normalized reputation score identifier.
+ - name: risk_score
+ type: long
+ description: A numerical representation of the threat indicator’s risk level.
+ - name: script
+ type: group
+ fields:
+ - name: file
+ type: flattened
+ description: Present if this script is associated with a file.
+ - name: hashes
+ type: nested
+ description: An array of the script's cryptographic hashes.
+ - name: name
+ type: keyword
+ description: Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis.
+ - name: parent_uid
+ type: keyword
+ description: This attribute relates a sub-script to a parent script having the matching uid attribute.
+ - name: script_content
+ type: flattened
+ description: The script content, normalized to UTF-8 encoding irrespective of its original encoding.
+ - name: type
+ type: keyword
+ description: The script type, normalized to the caption of the type_id value.
+ - name: type_id
+ type: keyword
+ description: The normalized script type ID.
+ - name: uid
+ type: keyword
+ description: Some script engines assign a unique ID to each individual execution of a given script.
+ - name: severity
+ type: keyword
+ description: Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.
+ - name: severity_id
+ type: keyword
+ description: The normalized severity level of the threat indicator, typically reflecting its potential impact or damage.
+ - name: signatures
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: flattened
+ description: The certificate object containing information about the digital certificate.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: flattened
+ description: The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.
+ - name: state
+ type: keyword
+ description: The digital signature state defines the signature state, normalized to the caption of 'state_id'.
+ - name: state_id
+ type: keyword
+ description: The normalized identifier of the signature state.
+ - name: src_url
+ type: keyword
+ description: The source URL of an indicator or OSINT analysis.
+ - name: subdomains
+ type: keyword
+ description: Any pertinent subdomain information.
+ - name: subnet
+ type: keyword
+ description: A CIDR or network block related to an indicator or OSINT analysis.
+ - name: threat_actor
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the threat actor.
+ - name: type
+ type: keyword
+ description: The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.
+ - name: type_id
+ type: keyword
+ description: The normalized datastore resource type identifier.
+ - name: tlp
+ type: keyword
+ description: The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration.
+ - name: type
+ type: keyword
+ description: The OSINT indicator type.
+ - name: type_id
+ type: keyword
+ description: The OSINT indicator type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the OSINT object.
+ - name: uploaded_time
+ type: date
+ description: The timestamp indicating when the associated indicator or intelligence was added to the system or repository.
+ - name: uploaded_time_dt
+ type: date
+ description: The timestamp indicating when the associated indicator or intelligence was added to the system or repository.
+ - name: value
+ type: keyword
+ description: The actual indicator value in scope.
+ - name: vendor_name
+ type: keyword
+ description: The vendor name of a tool which generates intelligence or provides indicators.
+ - name: vulnerabilities
+ type: group
+ fields:
+ - name: advisory
+ type: flattened
+ description: Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor.
+ - name: affected_code
+ type: nested
+ description: List of Affected Code objects that describe details about code blocks identified as vulnerable.
+ - name: affected_packages
+ type: nested
+ description: List of software packages identified as affected by a vulnerability/vulnerabilities.
+ - name: category
+ type: keyword
+ description: The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security.
+ - name: cve
+ type: flattened
+ description: Describes the Common Vulnerabilities and Exposures (CVE) details related to the vulnerability.
+ - name: cwe
+ type: flattened
+ description: Describes the Common Weakness Enumeration (CWE) details related to the vulnerability.
+ - name: dependency_chain
+ type: keyword
+ description: Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool.
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: exploit_last_seen_time
+ type: date
+ description: The time when the exploit was most recently observed.
+ - name: exploit_last_seen_time_dt
+ type: date
+ description: The time when the exploit was most recently observed.
+ - name: exploit_ref_url
+ type: keyword
+ description: The URL of the exploit code or Proof-of-Concept (PoC).
+ - name: exploit_requirement
+ type: keyword
+ description: The requirement description related to any constraints around exploit execution.
+ - name: exploit_type
+ type: keyword
+ description: The categorization or type of Exploit.
+ - name: first_seen_time
+ type: date
+ description: The time when the vulnerability was first observed.
+ - name: first_seen_time_dt
+ type: date
+ description: The time when the vulnerability was first observed.
+ - name: fix_coverage
+ type: keyword
+ description: The fix coverage, normalized to the caption of the fix_coverage_id value.
+ - name: fix_coverage_id
+ type: keyword
+ description: The normalized identifier for fix coverage, applicable to this vulnerability.
+ - name: is_exploit_available
+ type: boolean
+ description: Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.
+ - name: is_fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
+ - name: last_seen_time
+ type: date
+ description: The time when the vulnerability was most recently observed.
+ - name: last_seen_time_dt
+ type: date
+ description: The time when the vulnerability was most recently observed.
+ - name: references
+ type: keyword
+ description: A list of reference URLs with additional information about the vulnerability.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.
+ - name: remediation
+ type: flattened
+ description: The remediation recommendations on how to mitigate the identified vulnerability.
+ - name: severity
+ type: keyword
+ description: The vendor assigned severity of the vulnerability.
+ - name: title
+ type: keyword
+ description: A title or a brief phrase summarizing the discovered vulnerability.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor that identified the vulnerability.
+ - name: whois
+ type: group
+ fields:
+ - name: autonomous_system
+ type: flattened
+ description: The autonomous system information associated with a domain.
+ - name: created_time
+ type: date
+ description: When the domain was registered or WHOIS entry was created.
+ - name: created_time_dt
+ type: date
+ description: When the domain was registered or WHOIS entry was created.
+ - name: dnssec_status
+ type: keyword
+ description: The normalized value of dnssec_status_id.
+ - name: dnssec_status_id
+ type: keyword
+ description: Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.
+ - name: domain
+ type: keyword
+ description: The domain name corresponding to the WHOIS record.
+ - name: domain_contacts
+ type: nested
+ description: An array of Domain Contact objects.
+ - name: email_addr
+ type: keyword
+ description: The email address for the registrar's abuse contact.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: isp_org
+ type: keyword
+ description: The organization name of the Internet Service Provider (ISP).
+ - name: last_seen_time
+ type: date
+ description: When the WHOIS record was last updated or seen at.
+ - name: last_seen_time_dt
+ type: date
+ description: When the WHOIS record was last updated or seen at.
+ - name: name_servers
+ type: keyword
+ description: A collection of name servers related to a domain registration or other record.
+ - name: phone_number
+ type: keyword
+ description: The phone number for the registrar's abuse contact.
+ - name: registrar
+ type: keyword
+ description: The domain registrar.
+ - name: status
+ type: keyword
+ description: The status of a domain and its ability to be transferred.
+ - name: subdomains
+ type: keyword
+ description: An array of subdomain strings.
+ - name: subnet
+ type: keyword
+ description: The IP address block (CIDR) associated with a domain.
+ - name: policy
+ type: group
+ fields:
+ - name: data
+ type: flattened
+ description: Additional data about the policy such as the underlying JSON policy itself or other details.
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group.
+ - name: is_applied
+ type: boolean
+ description: A determination if the content of a policy was applied to a target or request, or not.
+ - name: name
+ type: keyword
+ description: The policy name.
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: priority
+ type: keyword
+ description: The priority, normalized to the caption of the priority_id value.
+ - name: priority_id
+ type: keyword
+ description: The normalized priority.
+ - name: raw_data
+ type: keyword
+ description: The raw event/finding data as received from the source.
+ - name: raw_data_size
+ type: long
+ description: The size of the raw data which was transformed into an OCSF event.
+ - name: resources
+ type: group
+ fields:
+ - name: agent_list
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the agent or sensor.
+ - name: policies
+ type: nested
+ description: Describes the various policies that may be applied or enforced by an agent or sensor.
+ - name: type
+ type: keyword
+ description: The normalized caption of the type_id value for the agent or sensor.
+ - name: type_id
+ type: keyword
+ description: The normalized representation of an agent or sensor.
+ - name: uid
+ type: keyword
+ description: The UID of the agent or sensor, sometimes known as a Sensor ID or aid.
+ - name: uid_alt
+ type: keyword
+ description: An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.
+ - name: vendor_name
+ type: keyword
+ description: The company or author who created the agent or sensor.
+ - name: version
+ type: keyword
+ description: The semantic version of the agent or sensor.
+ - name: cloud_partition
+ type: keyword
+ description: The canonical cloud partition name to which the region is assigned.
+ - name: created_time
+ type: date
+ description: The time when the resource was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the resource was created.
+ - name: criticality
+ type: keyword
+ description: The criticality of the resource as defined by the event source.
+ - name: data
+ type: group
+ description: Additional data describing the resource.
+ fields:
+ - name: awsEc2InstanceDetails
+ type: group
+ fields:
+ - name: iamInstanceProfileArn
+ type: keyword
+ - name: imageId
+ type: keyword
+ - name: ipV4Addresses
+ type: ip
+ - name: launchedAt
+ type: date
+ - name: platform
+ type: keyword
+ - name: subnetId
+ type: keyword
+ - name: type
+ type: keyword
+ - name: vpcId
+ type: keyword
+ - name: awsLambdaFunctionDetails
+ type: group
+ fields:
+ - name: architectures
+ type: keyword
+ - name: codeSha256
+ type: keyword
+ - name: executionRoleArn
+ type: keyword
+ - name: functionName
+ type: keyword
+ - name: lastModifiedAt
+ type: date
+ - name: layers
+ type: keyword
+ - name: packageType
+ type: keyword
+ - name: runtime
+ type: keyword
+ - name: version
+ type: keyword
+ - name: data_classifications
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The name of the data classification category that data matched into.
+ - name: category_id
+ type: keyword
+ description: The normalized identifier of the data classification category.
+ - name: classifier_details
+ type: flattened
+ description: Describes details about the classifier used for data classification.
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: discovery_details
+ type: nested
+ description: Details about the data discovered by classification job.
+ - name: policy
+ type: flattened
+ description: Details about the data policy that governs data handling and security measures related to classification.
+ - name: size
+ type: long
+ description: Size of the data classified.
+ - name: src_url
+ type: keyword
+ description: The source URL pointing towards the full classifcation job details.
+ - name: status + type: keyword + description: The resultant status of the classification job normalized to the caption of the status_id value. + - name: status_details + type: keyword + description: The contextual description of the status, status_id value. + - name: status_id + type: keyword + description: The normalized status identifier of the classification job. + - name: total + type: long + description: The total count of discovered entities, by the classification job. + - name: uid + type: keyword + description: The unique identifier of the classification job. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. + - name: hostname + type: keyword + description: The fully qualified name of the resource. + - name: ip + type: ip + description: The IP address of the resource, in either IPv4 or IPv6 format. + - name: is_backed_up + type: boolean + description: Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. + - name: labels + type: keyword + description: The list of labels associated to the resource. + - name: modified_time + type: date + description: The time when the resource was last modified. + - name: modified_time_dt + type: date + description: The time when the resource was last modified. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. 
+ - name: owner + type: group + fields: + - name: account + type: flattened + description: The user's account or the account associated with the user. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. + - name: display_name + type: keyword + description: The display name of the user, as reported by the product. + - name: domain + type: keyword + description: The domain where the user is defined. + - name: email_addr + type: keyword + description: The user's primary email address. + - name: forward_addr + type: keyword + description: The user's forwarding email address. + - name: full_name + type: keyword + description: The full name of the user, as reported by the product. + - name: groups + type: nested + description: The administrative groups to which the user belongs. + - name: has_mfa + type: boolean + description: The user has a multi-factor or secondary-factor device assigned. + - name: ldap_person + type: flattened + description: The additional LDAP attributes that describe a person. + - name: name + type: keyword + description: The username. + - name: org + type: flattened + description: Organization and org unit related to the user. + - name: phone_number + type: keyword + description: The telephone number of the user. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: type + type: keyword + description: The type of the user. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. + - name: uid_alt + type: keyword + description: The alternate user identifier. + - name: region + type: keyword + description: The cloud region of the resource. 
+ - name: resource_relationship + type: group + fields: + - name: desc + type: keyword + description: The graph description - provides additional details about the graph's purpose and contents. + - name: edges + type: nested + description: The edges/connections between nodes in the graph - contains the collection of edge objects defining relationships between nodes. + - name: is_directed + type: boolean + description: Indicates if the graph is directed (true) or undirected (false). + - name: name + type: keyword + description: The graph name - a human readable identifier for the graph. + - name: nodes + type: flattened + description: The nodes/vertices of the graph - contains the collection of node objects that make up the graph. + - name: query_language + type: keyword + description: The graph query language, normalized to the caption of the query_language_id value. + - name: query_language_id + type: keyword + description: The normalized identifier of a graph query language that can be used to interact with the graph. + - name: type + type: keyword + description: The graph type. Typically useful to represent the specifc type of graph that is used. + - name: uid + type: keyword + description: Unique identifier of the graph - a unique ID to reference this specific graph. + - name: tags.* + type: object + description: The list of tags. + object_type: keyword + object_type_mapping_type: '*' + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: uid_alt + type: keyword + description: The alternative unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. + - name: zone + type: keyword + description: The specific availability zone within a cloud region where the resource is located. 
+ - name: risk_details + type: keyword + description: Describes the risk associated with the finding. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: severity + type: keyword + description: The event/finding severity, normalized to the caption of the severity_id value. + - name: severity_id + type: keyword + description: The normalized identifier of the event/finding severity. + - name: src_url + type: keyword + description: A Url link used to access the original incident. + - name: start_time + type: date + description: The time of the least recent event included in the finding. + - name: start_time_dt + type: date + description: The time of the least recent event included in the finding. + - name: status + type: keyword + description: The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. + - name: status_code + type: keyword + description: The event status code, as reported by the event source. + - name: status_detail + type: keyword + description: The status detail contains additional information about the event/finding outcome. + - name: status_id + type: keyword + description: The normalized status identifier of the Finding. + - name: tickets + type: group + fields: + - name: src_url + type: keyword + description: The url of a ticket in the ticket system. + - name: status + type: keyword + description: The status of the ticket normalized to the caption of the status_id value. In the case of 99, this value should as defined by the source. + - name: status_details + type: keyword + description: A list of contextual descriptions of the status, status_id values. 
+ - name: status_id + type: keyword + description: The normalized identifier for the ticket status. + - name: title + type: keyword + description: The title of the ticket. + - name: type + type: keyword + description: The linked ticket type determines whether the ticket is internal or in an external ticketing system. + - name: type_id + type: keyword + description: The normalized identifier for the ticket type. + - name: uid + type: keyword + description: Unique identifier of the ticket. + - name: time + type: date + description: The normalized event occurrence time or the finding creation time. + - name: time_dt + type: date + description: The normalized event occurrence time or the finding creation time. + - name: timezone_offset + type: long + description: The number of minutes that the reported event time is ahead or behind UTC. + - name: type_name + type: keyword + description: The event/finding type name, as defined by the type_uid. + - name: type_uid + type: keyword + description: The event/finding type ID. + - name: unmapped + type: flattened + description: The attributes that are not mapped to the event schema. + - name: vendor_attributes + type: group + fields: + - name: severity + type: keyword + description: The finding severity, as reported by the Vendor. + - name: severity_id + type: keyword + description: The finding severity ID, as reported by the Vendor. + - name: verdict + type: keyword + description: The verdict assigned to an Incident finding. + - name: verdict_id + type: keyword + description: The normalized verdict of an Incident. + - name: vulnerabilities + type: group + fields: + - name: advisory + type: group + fields: + - name: avg_timespan + type: flattened + description: The average time to patch. + - name: bulletin + type: keyword + description: The Advisory bulletin identifier. + - name: classification + type: keyword + description: The vendors classification of the Advisory. 
+ - name: created_time + type: date + description: The time when the Advisory record was created. + - name: created_time_dt + type: date + description: The time when the Advisory record was created. + - name: desc + type: keyword + description: A brief description of the Advisory Record. + - name: install_state + type: keyword + description: The install state of the Advisory. + - name: install_state_id + type: keyword + description: The normalized install state ID of the Advisory. + - name: is_superseded + type: boolean + description: The Advisory has been replaced by another. + - name: modified_time + type: date + description: The time when the Advisory record was last updated. + - name: modified_time_dt + type: date + description: The time when the Advisory record was last updated. + - name: os + type: flattened + description: The operating system the Advisory applies to. + - name: product + type: flattened + description: The product where the vulnerability was discovered. + - name: references + type: keyword + description: A list of reference URLs with additional information about the vulnerabilities disclosed in the Advisory. + - name: related_cves + type: nested + description: A list of Common Vulnerabilities and Exposures (CVE) identifiers related to the vulnerabilities disclosed in the Advisory. + - name: related_cwes + type: nested + description: A list of Common Weakness Enumeration (CWE) identifiers related to the vulnerabilities disclosed in the Advisory. + - name: size + type: long + description: The size in bytes for the Advisory. Usually populated for a KB Article patch. + - name: src_url + type: keyword + description: The Advisory link from the source vendor. + - name: title + type: keyword + description: A title or a brief phrase summarizing the Advisory. + - name: uid + type: keyword + description: The unique identifier assigned to the advisory or disclosed vulnerability. 
+ - name: affected_code + type: group + fields: + - name: end_column + type: long + description: The column number of the last part of the assessed code identified as vulnerable. + - name: end_line + type: long + description: The line number of the last line of code block identified as vulnerable. + - name: file + type: flattened + description: Details about the file that contains the affected code block. + - name: owner + type: flattened + description: Details about the user that owns the affected file. + - name: remediation + type: flattened + description: Describes the recommended remediation steps to address identified issue(s). + - name: rule + type: flattened + description: Details about the specific rule. + - name: start_column + type: long + description: The column number of the first part of the assessed code identified as vulnerable. + - name: start_line + type: long + description: The line number of the first line of code block identified as vulnerable. + - name: affected_packages + type: group + fields: + - name: architecture + type: keyword + description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST). + - name: epoch + type: long + description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. + - name: fixed_in_version + type: keyword + description: The software package version in which a reported vulnerability was patched/fixed. + - name: hash + type: flattened + description: Cryptographic hash to identify the binary instance of a software component. + - name: license + type: keyword + description: The software license applied to this package. + - name: license_url + type: keyword + description: The URL pointing to the license applied on package or software. 
+ - name: name + type: keyword + description: The software package name. + - name: package_manager + type: keyword + description: The software packager manager utilized to manage a package on a system. + - name: package_manager_url + type: keyword + description: The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link. + - name: path + type: keyword + description: The installation path of the affected package. + - name: purl + type: keyword + description: A purl is a URL keyword used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases. + - name: release + type: keyword + description: Release is the number of times a version of the software has been packaged. + - name: remediation + type: flattened + description: Describes the recommended remediation steps to address identified issue(s). + - name: src_url + type: keyword + description: The link to the specific library or package such as within GitHub, this is different from the link to the package manager where the library or package is hosted. + - name: type + type: keyword + description: The type of software package, normalized to the caption of the type_id value. + - name: type_id + type: keyword + description: The type of software package. + - name: uid + type: keyword + description: A unique identifier for the package or library reported by the source tool. + - name: vendor_name + type: keyword + description: The name of the vendor who published the software package. + - name: version + type: keyword + description: The software package version. + - name: category + type: keyword + description: The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security. 
+ - name: cve + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: The CVSS base score. + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The Common Vulnerability Scoring System metrics. + - name: value + type: keyword + description: The Common Vulnerability Scoring System metrics. + - name: overall_score + type: double + description: The CVSS overall score, impacted by base, temporal, and environmental metrics. + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. + - name: src_url + type: keyword + description: The source URL for the CVSS score. + - name: vector_string + type: keyword + description: The CVSS vector string is a text representation of a set of CVSS metrics. + - name: vendor_name + type: keyword + description: The vendor that provided the CVSS score. + - name: version + type: keyword + description: The CVSS version. + - name: desc + type: keyword + description: A brief description of the CVE Record. + - name: epss + type: group + fields: + - name: created_time + type: date + description: The timestamp indicating when the EPSS score was calculated. + - name: created_time_dt + type: date + description: The timestamp indicating when the EPSS score was calculated. 
+ - name: percentile + type: double + description: The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset. + - name: score + type: keyword + description: The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication). + - name: version + type: keyword + description: The version of the EPSS model used to calculate the score. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: flattened + description: The product where the vulnerability was discovered. + - name: references + type: keyword + description: A list of reference URLs with additional information about the CVE Record. + - name: related_cwes + type: nested + description: Describes the Common Weakness Enumeration (CWE) details related to the CVE Record. + - name: title + type: keyword + description: A title or a brief phrase summarizing the CVE record. + - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. + - name: cwe + type: group + fields: + - name: caption + type: keyword + description: The caption assigned to the Common Weakness Enumeration unique identifier. + - name: src_url + type: keyword + description: URL pointing to the CWE Specification. For more information see CWE. + - name: uid + type: keyword + description: The Common Weakness Enumeration unique number assigned to a specific weakness. 
+ - name: dependency_chain + type: keyword + description: Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. + - name: desc + type: keyword + description: The description of the vulnerability. + - name: exploit_last_seen_time + type: date + description: The time when the exploit was most recently observed. + - name: exploit_last_seen_time_dt + type: date + description: The time when the exploit was most recently observed. + - name: exploit_ref_url + type: keyword + description: The URL of the exploit code or Proof-of-Concept (PoC). + - name: exploit_requirement + type: keyword + description: The requirement description related to any constraints around exploit execution. + - name: exploit_type + type: keyword + description: The categorization or type of Exploit. + - name: first_seen_time + type: date + description: The time when the vulnerability was first observed. + - name: first_seen_time_dt + type: date + description: The time when the vulnerability was first observed. + - name: fix_coverage + type: keyword + description: The fix coverage, normalized to the caption of the fix_coverage_id value. + - name: fix_coverage_id + type: keyword + description: The normalized identifier for fix coverage, applicable to this vulnerability. + - name: is_exploit_available + type: boolean + description: Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability. + - name: is_fix_available + type: boolean + description: Indicates if a fix is available for the reported vulnerability. + - name: last_seen_time + type: date + description: The time when the vulnerability was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the vulnerability was most recently observed. + - name: references + type: keyword + description: A list of reference URLs with additional information about the vulnerability. 
+ - name: related_vulnerabilities + type: keyword + description: List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability. + - name: remediation + type: group + fields: + - name: cis_controls + type: nested + description: An array of Center for Internet Security (CIS) Controls that can be optionally mapped to provide additional remediation details. + - name: desc + type: keyword + description: The description of the remediation strategy. + - name: kb_article_list + type: nested + description: A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: severity + type: keyword + description: The vendor assigned severity of the vulnerability. + - name: title + type: keyword + description: A title or a brief phrase summarizing the discovered vulnerability. + - name: vendor_name + type: keyword + description: The name of the vendor that identified the vulnerability. diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml new file mode 100644 index 00000000000..592d9cde4a0 --- /dev/null +++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml @@ -0,0 +1,6 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + description: In which version of the package the vulnerability was fixed. diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml new file mode 100644 index 00000000000..9d1b905c724 --- /dev/null 
+++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml @@ -0,0 +1,12 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + description: The ID of the resource. + - name: name + type: keyword + description: The name of the resource. + - name: type + type: keyword + description: The type of the resource. diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/result.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/result.yml new file mode 100644 index 00000000000..aa0a3ab2afd --- /dev/null +++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/result.yml @@ -0,0 +1,6 @@ +- name: result + type: group + fields: + - name: evaluation + type: keyword + description: The result of the evaluation. diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/rule.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/rule.yml new file mode 100644 index 00000000000..fcf7b7a18af --- /dev/null +++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/rule.yml @@ -0,0 +1,6 @@ +- name: rule + type: group + fields: + - name: remediation + type: keyword + description: The remediation actions for the rule. diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml new file mode 100644 index 00000000000..2f60449e636 --- /dev/null +++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml 
@@ -0,0 +1,12 @@ +- name: vulnerability + type: group + fields: + - name: cve + type: keyword + description: The CVE id of the vulnerability. + - name: published_date + type: date + description: When the vulnerability was published. + - name: title + type: keyword + description: The human readable title of the vulnerability. diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/manifest.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/manifest.yml new file mode 100644 index 00000000000..b32edb356e0 --- /dev/null +++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/manifest.yml @@ -0,0 +1,7 @@ +start: true +destination_index_template: + settings: + index: + mapping: + total_fields: + limit: 2000 diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml new file mode 100644 index 00000000000..d88aaddaddf --- /dev/null +++ b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml 
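Review bot: The `total_fields.limit: 2000` on the destination index template should be checked against the actual field count of this transform's fields.yml, which mirrors the large OCSF finding schema (the visible `resources`, `vulnerabilities`, `cve` and `epss` groups alone contribute several hundred leaf fields before `flattened`/`nested` sub-objects are counted). If the explicit mapping exceeds the limit, creation of `security_solution-aws_securityhub.vulnerability_latest-v1` fails and the transform, which is installed with `unattended: true`, will keep retrying rather than surfacing a clear error. Either raise the limit with a short comment justifying the number, or trim the latest index to the fields the vulnerability workflow actually reads; a comment such as `# keep in sync with fields/*.yml — the OCSF schema is close to this limit` on the limit line would help the next maintainer.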
@@ -0,0 +1,45 @@ +source: + index: + - "logs-aws_securityhub.finding-*" + query: + bool: + must: + - match: + aws_securityhub.finding.class_uid: '2002' # Vulnerability finding + - exists: + field: package.name + must_not: + - match: + aws_securityhub.finding.activity_id: '3' # Close + - exists: + field: error.message +dest: + index: "security_solution-aws_securityhub.vulnerability_latest-v1" + aliases: + - alias: "security_solution-aws_securityhub.vulnerability_latest" + move_on_creation: true +latest: + unique_key: + - event.id + - vulnerability.id + - resource.id + - package.name + - package.version + - data_stream.namespace + sort: "@timestamp" +description: Latest Vulnerabilities Findings from AWS Security Hub. +settings: + unattended: true +frequency: 5m +sync: + time: + field: event.ingested +retention_policy: + time: + field: "@timestamp" + max_age: 90d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 0.1.0 diff --git a/packages/aws_securityhub/img/logo_securityhub.svg b/packages/aws_securityhub/img/logo_securityhub.svg new file mode 100644 index 00000000000..b869adb6e7c --- /dev/null +++ b/packages/aws_securityhub/img/logo_securityhub.svg @@ -0,0 +1,18 @@ + + + + Icon-Architecture/64/Arch_AWS-Security-Hub_64 + Created with Sketch. + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/aws_securityhub/manifest.yml b/packages/aws_securityhub/manifest.yml new file mode 100644 index 00000000000..fb42295bedb --- /dev/null +++ b/packages/aws_securityhub/manifest.yml 
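Review bot: Closed findings (`must_not: match: aws_securityhub.finding.activity_id: '3'`) are excluded from the source query, so when Security Hub later closes a vulnerability finding the closing event never reaches the latest index and the previously ingested open version remains in `security_solution-aws_securityhub.vulnerability_latest` until the 90d `retention_policy` ages it out. If `event.id` is stable across updates of the same finding, that is a stale-open window of up to 90 days for a finding the source already considers resolved; consider letting close events through and filtering on status in the consumer, or document the window in the README. It is also worth confirming that every `unique_key` field (`vulnerability.id`, `package.name`, `package.version`) is declared in this transform's field definitions, since only `resource.id`, `package.fixed_version` and `vulnerability.cve` are visible in the new fields files and an undeclared key would fall back to dynamic mapping in the destination. Finally, the trailing comment `# Bump this version to delete, reinstall, and restart the transform during package.` is cut off; `# … during package upgrade.` reads correctly.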
@@ -0,0 +1,131 @@ +format_version: 3.5.0 +name: aws_securityhub +title: "AWS Security Hub" +version: 0.1.0 +source: + license: "Elastic-2.0" +description: Collect logs from AWS Security Hub with Elastic Agent. +type: integration +categories: + - aws + - security + - cloudsecurity_cdr + - vulnerability_workflow +conditions: + kibana: + version: "^9.3.0" + elastic: + subscription: "basic" +icons: + - src: /img/logo_securityhub.svg + title: AWS Security Hub logo + size: 33x39 + type: image/svg+xml +policy_templates: + - name: aws_securityhub + title: AWS Security Hub logs + description: Collect AWS Security Hub logs. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect AWS Security Hub logs via API + description: Collecting AWS Security Hub logs via API. + vars: + - name: access_key_id + type: password + title: Access Key ID + multi: false + required: false + show_user: true + description: First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file. + secret: true + - name: secret_access_key + type: password + title: Secret Access Key + multi: false + required: false + show_user: true + description: Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file. + secret: true + - name: session_token + type: password + title: Session Token + multi: false + required: false + show_user: true + description: Required when using temporary security credentials. + secret: true + - name: shared_credential_file + type: text + title: Shared Credential File + multi: false + required: false + show_user: false + description: Directory of the shared credentials file. 
This parameter is required if we are not providing value for the parameters - secret_access_key and access_key_id. + - name: credential_profile_name + type: text + title: Credential Profile Name + multi: false + required: false + show_user: false + description: Profile name in shared credentials file. + - name: role_arn + type: text + title: Role ARN + multi: false + required: false + show_user: false + description: AWS IAM Role to assume. + - name: external_id + type: text + title: External ID + multi: false + required: false + show_user: false + description: External ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic From be3cd178f9421b1b398d9e76975ac21fb0685a5b Mon Sep 17 00:00:00 2001 From: brijesh-elastic Date: Tue, 11 Nov 2025 16:49:37 +0530 Subject: [PATCH 2/2] Update changelog entry and codeowners --- .github/CODEOWNERS | 1 + packages/aws_securityhub/changelog.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 9cb68625579..73012e170f1 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
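Review bot: The `shared_credential_file` description says `Directory of the shared credentials file.` but the variable is consumed as a file path, not a directory; `Path to the shared credentials file (for example ~/.aws/credentials).` would stop operators pointing it at a directory. As rendered here the `proxy_url` description reads `http[s]://:@:` with no placeholders; if the source text has lost `<user>:<password>@<host>:<port>`, restore it so the expected format is unambiguous. Since `session_token` is only meaningful with temporary credentials that expire, a sentence in its description such as `Temporary credentials expire; the policy must be updated when they are rotated, so prefer role_arn for long-running collection.` would save a predictable outage, assuming the underlying AWS provider supports role assumption without static keys — confirm before wording it that way.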
@@ -87,6 +87,7 @@ /packages/aws_billing @elastic/obs-infraobs-integrations /packages/aws_logs @elastic/obs-ds-hosted-services /packages/aws_mq @elastic/obs-infraobs-integrations +/packages/aws_securityhub @elastic/security-service-integrations /packages/aws_vpcflow_otel @elastic/obs-infraobs-integrations /packages/awsfargate @elastic/obs-infraobs-integrations /packages/awsfirehose @elastic/obs-ds-hosted-services diff --git a/packages/aws_securityhub/changelog.yml b/packages/aws_securityhub/changelog.yml index 7ff18e0caed..07309ebda27 100644 --- a/packages/aws_securityhub/changelog.yml +++ b/packages/aws_securityhub/changelog.yml @@ -3,4 +3,4 @@ changes: - description: Initial release. type: enhancement - link: https://github.com/elastic/integrations/pull/1 + link: https://github.com/elastic/integrations/pull/15932