diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 628b670d053..a1dc94f9159 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -58,6 +58,7 @@
 /packages/aws/data_stream/s3_storage_lens @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/s3access @elastic/obs-ds-hosted-services
 /packages/aws/data_stream/securityhub_findings @elastic/security-service-integrations
+/packages/aws/data_stream/securityhub_findings_full_posture @elastic/security-service-integrations
 /packages/aws/data_stream/securityhub_insights @elastic/security-service-integrations
 /packages/aws/data_stream/sns @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/sqs @elastic/obs-infraobs-integrations
diff --git a/packages/aws/_dev/build/docs/securityhub.md b/packages/aws/_dev/build/docs/securityhub.md
index cc2a8930e46..fd574dafa83 100644
--- a/packages/aws/_dev/build/docs/securityhub.md
+++ b/packages/aws/_dev/build/docs/securityhub.md
@@ -22,6 +22,7 @@ The [AWS Security Hub](https://docs.aws.amazon.com/securityhub/) integration col
 1. For the current integration package, it is recommended to have interval in hours.
 2. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID.
+ 3. Findings Full Posture data stream request all the historical findings every 24 hours.
 ## Logs
@@ -37,6 +38,18 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 {{fields "securityhub_findings"}}
+### Findings Full Posture
+
+This is the [`securityhub_findings_full_posture`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html#API_GetFindings_ResponseElements) data stream.
+
+{{event "securityhub_findings_full_posture"}}
+
+**ECS Field Reference**
+
+Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields.
+
+{{fields "securityhub_findings_full_posture"}}
+
 ### Insights
 This is the [`securityhub_insights`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetInsights.html#API_GetInsights_ResponseElements) data stream.
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index bedd2316e1f..24baf932da4 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+ changes:
+ - description: Add new Security Hub Findings Full Posture data stream. If you rely on Findings > Misconfigurations view, enable this new data stream.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/13372
 - version: "2.45.2"
 changes:
 - description: Update grok pattern for AWS S3 access ingest pipeline
@@ -11,14 +16,14 @@
 link: https://github.com/elastic/integrations/pull/13350
 - version: "2.45.0"
 changes:
- - description: Update default data_stream.dataset to aws.cloudwatch_logs for cloudwatch_logs data stream.
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/13370
+ - description: Update default data_stream.dataset to aws.cloudwatch_logs for cloudwatch_logs data stream.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/13370
 - version: "2.44.0"
 changes:
- - description: Add `actor.entity.id` and `target.entity.id`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/12685
+ - description: Add `actor.entity.id` and `target.entity.id`
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12685
 - version: "2.43.0"
 changes:
 - description: Set `event.type` and `event.action` fields in vpcflow logs.
@@ -41,7 +46,7 @@
 link: https://github.com/elastic/integrations/pull/12755
 - version: "2.40.0"
 changes:
- - description: Add support for Kibana `9.0.0`
+ - description: Add support for Kibana `9.0.0`
 type: enhancement
 link: https://github.com/elastic/integrations/pull/12637
 - version: "2.39.0"
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/docker-compose.yml b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..f238bfafe43
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+ securityhub_full_posture:
+ image: docker.elastic.co/observability/stream:v0.15.0
+ hostname: securityhub.xxxx.amazonaws.cn
+ ports:
+ - 443
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: "443"
+ command:
+ - http-server
+ - --addr=:443
+ - --config=/files/config.yml
+ - --tls-cert=/files/certificate.crt
+ - --tls-key=/files/private.key
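Review bot: The mock's `hostname: securityhub.xxxx.amazonaws.cn` does not match the subject of the bundled certificate.crt, whose CN decodes to `securityhub.xxxx.amazonaws.com`, and that certificate's validity window (2022-07-06 to 2023-07-06, from the DER) has already lapsed, so the TLS listener on `:443` is only reachable by a client that skips verification. If the system test deliberately disables verification against this mock, a comment above `hostname:` saying so would save the next reader a debugging round; if the `.cn` suffix is a typo rather than a deliberate China-partition endpoint, `hostname: securityhub.xxxx.amazonaws.com` would at least line up with the cert. The pair in certificate.crt and private.key is self-signed, so it should stay a mock-only artefact that nothing outside this compose file trusts.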
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/certificate.crt b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/certificate.crt
new file mode 100644
index 00000000000..16e0b4e8c01
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/certificate.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjoCCQDQ1VVKJuqgWjANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJY
+WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
+bnkgTHRkMScwJQYDVQQDDB5zZWN1cml0eWh1Yi54eHh4LmFtYXpvbmF3cy5jb20w
+HhcNMjIwNzA2MDg1MTUwWhcNMjMwNzA2MDg1MTUwWjBrMQswCQYDVQQGEwJYWDEV
+MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
+THRkMScwJQYDVQQDDB5zZWN1cml0eWh1Yi54eHh4LmFtYXpvbmF3cy5jb20wggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhyLkZGxIdXMUb8UuD16U67hGi
+/W7SvhtHLkQGbHTWAD7+AAg5ybbBFa2LTf3G5lprgJ/nUAl5N2i7CnSOlRxm6yKU
+VeyXPzQ8327sb7Y1pm07hU2Y+unKXcCjQi4lgF9GUXgRFYGxzIiwbG52XgZNJ4Cq
+TWXAlRi8J4nJbSPty3R6wt2+bxIGf9/v6VoBpj0Ltal7aM9/YTGYkc+PprcoK6+x
+o5IzXha4iedNLjVRl7MLkP57BmDTTJpdO8OraddWjm1/I3kG5Lyu19A9URMg47vW
+L7IOtOZzfDNyCYbFwqNMHk62AVpTOYqL/icNlX+EpUxX4kyVhd4W0Y9xBs5HAgMB
+AAEwDQYJKoZIhvcNAQELBQADggEBAFA+VI+UgD2ldDLkfoCG+BNtasm9dyJvuer+
+9+R8IyMDL0O8ppLSpKny7MbTLFKymIkTFJzCKf3+q5cL/y4W5YRPsm3tYD8wzBfN
+o+sG2e1UlmMtv0vU4dsmoeHqYFyuxuDlgtH0FynCYgh+Xo6s6zPpNi48QsLebIf9
+Bp0lgklIyHpVhMTwUua5P0t00ecKvkCNf51x/apqyRYBdoAvrwQ9IRVPmvu/iQCR
+3AMQH0dhaDjS3aVzKyRrhu+jjEAFRV5yVr64LTkQAWzMb6yz1KaQa0OjXNV1wX4F
+/k5zhqX0C0HAvDkSKXqwtUXl8jKyvP3Ogwddzg17932lVJe/3jc=
+-----END CERTIFICATE-----
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/config.yml b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..412899845f4
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,7 @@ +rules: + - path: /findings + methods: ["POST"] + responses: + - status_code: 200 + body: | + {"Findings":[{"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common 
Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"IPV4_ADDRESS","Value":"175.16.199.1","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"}]} diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/private.key b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/private.key new file mode 100644 index 00000000000..53ac04ea3ca --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/private.key 
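Review bot: The single `/findings` rule answers every POST with the same one-finding page and no `NextToken`, so the system test never exercises pagination and cannot tell a correctly built request body (the filters and time window the 24-hour full-posture pull is meant to send) from an empty one. If the stream image's rule format supports matching on the request body — verify against the image's documentation before relying on it — a rule keyed on the expected request plus a second response carrying a `NextToken` would cover both paths. Independently of that, a one-line comment above `rules:` such as `# Mock of the Security Hub GetFindings response shape; one static page, no NextToken.` would tell the next reader which API this file stands in for, since neither the path nor the file name says so.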
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDhyLkZGxIdXMUb
+8UuD16U67hGi/W7SvhtHLkQGbHTWAD7+AAg5ybbBFa2LTf3G5lprgJ/nUAl5N2i7
+CnSOlRxm6yKUVeyXPzQ8327sb7Y1pm07hU2Y+unKXcCjQi4lgF9GUXgRFYGxzIiw
+bG52XgZNJ4CqTWXAlRi8J4nJbSPty3R6wt2+bxIGf9/v6VoBpj0Ltal7aM9/YTGY
+kc+PprcoK6+xo5IzXha4iedNLjVRl7MLkP57BmDTTJpdO8OraddWjm1/I3kG5Lyu
+19A9URMg47vWL7IOtOZzfDNyCYbFwqNMHk62AVpTOYqL/icNlX+EpUxX4kyVhd4W
+0Y9xBs5HAgMBAAECggEAF21MR16XspQ9n3iZ7UQi0MqC6faB2TwAeJJEXKZEOTAt
+WQ2HzPcxDzfAmgOtoUWlfCIMdWPIl9s38rBTB7hRChy7qciAk/Dq6qYETGQK8+Yg
+z1w1gPoH6AdyRX5Ia3u2ZwVs/9jLbDdct3GIxJ9c6ASBRSpitGjD+EHh+hRo9fNE
+bnTNCS9roukGIyXbRDJMplAoCLNI+HVjTkjWPq4mff6EeYuTCjPKoJVzsrp8Ecai
+Rf9a444KeUFlE4rcNmFtHJiVohJiPpIF85DUb8RBfVr8xSdoG6QHxaTcjbk3nPd2
+/x+NSY5O5PkEXbQpsBZmEo1Aba1qjeRg2pCNsP9tgQKBgQDxNBtroNv7uWMeQMKf
+fj4FtyvFfgfBt4fdUZblW60sWbRu2PnrwDyFxGGX+KKVFrKauS2R8SfSvX230kGl
+vbKXSxo10XjmmY0Kaulet7z9awjK+yTcj3HKqVpjCdZK0KO1FXwZ45hwM7ewB6KI
+xukbZPORJwbwIjBYAGt0mfSaTQKBgQDvondtX11L0qjDoqcW5a6o2cdkj1MjBfP+
+AKZqOKDNNeHG3hT/YWfcFUis/UXMV7TBG4NQuIRGu5xZn3WbxgynHx3/QiVKG90/
+m56hsAStcVHTVcPcAh48jgYF60u60jgUhBcyrAZpsskul+oY/v16Eutx5QqjGjnc
+3bmFZe/s4wKBgB2SeOYqM65aHVfhMrthO/NxcLFm8UaD3Ol6jliSc9njKacJfSK1
+T/ZKjHiYaD6FKOKlX3vsKCjDSL2XzqqmZlX8RDti8kK7grpLP094kXg0fkB8qBlO
+kPH673UDCL3ldJzIBI4cBF2FSbkQRpIkaQINz3r1YPliB7FSY9pI4d9lAoGAWGyz
+8vjonUz7l00SqQFR5N6PlAzLGbZdpVGqFrIUrASA7ngOeXoA8BYufh7rPY7zlPpJ
+B2U+8jbSZ8POiw+Wpah20jUfO2xyxMDw1Sr1Xubc0cXpAusJK0Eg+dgsVqCxruhb
+Awi1SRV+5SGLcXPOJtiKZrmkpjDMPzLV/WJzGQ8CgYAbcMtnLshdYVNXfutWgSm2
+TqYfGm/L+njAFXfSnIxotIw0jQVt/uB0okcNAHKTn1elCxC0v0BZDsSUhxToUGk+
+x1wfip3SVhR5sYg8HBYbDCkTKZerleeW5PzcFFf+BY4DxR+8yWNEA1PrAejKyXk5
+Id0GFdKT0A2niGndkyL7/A==
+-----END PRIVATE KEY-----
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-common-config.yml b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..edaaf130bc2
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,6 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
+dynamic_fields:
+ "@timestamp": ".*"
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-securityhub-findings-full-posture.log b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-securityhub-findings-full-posture.log
new file mode 100644
index 00000000000..8a5e52294b8
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-securityhub-findings-full-posture.log
@@ -0,0 +1,15 @@ +{"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common 
Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"IPV4_ADDRESS","Value":"175.16.199.1","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a 
vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the 
mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and 
toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"HASH_MD5","Value":"ae2b1fca515949e5d54fb22b8ed95575","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on 
Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.","Compliance":{"Status":"FAILED"},"ProductName":"Security Hub","FirstObservedAt":"2022-06-02T16:14:34.949Z","CreatedAt":"2022-06-02T16:14:34.949Z","LastObservedAt":"2022-06-17T08:43:26.724Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":70,"Label":"HIGH","Product":70,"Original":"HIGH"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.8","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"xxx","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Workflow":{"Status":"NEW"},"Severity":{"Normalized":70,"Label":"HIGH","Product":70,"Original":"HIGH"},"UpdatedAt":"2022-06-17T08:43:26.731Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxxx","Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"KeyName":"xxx","VpcId":"xxx","NetworkInterfaces":[{"NetworkInterfaceId":"xxx"}],"ImageId":"xxx","SubnetId":"xxx","LaunchedAt":"2022-06-02T16:11:39.000Z","IamInstanceProfileArn":"xxx"}},"Region":"us-east-1","Id":"xxx"}] } +{"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This AWS control checks whether the EBS volumes that are in an attached state are 
encrypted.","Compliance":{"Status":"NOT_AVAILABLE","StatusReasons":[{"Description":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","ReasonCode":"CONFIG_RETURNS_NOT_APPLICABLE"}]},"ProductName":"Security Hub","FirstObservedAt":"2022-06-17T10:25:14.800Z","CreatedAt":"2022-06-17T10:25:14.800Z","LastObservedAt":"2022-06-17T10:25:18.568Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.3","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.3 Attached EBS volumes should be encrypted at-rest","Workflow":{"Status":"NEW"},"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"},"UpdatedAt":"2022-06-17T10:25:14.800Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxx","Resources":[{"Partition":"aws","Type":"AwsEc2Volume","Region":"us-east-1","Id":"xxx"}] } +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-10T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","LastObservedAt":"2024-09-11T08:00:01.828Z","ProcessedAt":"2024-09-11T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","LaunchedAt":"2024-09-10T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 SC-12(2)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 SI-7(6)","NIST.800-53.r5 
AU-9"],"SecurityControlId":"S3.17","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:37.338Z","Description":"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:37.338Z","GeneratorId":"security-control/S3.17","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","LastObservedAt":"2024-09-13T22:50:29.249Z","ProcessedAt":"2024-09-13T22:50:30.870Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-s3-default-encryption-kms-3a38fc59","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:s3:::s3-test-public-bucket","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Amazon S3 bucket is not encrypted with AWS KMS key."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation"}},"Resources":[{"Details":{"AwsS3Bucket":{"CreatedAt":"2024-08-14T09:32:06.000Z","Name":"s3-test-public-bucket","OwnerId":"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46"}},"Id":"arn:aws:s3:::s3-test-public-bucket","Partition":"aws","Region":"ap-south-1","Type":"AwsS3Bucket"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"S3 general purpose buckets should be encrypted at rest with AWS KMS keys","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:13.008Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.2"],"SecurityControlId":"EC2.53","Status":"PASSED"},"CreatedAt":"2024-09-10T11:03:33.389Z","Description":"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T11:03:33.389Z","GeneratorId":"security-control/EC2.53","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","LastObservedAt":"2024-09-11T08:00:06.960Z","ProcessedAt":"2024-09-11T08:00:08.685Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-vpc-sg-port-restriction-check-8bef9db4","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation"}},"Resources":[{"Details":{"AwsEc2SecurityGroup":{"GroupId":"sg-0dbc8c6200a0a9c51","GroupName":"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279","IpPermissionsEgress":[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}],"OwnerId":"111111111111","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51","Partition":"aws","Region":"ap-south-1","Tags":{"aws:cloudformation:logical-id":"ElasticAgentSecurityGroup","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2SecurityGroup"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.364Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 SI-7(6)"],"SecurityControlId":"EC2.3","Status":"FAILED"},"CreatedAt":"2024-09-10T16:51:26.034Z","Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory 
Standards"]},"FirstObservedAt":"2024-09-10T16:50:59.623Z","GeneratorId":"security-control/EC2.3","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","LastObservedAt":"2024-09-10T16:50:59.623Z","ProcessedAt":"2024-09-10T16:51:39.864Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-encrypted-volumes-4e81c587","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation"}},"Resources":[{"Details":{"AwsEc2Volume":{"Attachments":[{"AttachTime":"2024-09-10T10:39:36.000Z","DeleteOnTermination":true,"InstanceId":"i-0f1ede89308a584d8","Status":"attached"}],"CreateTime":"2024-09-10T10:39:36.313Z","Encrypted":false,"Size":32,"SnapshotId":"snap-07cb2350b59fa5cce","Status":"in-use"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Volume"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"Attached EBS volumes should be encrypted at-rest","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-10T16:51:26.034Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"},{"StandardsId":"standards/pci-dss/v/3.2.1"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v1.2.0/1.16"],"SecurityControlId":"IAM.2","Status":"FAILED"},"CreatedAt":"2024-09-10T12:40:36.785Z","Description":"This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T12:40:36.785Z","GeneratorId":"security-control/SSM.1","Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-user-no-policies-check-832bb806","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsIamUser","Details":{"AwsIamUser":{"Path":"/developers/","AttachedManagedPolicies":[{"PolicyArn":"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess","PolicyName":"AWSSecurityHubFullAccess"}],"UserName":"Dev UserName","GroupList":["DevUsers"],"UserId":"DevUserId","CreateDate":"2023-01-10T01:07:37.000Z"}},"Region":"ap-south-1","Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"IAM users should not have IAM policies attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"EKS.1","Status":"FAILED"},"CreatedAt":"2024-09-11T12:40:36.785Z","Description":"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.","FindingProviderFields":{"Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-11T12:40:36.785Z","GeneratorId":"security-control/EKS.1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-eks-endpoint-no-public-access-2dc35c63","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Cluster Endpoint of democluster is Publicly accessible"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsEksCluster","Details":{"AwsEksCluster":{"Version":"1.27","Arn":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","ResourcesVpcConfig":{"EndpointPublicAccess":true,"SecurityGroupIds":["sg-111"],"SubnetIds":["subnet-aaa","subnet-bbb"]},"RoleArn":"arn:aws:iam::111111111111:role/EKSClusterRole","Name":"democluster"}},"Region":"ap-south-1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","Tags":{"environment":"dev","managed_by":"terraform","project":"demo","team":"dev"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Title":"EKS cluster endpoints should not be publicly accessible","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/1.22"],"SecurityControlId":"IAM.27","Status":"PASSED","StatusReasons":[{"Description":"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.","ReasonCode":"CONFIG_EVALUATIONS_EMPTY"}]},"CreatedAt":"2024-08-14T12:11:57.803Z","Description":"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T12:11:57.803Z","GeneratorId":"security-control/IAM.27","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","LastObservedAt":"2024-09-11T07:53:19.500Z","ProcessedAt":"2024-09-11T07:53:27.460Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-policy-blacklisted-check-0ab52b49","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:root","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation"}},"Resources":[{"Id":"AWS::::Account:111111111111","Partition":"aws","Region":"ap-south-1","Type":"AwsAccount"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"IAM identities should not have the AWSCloudShellFullAccess policy attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:53:19.500Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-resource-tagging-standard/v/1.0.0"}],"SecurityControlId":"EC2.44","SecurityControlParameters":[{"Name":"requiredTagKeys","Value":[]}],"Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"}},"Resources":[{"Details":{"AwsEc2Subnet":{"AssignIpv6AddressOnCreation":false,"AvailabilityZone":"ap-south-1c","AvailabilityZoneId":"aps1-az2","AvailableIpAddressCount":4091,"CidrBlock":"171.32.32.0/20","DefaultForAz":true,"MapPublicIpOnLaunch":true,"OwnerId":"111111111111","State":"available","SubnetArn":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9","SubnetId":"subnet-c19c74b9","VpcId":"vpc-39017152"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Subnet"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}},{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-18T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e","Tags":{"kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-20T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-20T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe","LastObservedAt":"2024-09-21T08:00:01.828Z","ProcessedAt":"2024-09-21T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For 
information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","IpV4Addresses":["89.160.20.156","89.160.20.157"],"IpV6Addresses":["2a02:cf40::"],"LaunchedAt":"2024-09-20T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-21T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} \ No newline at end of file 
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-securityhub-findings-full-posture.log-expected.json b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-securityhub-findings-full-posture.log-expected.json
new file mode 100644
index 00000000000..2d3d82f1c6b
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-securityhub-findings-full-posture.log-expected.json
@@ -0,0 +1,3123 @@ +{ + "expected": [ + { + "@timestamp": "2018-08-31T00:15:09.000Z", + "aws": { + "securityhub_findings_full_posture": { + "action": { + "port_probe": { + "blocked": false, + "details": [ + { + "local": { + "ip": { + "address_v4": "1.128.0.0" + }, + "port": { + "name": "HTTP", + "number": 80 + } + }, + "remote_ip": { + "city": { + "name": "Example City" + }, + "country": { + "name": "Example Country" + }, + "geolocation": { + "latitude": 0.0, + "longitude": 0.0 + }, + "organization": { + "asn": "64496", + "asn_organization": "ExampleASO", + "internet_provider": "ExampleOrg", + "internet_service_provider": "ExampleISP" + } + } + } + ] + }, + "type": "PORT_PROBE" + }, + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "Req1", + "Req2" + ], + "status": "PASSED", + "status_reasons": [ + { + "description": "CloudWatch alarms do not exist in the account", + "reason_code": "CLOUDWATCH_ALARMS_NOT_PRESENT" + } + ] + }, + "confidence": 42, + "created_at": "2017-03-22T13:22:13.933Z", + "criticality": 99, + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "first_observed_at": "2017-03-22T13:22:13.933Z", + "generator": { + "id": "acme-vuln-9ab348" + }, + "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", + "last_observed_at": "2017-03-23T13:22:13.933Z", + "malware": [ + { + "name": "Stringler", + "path": "/usr/sbin/stringler", + "state": "OBSERVED", + "type": "COIN_MINER" + } + ], + "network": { + "destination": { + "domain": "example2.com", + "ip": { + "v4": "1.128.0.0", + "v6": "2a02:cf40::" + }, + "port": 80 + }, + "direction": "IN", + "open_port_range": { + "begin": 443, + "end": 443 + }, + "protocol": "TCP", + "source": { + "domain": "example1.com", + "ip": { + "v4": "1.128.0.0", + "v6": "2a02:cf40::" + }, + "mac": "00-0D-83-B1-C0-8E", + "port": 42 + } + }, + "network_path": [ + { + "component": { + "id": 
"abc-01a234bc56d8901ee", + "type": "AWS::EC2::InternetGateway" + }, + "egress": { + "destination": { + "address": [ + "1.128.0.0/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + }, + "ingress": { + "destination": { + "address": [ + "175.16.199.1/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + } + } + ], + "note": { + "text": "Don't forget to check under the mat.", + "updated_at": "2018-08-31T00:15:09.000Z", + "updated_by": "jsmith" + }, + "patch_summary": { + "failed": { + "count": 0 + }, + "id": "pb-123456789098", + "installed": { + "count": 100, + "other": { + "count": 1023 + }, + "pending_reboot": 0, + "rejected": { + "count": 0 + } + }, + "missing": { + "count": 100 + }, + "operation": { + "end_time": "2018-09-27T23:39:31.000Z", + "start_time": "2018-09-27T23:37:31.000Z", + "type": "Install" + }, + "reboot_option": "RebootIfNeeded" + }, + "process": { + "launched_at": "2018-09-27T22:37:31.000Z", + "name": "syslogd", + "parent": { + "pid": 56789 + }, + "path": "/usr/sbin/syslogd", + "pid": 12345, + "terminated_at": "2018-09-27T23:37:31.000Z" + }, + "product": { + "arn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default", + "fields": { + "Service_Name": "cloudtrail.amazonaws.com", + "aws/inspector/AssessmentTargetName": "My prod env", + "aws/inspector/AssessmentTemplateName": "My daily CVE assessment", + "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures", + "generico/secure-pro/Count": "6" + }, + "name": "Security Hub" + }, + "provider_fields": { + "confidence": 42, + "criticality": 99, + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "severity": { + "label": "MEDIUM", + "original": "MEDIUM" + 
}, + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ] + }, + "record_state": "ACTIVE", + "region": "us-east-1", + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + }, + { + "id": "AcmeNerfHerder-111111111111-x189dx7824", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "remediation": { + "recommendation": { + "text": "Run sudo yum update and cross your fingers and toes.", + "url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" + } + }, + "resources": [ + { + "Details": { + "IamInstanceProfileArn": "arn:aws:iam::123456789012:role/IamInstanceProfileArn", + "ImageId": "ami-79fd7eee", + "IpV4Addresses": [ + "175.16.199.1" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "KeyName": "testkey", + "LaunchedAt": "2018-09-29T01:25:54Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "enabled", + "HttpPutResponseHopLimit": 1, + "HttpTokens": "optional", + "InstanceMetadataTags": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-e5aa89a3" + } + ], + "SubnetId": "PublicSubnet", + "Type": "i3.xlarge", + "VirtualizationType": "hvm", + "VpcId": "TestVPCIpv6" + }, + "Id": "i-cafebabe", + "Partition": "aws", + "Region": "us-west-2", + "Tags": { + "billingCode": "Lotus-1-2-3", + "needsPatching": "true" + }, + "Type": "AwsEc2Instance" + } + ], + "sample": true, + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "CRITICAL", + "original": "8.3" + }, + "source_url": "http://threatintelweekly.org/backdoors/8888", + "threat_intel_indicators": [ + { + "category": "BACKDOOR", + "last_observed_at": "2018-09-27T23:37:31.000Z", + "source": "Threat Intel Weekly", + "source_url": "http://threatintelweekly.org/backdoors/8888", + "type": "IPV4_ADDRESS", + "value": "175.16.199.1" + } + ], + "title": "EC2.20 Both VPN tunnels 
for an AWS Site-to-Site VPN connection should be up", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "updated_at": "2018-08-31T00:15:09.000Z", + "user_defined_fields": { + "comeBackToLater": "Check this again on Monday", + "reviewedByCio": "true" + }, + "verification_state": "UNKNOWN", + "vulnerabilities": [ + { + "cvss": [ + { + "base_score": 4.7, + "base_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "V3" + }, + { + "base_score": 4.7, + "base_vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N", + "version": "V2" + } + ], + "id": "CVE-2020-12345", + "reference_urls": [ + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" + ], + "related_vulnerabilities": [ + "CVE-2020-12345" + ], + "vendor": { + "created_at": "2020-01-16T00:01:43.000Z", + "name": "Alas", + "severity": "Medium", + "updated_at": "2020-01-16T00:01:43.000Z", + "url": "https://alas.aws.amazon.com/ALAS-2020-1337.html" + }, + "vulnerable_packages": [ + { + "architecture": "x86_64", + "epoch": "1", + "name": "openssl", + "release": "16.amzn2.0.3", + "version": "1.0.2k" + } + ] + } + ], + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "i-cafebabe", + "name": "i-cafebabe" + }, + "provider": "aws", + "region": "us-east-1" + }, + "destination": { + "domain": "example2.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "port_probe", + "category": [ + "configuration" + ], + "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", + "kind": "state", + "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example 
Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.
16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "id": "i-cafebabe" + }, + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "process": { + "end": "2018-09-27T23:37:31.000Z", + "executable": "/usr/sbin/syslogd", + "name": "syslogd", + "parent": { + "pid": 56789 + }, + "pid": 12345, + "start": "2018-09-27T22:37:31.000Z" + }, + "related": { + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ] + }, + "resource": { + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "id": "acme-vuln-9ab348", + "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and 
toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "ruleset": [ + "Req1", + "Req2" + ] + }, + "source": { + "domain": "example1.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "mac": "00-0D-83-B1-C0-8E", + "port": 42 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "last_seen": "2018-09-27T23:37:31.000Z", + "type": "ipv4-addr" + } + }, + "url": { + "domain": "threatintelweekly.org", + "full": "http://threatintelweekly.org/backdoors/8888", + "original": "http://threatintelweekly.org/backdoors/8888", + "path": "/backdoors/8888", + "scheme": "http" + }, + "vulnerability": { + "id": "CVE-2020-12345", + "reference": [ + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" + ], + "scanner": { + "vendor": "Alas" + }, + "score": { + "base": 4.7, + "version": "V2" + } + } + }, + { + "@timestamp": "2018-08-31T00:15:09.000Z", + "aws": { + "securityhub_findings_full_posture": { + "action": { + "port_probe": { + "blocked": false, + "details": [ + { + "local": { + "ip": { + "address_v4": "1.128.0.0" + }, + "port": { + "name": "HTTP", + "number": 80 + } + }, + "remote_ip": { + "city": { + "name": "Example City" + }, + "country": { + "name": "Example Country" + }, + "geolocation": { + "latitude": 0.0, + "longitude": 0.0 + }, + "organization": { + "asn": "64496", + "asn_organization": "ExampleASO", + "internet_provider": "ExampleOrg", + "internet_service_provider": "ExampleISP" + } + } + } + ] + }, + "type": "PORT_PROBE" + }, + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "Req1", + "Req2" + ], + "status": "PASSED", + "status_reasons": [ + { + "description": "CloudWatch alarms do not exist in the account", + "reason_code": "CLOUDWATCH_ALARMS_NOT_PRESENT" + } + ] + }, + "confidence": 42, + "created_at": 
"2017-03-22T13:22:13.933Z", + "criticality": 99, + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "first_observed_at": "2017-03-22T13:22:13.933Z", + "generator": { + "id": "acme-vuln-9ab348" + }, + "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", + "last_observed_at": "2017-03-23T13:22:13.933Z", + "malware": [ + { + "name": "Stringler", + "path": "/usr/sbin/stringler", + "state": "OBSERVED", + "type": "COIN_MINER" + } + ], + "network": { + "destination": { + "domain": "example2.com", + "ip": { + "v4": "1.128.0.0", + "v6": "2a02:cf40::" + }, + "port": 80 + }, + "direction": "IN", + "open_port_range": { + "begin": 443, + "end": 443 + }, + "protocol": "TCP", + "source": { + "domain": "example1.com", + "ip": { + "v4": "1.128.0.0", + "v6": "2a02:cf40::" + }, + "mac": "00-0D-83-B1-C0-8E", + "port": 42 + } + }, + "network_path": [ + { + "component": { + "id": "abc-01a234bc56d8901ee", + "type": "AWS::EC2::InternetGateway" + }, + "egress": { + "destination": { + "address": [ + "1.128.0.0/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + }, + "ingress": { + "destination": { + "address": [ + "175.16.199.1/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + } + } + ], + "note": { + "text": "Don't forget to check under the mat.", + "updated_at": "2018-08-31T00:15:09.000Z", + "updated_by": "jsmith" + }, + "patch_summary": { + "failed": { + "count": 0 + }, + "id": "pb-123456789098", + "installed": { + "count": 100, + "other": { + "count": 1023 + }, + "pending_reboot": 0, + "rejected": { + "count": 0 + } + }, + "missing": { + "count": 100 + }, + "operation": { + "end_time": "2018-09-27T23:39:31.000Z", + "start_time": "2018-09-27T23:37:31.000Z", + "type": "Install" + }, + "reboot_option": 
"RebootIfNeeded" + }, + "process": { + "launched_at": "2018-09-27T22:37:31.000Z", + "name": "syslogd", + "parent": { + "pid": 56789 + }, + "path": "/usr/sbin/syslogd", + "pid": 12345, + "terminated_at": "2018-09-27T23:37:31.000Z" + }, + "product": { + "arn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default", + "fields": { + "Service_Name": "cloudtrail.amazonaws.com", + "aws/inspector/AssessmentTargetName": "My prod env", + "aws/inspector/AssessmentTemplateName": "My daily CVE assessment", + "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures", + "generico/secure-pro/Count": "6" + }, + "name": "Security Hub" + }, + "provider_fields": { + "confidence": 42, + "criticality": 99, + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "severity": { + "label": "MEDIUM", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ] + }, + "record_state": "ACTIVE", + "region": "us-east-1", + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + }, + { + "id": "AcmeNerfHerder-111111111111-x189dx7824", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "remediation": { + "recommendation": { + "text": "Run sudo yum update and cross your fingers and toes.", + "url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" + } + }, + "resources": [ + { + "Details": { + "IamInstanceProfileArn": "arn:aws:iam::123456789012:role/IamInstanceProfileArn", + "ImageId": "ami-79fd7eee", + "IpV4Addresses": [ + "175.16.199.1" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "KeyName": "testkey", + "LaunchedAt": "2018-09-29T01:25:54Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "enabled", + 
"HttpPutResponseHopLimit": 1, + "HttpTokens": "optional", + "InstanceMetadataTags": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-e5aa89a3" + } + ], + "SubnetId": "PublicSubnet", + "Type": "i3.xlarge", + "VirtualizationType": "hvm", + "VpcId": "TestVPCIpv6" + }, + "Id": "i-cafebabe", + "Partition": "aws", + "Region": "us-west-2", + "Tags": { + "billingCode": "Lotus-1-2-3", + "needsPatching": "true" + }, + "Type": "AwsEc2Instance" + } + ], + "sample": true, + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "CRITICAL", + "original": "8.3" + }, + "source_url": "http://threatintelweekly.org/backdoors/8888", + "threat_intel_indicators": [ + { + "category": "BACKDOOR", + "last_observed_at": "2018-09-27T23:37:31.000Z", + "source": "Threat Intel Weekly", + "source_url": "http://threatintelweekly.org/backdoors/8888", + "type": "HASH_MD5", + "value": "ae2b1fca515949e5d54fb22b8ed95575" + } + ], + "title": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "updated_at": "2018-08-31T00:15:09.000Z", + "user_defined_fields": { + "comeBackToLater": "Check this again on Monday", + "reviewedByCio": "true" + }, + "verification_state": "UNKNOWN", + "vulnerabilities": [ + { + "cvss": [ + { + "base_score": 4.7, + "base_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "V3" + }, + { + "base_score": 4.7, + "base_vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N", + "version": "V2" + } + ], + "id": "CVE-2020-12345", + "reference_urls": [ + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" + ], + "related_vulnerabilities": [ + "CVE-2020-12345" + ], + "vendor": { + "created_at": "2020-01-16T00:01:43.000Z", + "name": "Alas", + "severity": "Medium", + "updated_at": "2020-01-16T00:01:43.000Z", + "url": "https://alas.aws.amazon.com/ALAS-2020-1337.html" + }, + 
"vulnerable_packages": [ + { + "architecture": "x86_64", + "epoch": "1", + "name": "openssl", + "release": "16.amzn2.0.3", + "version": "1.0.2k" + } + ] + } + ], + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "i-cafebabe", + "name": "i-cafebabe" + }, + "provider": "aws", + "region": "us-east-1" + }, + "destination": { + "domain": "example2.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "port_probe", + "category": [ + "configuration" + ], + "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", + "kind": "state", + "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"HASH_MD5\",\"Value\":\"ae2b1fca515949e5d54fb22b8ed95575\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "id": "i-cafebabe" + }, + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "process": { + "end": "2018-09-27T23:37:31.000Z", + "executable": "/usr/sbin/syslogd", + "name": "syslogd", + "parent": { + "pid": 56789 + }, + "pid": 12345, + "start": "2018-09-27T22:37:31.000Z" + }, + "related": { + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ] + }, + "resource": { + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "id": "acme-vuln-9ab348", + "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and 
toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "ruleset": [ + "Req1", + "Req2" + ] + }, + "source": { + "domain": "example1.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "mac": "00-0D-83-B1-C0-8E", + "port": 42 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "enrichments": [ + { + "indicator": { + "file": { + "hash": { + "md5": "ae2b1fca515949e5d54fb22b8ed95575" + } + } + } + } + ], + "indicator": { + "last_seen": "2018-09-27T23:37:31.000Z", + "type": "file" + } + }, + "url": { + "domain": "threatintelweekly.org", + "full": "http://threatintelweekly.org/backdoors/8888", + "original": "http://threatintelweekly.org/backdoors/8888", + "path": "/backdoors/8888", + "scheme": "http" + }, + "vulnerability": { + "id": "CVE-2020-12345", + "reference": [ + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" + ], + "scanner": { + "vendor": "Alas" + }, + "score": { + "base": 4.7, + "version": "V2" + } + } + }, + { + "@timestamp": "2022-06-17T08:43:26.731Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "xxx", + "company": { + "name": "AWS" + }, + "compliance": { + "status": "FAILED" + }, + "created_at": "2022-06-02T16:14:34.949Z", + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.", + "first_observed_at": "2022-06-02T16:14:34.949Z", + "generator": { + "id": "xxx" + }, + "id": "xxxx", + "last_observed_at": "2022-06-17T08:43:26.724Z", + "product": { + "arn": "xxx", + "fields": { + "ControlId": "EC2.8", + "RecommendationUrl": "https://example.com/", + "RelatedAWSResources:0/name": "xxx", + "RelatedAWSResources:0/type": "xxx", + "Resources:0/Id": "xxx", + "StandardsArn": "xxx", + "StandardsControlArn": "xxx", + "StandardsSubscriptionArn": "xxx", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "xxx", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH", + "product": "70" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ] + }, + "record_state": "ARCHIVED", + "region": "us-east-1", + "remediation": { + "recommendation": { + "text": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.", + "url": "https://example.com/" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": "xxx", + "ImageId": "xxx", + "KeyName": "xxx", + "LaunchedAt": "2022-06-02T16:11:39.000Z", + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "xxx" + } + ], + "SubnetId": "xxx", + "VpcId": "xxx" + } + }, + "Id": "xxx", + "Partition": "aws", + "Region": "us-east-1", + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH", + "product": "70" + }, + "title": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ], + "updated_at": 
"2022-06-17T08:43:26.731Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "xxx" + }, + "instance": { + "id": "xxx", + "name": "xxx" + }, + "provider": "aws", + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "id": "xxxx", + "kind": "state", + "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.\",\"Compliance\":{\"Status\":\"FAILED\"},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-02T16:14:34.949Z\",\"CreatedAt\":\"2022-06-02T16:14:34.949Z\",\"LastObservedAt\":\"2022-06-17T08:43:26.724Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.8\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"xxx\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices 
documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"},\"UpdatedAt\":\"2022-06-17T08:43:26.731Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Instance\",\"Details\":{\"AwsEc2Instance\":{\"KeyName\":\"xxx\",\"VpcId\":\"xxx\",\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"xxx\"}],\"ImageId\":\"xxx\",\"SubnetId\":\"xxx\",\"LaunchedAt\":\"2022-06-02T16:11:39.000Z\",\"IamInstanceProfileArn\":\"xxx\"}},\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", + "outcome": "failure", + "severity": 70, + "type": [ + "info" + ] + }, + "host": { + "id": "xxx" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.", + "id": "xxx", + "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://example.com/", + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2022-06-17T10:25:14.800Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "xxx", + "company": { + "name": "AWS" + }, + "compliance": { + "status": "NOT_AVAILABLE", + "status_reasons": [ + { + "description": "This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.", + "reason_code": "CONFIG_RETURNS_NOT_APPLICABLE" + } + ] + }, + "created_at": "2022-06-17T10:25:14.800Z", + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "first_observed_at": "2022-06-17T10:25:14.800Z", + "generator": { + "id": "xxx" + }, + "id": "xxx", + "last_observed_at": "2022-06-17T10:25:18.568Z", + "product": { + "arn": "xxx", + "fields": { + "ControlId": "EC2.3", + "RecommendationUrl": "https://example.com/", + "RelatedAWSResources:0/name": "xxx", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "xxx", + "StandardsArn": "xxx", + "StandardsControlArn": "xxx", + "StandardsSubscriptionArn": "xxx", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "xxx", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "INFORMATIONAL", + "product": "40" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ] + }, + "record_state": "ARCHIVED", + "region": "us-east-1", + "remediation": { + "recommendation": { + "text": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.", + "url": "https://example.com/" + } + }, + "resources": [ + { + "Id": "xxx", + "Partition": "aws", + "Region": "us-east-1", + "Type": "AwsEc2Volume" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "INFORMATIONAL", + "product": "40" + }, + "title": "EC2.3 Attached EBS volumes should be encrypted at-rest", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" + ], + "updated_at": "2022-06-17T10:25:14.800Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "xxx" + }, + "provider": "aws", + "region": "us-east-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "id": "xxx", + "kind": "state", + "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"Compliance\":{\"Status\":\"NOT_AVAILABLE\",\"StatusReasons\":[{\"Description\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. 
The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"ReasonCode\":\"CONFIG_RETURNS_NOT_APPLICABLE\"}]},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-17T10:25:14.800Z\",\"CreatedAt\":\"2022-06-17T10:25:14.800Z\",\"LastObservedAt\":\"2022-06-17T10:25:18.568Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.3\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/annotation\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.3 Attached EBS volumes should be encrypted at-rest\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"},\"UpdatedAt\":\"2022-06-17T10:25:14.800Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Volume\",\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", + "outcome": "unknown", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Volume" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "id": "xxx", + "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", + "reference": "https://example.com/", + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-11T07:59:56.087Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + 
"NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ], + "security_control_id": "EC2.8", + "status": "PASSED" + }, + "created_at": "2024-09-10T10:40:32.189Z", + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "first_observed_at": "2024-09-10T10:40:32.189Z", + "generator": { + "id": "security-control/EC2.8" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "last_observed_at": "2024-09-11T08:00:01.828Z", + "processed_at": "2024-09-11T08:00:03.516Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-ec2-imdsv2-check-29027890", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation" + } + }, + "resources": [ + { + 
"Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279", + "ImageId": "ami-04dffe071c46cddd4", + "LaunchedAt": "2024-09-10T10:39:35.000Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required", + "InstanceMetadataTags": "disabled" + }, + "Monitoring": { + "State": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-0de300eee88c5c7fd" + } + ], + "SubnetId": "subnet-5d15a111", + "VirtualizationType": "hvm", + "VpcId": "vpc-39017251" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "Name": "elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279", + "Task": "Cloud Security Posture Management Scanner", + "aws:cloudformation:logical-id": "ElasticAgentEc2Instance", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:59:56.087Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "instance/i-0e2ede89308a594d7" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } 
+ }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T08:00:03.516Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"LastObservedAt\":\"2024-09-11T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-11T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"LaunchedAt\":\"2024-09-10T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { 
+ "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "instance/i-0e2ede89308a594d7", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "security-control/EC2.8", + "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:13.008Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "NIST.800-53.r5 SC-12(2)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 SI-7(6)", + "NIST.800-53.r5 AU-9" + ], + "security_control_id": "S3.17", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:37.338Z", + "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). 
The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "first_observed_at": "2024-08-14T10:14:37.338Z", + "generator": { + "id": "security-control/S3.17" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "last_observed_at": "2024-09-13T22:50:29.249Z", + "processed_at": "2024-09-13T22:50:30.870Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-s3-default-encryption-kms-3a38fc59", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:s3:::s3-test-public-bucket", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "Amazon S3 bucket is not encrypted with AWS KMS key." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsS3Bucket": { + "CreatedAt": "2024-08-14T09:32:06.000Z", + "Name": "s3-test-public-bucket", + "OwnerId": "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" + } + }, + "Id": "arn:aws:s3:::s3-test-public-bucket", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsS3Bucket" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "title": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:13.008Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "s3" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:30.870Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 
SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"],\"SecurityControlId\":\"S3.17\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:37.338Z\",\"Description\":\"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:37.338Z\",\"GeneratorId\":\"security-control/S3.17\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"LastObservedAt\":\"2024-09-13T22:50:29.249Z\",\"ProcessedAt\":\"2024-09-13T22:50:30.870Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-s3-default-encryption-kms-3a38fc59\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Amazon S3 bucket is not encrypted with AWS KMS key.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation\"}},\"Resources\":[{\"Details\":{\"AwsS3Bucket\":{\"CreatedAt\":\"2024-08-14T09:32:06.000Z\",\"Name\":\"s3-test-public-bucket\",\"OwnerId\":\"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46\"}},\"Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsS3Bucket\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"S3 general purpose buckets should be encrypted at rest with AWS KMS keys\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:13.008Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:s3:::s3-test-public-bucket", + "name": "s3-test-public-bucket", + "type": "AwsS3Bucket" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). 
The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "id": "security-control/S3.17", + "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", + "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "ruleset": [ + "NIST.800-53.r5 SC-12(2)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 SI-7(6)", + "NIST.800-53.r5 AU-9" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" + } + }, + { + "@timestamp": "2024-09-11T07:59:56.364Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.2" + ], + "security_control_id": "EC2.53", + "status": "PASSED" + }, + "created_at": "2024-09-10T11:03:33.389Z", + "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "first_observed_at": "2024-09-10T11:03:33.389Z", + "generator": { + "id": "security-control/EC2.53" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "last_observed_at": "2024-09-11T08:00:06.960Z", + "processed_at": "2024-09-11T08:00:08.685Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-vpc-sg-port-restriction-check-8bef9db4", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2SecurityGroup": { + "GroupId": "sg-0dbc8c6200a0a9c51", + "GroupName": "elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279", + "IpPermissionsEgress": [ + { + "IpProtocol": "-1", + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ] + } + ], + "OwnerId": "111111111111", + "VpcId": "vpc-39017251" + } + }, + "Id": 
"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "aws:cloudformation:logical-id": "ElasticAgentSecurityGroup", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2SecurityGroup" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:59:56.364Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T08:00:08.685Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.2\"],\"SecurityControlId\":\"EC2.53\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T11:03:33.389Z\",\"Description\":\"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T11:03:33.389Z\",\"GeneratorId\":\"security-control/EC2.53\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"LastObservedAt\":\"2024-09-11T08:00:06.960Z\",\"ProcessedAt\":\"2024-09-11T08:00:08.685Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-vpc-sg-port-restriction-check-8bef9db4\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupId\":\"sg-0dbc8c6200a0a9c51\",\"GroupName\":\"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279\",\"IpPermissionsEgress\":[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}],\"OwnerId\":\"111111111111\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"aws:cloudformation:logical-id\":\"ElasticAgentSecurityGroup\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2SecurityGroup\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.364Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "name": "security-group/sg-0dbc9c6210a0a9c51", + "type": "AwsEc2SecurityGroup" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "id": "security-control/EC2.53", + "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.2" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-10T16:51:26.034Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 SI-7(6)" + ], + "security_control_id": "EC2.3", + "status": "FAILED" + }, + "created_at": "2024-09-10T16:51:26.034Z", + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "first_observed_at": "2024-09-10T16:50:59.623Z", + "generator": { + "id": "security-control/EC2.3" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "last_observed_at": "2024-09-10T16:50:59.623Z", + "processed_at": "2024-09-10T16:51:39.864Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-encrypted-volumes-4e81c587", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e", + "aws/securityhub/CompanyName": "AWS", + 
"aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Volume": { + "Attachments": [ + { + "AttachTime": "2024-09-10T10:39:36.000Z", + "DeleteOnTermination": true, + "InstanceId": "i-0f1ede89308a584d8", + "Status": "attached" + } + ], + "CreateTime": "2024-09-10T10:39:36.313Z", + "Encrypted": false, + "Size": 32, + "SnapshotId": "snap-07cb2350b59fa5cce", + "Status": "in-use" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsEc2Volume" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "title": "Attached EBS volumes should be encrypted at-rest", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-10T16:51:26.034Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-10T16:51:39.864Z", + "id": 
"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 SI-7(6)\"],\"SecurityControlId\":\"EC2.3\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T16:51:26.034Z\",\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T16:50:59.623Z\",\"GeneratorId\":\"security-control/EC2.3\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"LastObservedAt\":\"2024-09-10T16:50:59.623Z\",\"ProcessedAt\":\"2024-09-10T16:51:39.864Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-encrypted-volumes-4e81c587\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Volume\":{\"Attachments\":[{\"AttachTime\":\"2024-09-10T10:39:36.000Z\",\"DeleteOnTermination\":true,\"InstanceId\":\"i-0f1ede89308a584d8\",\"Status\":\"attached\"}],\"CreateTime\":\"2024-09-10T10:39:36.313Z\",\"Encrypted\":false,\"Size\":32,\"SnapshotId\":\"snap-07cb2350b59fa5cce\",\"Status\":\"in-use\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Volume\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"Attached EBS volumes should be encrypted at-rest\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-10T16:51:26.034Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "name": "volume/vol-03821fa7de881617e", + "type": "AwsEc2Volume" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "id": "security-control/EC2.3", + "name": "Attached EBS volumes should be encrypted at-rest", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "ruleset": [ + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 SI-7(6)" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-15T16:48:45.279Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v1.2.0/1.16" + ], + "security_control_id": "IAM.2", + "status": "FAILED" + }, + "created_at": "2024-09-10T12:40:36.785Z", + "description": "This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.", + "first_observed_at": "2024-09-10T12:40:36.785Z", + "generator": { + "id": "security-control/SSM.1" + }, + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "last_observed_at": "2024-09-15T16:48:57.829Z", + "processed_at": "2024-09-15T16:48:59.493Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-iam-user-no-policies-check-832bb806", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "types": [ + "Software and Configuration 
Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsIamUser": { + "AttachedManagedPolicies": [ + { + "PolicyArn": "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess", + "PolicyName": "AWSSecurityHubFullAccess" + } + ], + "CreateDate": "2023-01-10T01:07:37.000Z", + "GroupList": [ + "DevUsers" + ], + "Path": "/developers/", + "UserId": "DevUserId", + "UserName": "Dev UserName" + } + }, + "Id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsIamUser" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "IAM users should not have IAM policies attached", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-15T16:48:45.279Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "iam" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-15T16:48:59.493Z", + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"},{\"StandardsId\":\"standards/pci-dss/v/3.2.1\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark 
v1.2.0/1.16\"],\"SecurityControlId\":\"IAM.2\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T12:40:36.785Z\",\"Description\":\"This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T12:40:36.785Z\",\"GeneratorId\":\"security-control/SSM.1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-user-no-policies-check-832bb806\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsIamUser\",\"Details\":{\"AwsIamUser\":{\"Path\":\"/developers/\",\"AttachedManagedPolicies\":[{\"PolicyArn\":\"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess\",\"PolicyName\":\"AWSSecurityHubFullAccess\"}],\"UserName\":\"Dev 
UserName\",\"GroupList\":[\"DevUsers\"],\"UserId\":\"DevUserId\",\"CreateDate\":\"2023-01-10T01:07:37.000Z\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"IAM users should not have IAM policies attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "name": "user/developers/devuser@dev.dev", + "type": "AwsIamUser" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks that none of your IAM users have policies attached. 
Instead, IAM users must inherit permissions from IAM groups or roles.", + "id": "security-control/SSM.1", + "name": "IAM users should not have IAM policies attached", + "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v1.2.0/1.16" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "DevUserId", + "name": "Dev UserName" + } + }, + { + "@timestamp": "2024-09-15T16:48:45.279Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "EKS.1", + "status": "FAILED" + }, + "created_at": "2024-09-11T12:40:36.785Z", + "description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.", + "first_observed_at": "2024-09-11T12:40:36.785Z", + "generator": { + "id": "security-control/EKS.1" + }, + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "last_observed_at": "2024-09-15T16:48:57.829Z", + "processed_at": "2024-09-15T16:48:59.493Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-eks-endpoint-no-public-access-2dc35c63", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "Cluster Endpoint of democluster is Publicly accessible" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEksCluster": { + "Arn": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "Name": "democluster", + "ResourcesVpcConfig": { + "EndpointPublicAccess": true, + "SecurityGroupIds": [ + "sg-111" + ], + "SubnetIds": [ + "subnet-aaa", + "subnet-bbb" + ] + }, + "RoleArn": "arn:aws:iam::111111111111:role/EKSClusterRole", + "Version": "1.27" + } + }, + "Id": 
"arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "environment": "dev", + "managed_by": "terraform", + "project": "demo", + "team": "dev" + }, + "Type": "AwsEksCluster" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH" + }, + "title": "EKS cluster endpoints should not be publicly accessible", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-15T16:48:45.279Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "eks" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-15T16:48:59.493Z", + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"EKS.1\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-11T12:40:36.785Z\",\"Description\":\"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-11T12:40:36.785Z\",\"GeneratorId\":\"security-control/EKS.1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-eks-endpoint-no-public-access-2dc35c63\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Cluster Endpoint of democluster is Publicly accessible\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEksCluster\",\"Details\":{\"AwsEksCluster\":{\"Version\":\"1.27\",\"Arn\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"ResourcesVpcConfig\":{\"EndpointPublicAccess\":true,\"SecurityGroupIds\":[\"sg-111\"],\"SubnetIds\":[\"subnet-aaa\",\"subnet-bbb\"]},\"RoleArn\":\"arn:aws:iam::111111111111:role/EKSClusterRole\",\"Name\":\"democluster\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"Tags\":{\"environment\":\"dev\",\"managed_by\":\"terraform\",\"project\":\"demo\",\"team\":\"dev\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Title\":\"EKS cluster endpoints should not be publicly accessible\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 70, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "version": "1.27" + }, + "resource": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" + }, + "type": "kubernetes" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.", + "id": "security-control/EKS.1", + "name": "EKS cluster endpoints should not be publicly accessible", + "reference": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-11T07:53:19.500Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/1.22" + ], + "security_control_id": "IAM.27", + "status": "PASSED", + "status_reasons": [ + { + "description": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.", + "reason_code": "CONFIG_EVALUATIONS_EMPTY" + } + ] + }, + "created_at": "2024-08-14T12:11:57.803Z", + "description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.", + "first_observed_at": "2024-08-14T12:11:57.803Z", + "generator": { + "id": "security-control/IAM.27" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "last_observed_at": "2024-09-11T07:53:19.500Z", + "processed_at": "2024-09-11T07:53:27.460Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-iam-policy-blacklisted-check-0ab52b49", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:iam::111111111111:root", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation" + } + }, + "resources": [ + { + "Id": "AWS::::Account:111111111111", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsAccount" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:53:19.500Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T07:53:27.460Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/1.22\"],\"SecurityControlId\":\"IAM.27\",\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\",\"ReasonCode\":\"CONFIG_EVALUATIONS_EMPTY\"}]},\"CreatedAt\":\"2024-08-14T12:11:57.803Z\",\"Description\":\"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T12:11:57.803Z\",\"GeneratorId\":\"security-control/IAM.27\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"LastObservedAt\":\"2024-09-11T07:53:19.500Z\",\"ProcessedAt\":\"2024-09-11T07:53:27.460Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-policy-blacklisted-check-0ab52b49\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:root\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation\"}},\"Resources\":[{\"Id\":\"AWS::::Account:111111111111\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsAccount\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"IAM identities should not have the AWSCloudShellFullAccess policy attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:53:19.500Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "AWS::::Account:111111111111", + "name": "111111111111", + "type": "AwsAccount" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.", + "id": "security-control/IAM.27", + "name": "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/1.22" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "EC2.44", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Subnet": { + "AssignIpv6AddressOnCreation": false, + "AvailabilityZone": "ap-south-1c", + "AvailabilityZoneId": "aps1-az2", + "AvailableIpAddressCount": 4091, + "CidrBlock": "171.32.32.0/20", + "DefaultForAz": true, + "MapPublicIpOnLaunch": true, + "OwnerId": "111111111111", + "State": "available", + "SubnetArn": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9", + "SubnetId": "subnet-c19c74b9", + "VpcId": "vpc-39017152" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsEc2Subnet" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "ap-south-1c", + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "kind": "state", + 
"original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-resource-tagging-standard/v/1.0.0\"}],\"SecurityControlId\":\"EC2.44\",\"SecurityControlParameters\":[{\"Name\":\"requiredTagKeys\",\"Value\":[]}],\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"aws/securityhub/ProductName\":\"Security 
Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Subnet\":{\"AssignIpv6AddressOnCreation\":false,\"AvailabilityZone\":\"ap-south-1c\",\"AvailabilityZoneId\":\"aps1-az2\",\"AvailableIpAddressCount\":4091,\"CidrBlock\":\"171.32.32.0/20\",\"DefaultForAz\":true,\"MapPublicIpOnLaunch\":true,\"OwnerId\":\"111111111111\",\"State\":\"available\",\"SubnetArn\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9\",\"SubnetId\":\"subnet-c19c74b9\",\"VpcId\":\"vpc-39017152\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Subnet\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "name": "subnet/subnet-c28c74b9", + "type": "AwsEc2Subnet" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. 
If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "ELB.6", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-17T21:35:20.303Z", + "DNSName": "a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned", + "kubernetes.io/service-name": "default/traefik" + }, + "Type": "AwsElbv2LoadBalancer" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "ap-south-1a", + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "elasticloadbalancing" + } + }, + 
"ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "name": "loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "type": "AwsElbv2LoadBalancer" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks 
whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "ELB.6", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-17T21:35:20.303Z", + "DNSName": "a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned", + "kubernetes.io/service-name": "default/traefik" + }, + "Type": "AwsElbv2LoadBalancer" + }, + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-18T21:35:20.303Z", + "DNSName": "a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": 
"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned" + }, + "Type": "AwsElbv2LoadBalancer" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": [ + "ap-south-1b", + "ap-south-1a", + "ap-south-1b", + "ap-south-1a" + ], + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": [ + "elasticloadbalancing", + "elasticloadbalancing" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}},{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-18T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e\",\"Tags\":{\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": [ + "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e" + ], + "name": [ + "loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e" + ], + "type": [ + "AwsElbv2LoadBalancer", + "AwsElbv2LoadBalancer" + ] + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-21T07:59:56.087Z", + "aws": { + "securityhub_findings_full_posture": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ], + "security_control_id": "EC2.8", + "status": "PASSED" + }, + "created_at": "2024-09-20T10:40:32.189Z", + "description": "This control checks 
whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "first_observed_at": "2024-09-20T10:40:32.189Z", + "generator": { + "id": "security-control/EC2.8" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "last_observed_at": "2024-09-21T08:00:01.828Z", + "processed_at": "2024-09-21T08:00:03.516Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-ec2-imdsv2-check-29027890", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279", + "ImageId": "ami-04dffe071c46cddd4", + "IpV4Addresses": [ 
+ "89.160.20.156", + "89.160.20.157" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "LaunchedAt": "2024-09-20T10:39:35.000Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required", + "InstanceMetadataTags": "disabled" + }, + "Monitoring": { + "State": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-0de300eee88c5c7fd" + } + ], + "SubnetId": "subnet-5d15a111", + "VirtualizationType": "hvm", + "VpcId": "vpc-39017251" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "Name": "elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279", + "Task": "Cloud Security Posture Management Scanner", + "aws:cloudformation:logical-id": "ElasticAgentEc2Instance", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-21T07:59:56.087Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "name": "instance/i-0f2ede89308a594d8" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": 
"2024-09-21T08:00:03.516Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-20T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-20T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"LastObservedAt\":\"2024-09-21T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-21T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"IpV4Addresses\":[\"89.160.20.156\",\"89.160.20.157\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"LaunchedAt\":\"2024-09-20T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-21T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "id": 
"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "ip": [ + "89.160.20.156", + "89.160.20.157", + "2a02:cf40::" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "name": "instance/i-0f2ede89308a594d8", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "security-control/EC2.8", + "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + } + ] +} \ No newline at end of file diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..5abc693c705 --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,37 @@
+input: httpjson
+skip:
+ reason: "Support backward compatibility of Current AWS package."
+ link: https://github.com/elastic/integrations/issues/3695
+service: securityhub_full_posture
+vars:
+ secret_access_key: xxxx
+ access_key_id: xxxx
+data_stream:
+ vars:
+ aws_region: xxxx
+ tld: amazonaws.cn
+ preserve_original_event: true
+ enable_request_tracer: true
+ ssl: |
+ certificate_authorities:
+ - |
+ -----BEGIN CERTIFICATE-----
+ MIIDUjCCAjoCCQDQ1VVKJuqgWjANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJY
+ WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
+ bnkgTHRkMScwJQYDVQQDDB5zZWN1cml0eWh1Yi54eHh4LmFtYXpvbmF3cy5jb20w
+ HhcNMjIwNzA2MDg1MTUwWhcNMjMwNzA2MDg1MTUwWjBrMQswCQYDVQQGEwJYWDEV
+ MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
+ THRkMScwJQYDVQQDDB5zZWN1cml0eWh1Yi54eHh4LmFtYXpvbmF3cy5jb20wggEi
+ MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhyLkZGxIdXMUb8UuD16U67hGi
+ /W7SvhtHLkQGbHTWAD7+AAg5ybbBFa2LTf3G5lprgJ/nUAl5N2i7CnSOlRxm6yKU
+ VeyXPzQ8327sb7Y1pm07hU2Y+unKXcCjQi4lgF9GUXgRFYGxzIiwbG52XgZNJ4Cq
+ TWXAlRi8J4nJbSPty3R6wt2+bxIGf9/v6VoBpj0Ltal7aM9/YTGYkc+PprcoK6+x
+ o5IzXha4iedNLjVRl7MLkP57BmDTTJpdO8OraddWjm1/I3kG5Lyu19A9URMg47vW
+ L7IOtOZzfDNyCYbFwqNMHk62AVpTOYqL/icNlX+EpUxX4kyVhd4W0Y9xBs5HAgMB
+ AAEwDQYJKoZIhvcNAQELBQADggEBAFA+VI+UgD2ldDLkfoCG+BNtasm9dyJvuer+
+ 9+R8IyMDL0O8ppLSpKny7MbTLFKymIkTFJzCKf3+q5cL/y4W5YRPsm3tYD8wzBfN
+ o+sG2e1UlmMtv0vU4dsmoeHqYFyuxuDlgtH0FynCYgh+Xo6s6zPpNi48QsLebIf9
+ Bp0lgklIyHpVhMTwUua5P0t00ecKvkCNf51x/apqyRYBdoAvrwQ9IRVPmvu/iQCR
+ 3AMQH0dhaDjS3aVzKyRrhu+jjEAFRV5yVr64LTkQAWzMb6yz1KaQa0OjXNV1wX4F
+ /k5zhqX0C0HAvDkSKXqwtUXl8jKyvP3Ogwddzg17932lVJe/3jc=
+ -----END CERTIFICATE-----
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/agent/stream/httpjson.yml.hbs b/packages/aws/data_stream/securityhub_findings_full_posture/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..60d32dd44b5
--- /dev/null
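Review bot: The `skip` block's reason (`Support backward compatibility of Current AWS package.`, linking issue 3695) reads as a carry-over from the sibling Security Hub stream configs rather than a justification for this brand-new data stream, so the only system test for `securityhub_full_posture` is disabled with a rationale that cannot apply to it. If the skip is genuinely needed, the reason should state why for this stream (for example, no mock for the new endpoint); otherwise drop `skip:` so the signing and pagination template actually gets exercised. Two things will also bite the moment it is un-skipped, both inferred from the base64 only and worth confirming with `openssl x509 -text`: the embedded CA appears to have a validity window of 2022-07-06 to 2023-07-06 and a CN of `securityhub.xxxx.amazonaws.com`, while `aws_region: xxxx` with `tld: amazonaws.cn` makes the agent dial `securityhub.xxxx.amazonaws.cn`, so TLS verification would fail on expiry and on name mismatch.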
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,67 @@
+config_version: 2
+interval: 24h
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+request.tracer.maxbackups: 5
+{{/if}}
+request.timeout: 2m
+request.method: POST
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: https://securityhub.{{aws_region}}.{{tld}}/findings
+request.transforms:
+ - set:
+ target: header.X-Amz-Date
+ value: '[[formatDate (now) "20060102T150405Z"]]'
+ - set:
+ target: body.MaxResults
+ value: 100
+ value_type: int
+ - set:
+ target: body.Filters.RecordState
+ value: '[{"Comparison":"NOT_EQUALS","Value":"ARCHIVED"}]'
+ value_type: json
+ - set:
+ target: body.Filters.WorkflowStatus
+ value: '[{"Comparison":"NOT_EQUALS","Value":"SUPPRESSED"}]'
+ value_type: json
+ - set:
+ target: header.Authorization
+ value: '[[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256 Credential={{access_key_id}}/%s/{{aws_region}}/securityhub/aws4_request, SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now) "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" "AWS4{{secret_access_key}}" (formatDate ($now) "20060102"))) "{{aws_region}}")) "securityhub")) "aws4_request")) "AWS4-HMAC-SHA256\n" (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n" (formatDate ($now) "20060102") "{{aws_region}}/securityhub/aws4_request") (hash "sha256" "POST\n" "/findings\n" "\n" "host:securityhub.{{aws_region}}.{{tld}}\n" (sprintf "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z")) "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]'
+{{!-- https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html --}}
+response.pagination:
+ - set:
+ target: body.NextToken
+ value: '[[if (eq (len .last_response.body.Findings) 100)]][[.last_response.body.NextToken]][[end]]'
+ fail_on_template_error: true
+ - delete:
+ target: header.Authorization
+ - set:
+ target: header.Authorization
+ value: '[[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256 Credential={{access_key_id}}/%s/{{aws_region}}/securityhub/aws4_request, SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now) "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac "sha256" "AWS4{{secret_access_key}}" (formatDate ($now) "20060102"))) "{{aws_region}}")) "securityhub")) "aws4_request")) "AWS4-HMAC-SHA256\n" (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n" (formatDate ($now) "20060102") "{{aws_region}}/securityhub/aws4_request") (hash "sha256" "POST\n" "/findings\n" "\n" "host:securityhub.{{aws_region}}.{{tld}}\n" (sprintf "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z")) "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]'
+response.split:
+ target: body.Findings
+ ignore_empty_value: true
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings_full_posture/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..b61ff4847c2
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/elasticsearch/ingest_pipeline/default.yml
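Review bot: The `X-Amz-Date` header and the SigV4 signature come from two independent `(now)` evaluations — the first `set` in `request.transforms` stamps the header, while the `header.Authorization` value (and its copy under `response.pagination`) binds its own `$now := (now)` — so whenever the clock crosses a second boundary between the two transforms the `x-amz-date` folded into the canonical request and string-to-sign differs from the header actually sent, and AWS rejects the call with SignatureDoesNotMatch. With `interval: 24h` a single rejected request means a full day without a posture snapshot, and nothing visible in this hunk retries. If httpjson exposes the request headers as `.header` in the transform context (I believe it does, but confirm), signing from the value already set — `[[$amzDate := (.header.Get "X-Amz-Date")]]` and `(slice $amzDate 0 8)` for the credential-scope date in place of every `formatDate ($now) ...` — removes the race in both the request and the pagination transform. I would also put `{{!-- interval is fixed at 24h: each run re-fetches every finding that is not ARCHIVED or SUPPRESSED (see Filters below), i.e. a daily posture snapshot rather than an incremental pull --}}` above `interval: 24h`, since the stream exposes no interval variable and the two filters are easy to miss.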
@@ -0,0 +1,2657 @@ +--- +description: Pipeline for processing AWS Security Hub Findings Full Posture logs. +processors: + - set: + field: ecs.version + value: '8.11.0' + - set: + field: event.kind + value: state + - append: + field: event.type + value: info + tag: set_event_tiype + allow_duplicates: false + - append: + field: event.category + value: configuration + tag: append_event_category + allow_duplicates: false + - rename: + field: message + target_field: event.original + ignore_missing: true + if: 'ctx.event?.original == null' + - remove: + field: message + ignore_missing: true + if: 'ctx.event?.original != null' + description: 'The `message` field is no longer required if the document has an `event.original` field.' + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.UpdatedAt + - json.Id + - json.CreatedAt + target_field: _id + ignore_missing: true + - set: + field: observer.vendor + value: AWS Security Hub + tag: set_observer_vendor + - set: + field: cloud.provider + value: aws + tag: set_cloud_provider + - rename: + field: json.Action.ActionType + target_field: aws.securityhub_findings_full_posture.action.type + ignore_missing: true + - set: + field: event.action + copy_from: aws.securityhub_findings_full_posture.action.type + ignore_failure: true + - lowercase: + field: event.action + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.AffectedResources + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.affected_resources + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.Api + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.api + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.CallerType + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.caller.type + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.DomainDetails.Domain + target_field: 
aws.securityhub_findings_full_posture.action.aws_api_call.domain_details.domain + ignore_missing: true + - date: + field: json.Action.AwsApiCallAction.FirstSeen + if: ctx.json?.Action?.AwsApiCallAction?.FirstSeen != null && ctx.json?.Action?.AwsApiCallAction?.FirstSeen != '' + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.first_seen + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.Action.AwsApiCallAction.LastSeen + if: ctx.json?.Action?.AwsApiCallAction?.LastSeen != null && ctx.json?.Action?.AwsApiCallAction?.LastSeen != '' + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.last_seen + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.AwsApiCallAction.RemoteIpDetails.City.CityName + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.city.name + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.country.code + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.country.name + ignore_missing: true + - convert: + field: json.Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lat + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.geolocation.latitude + if: ctx.json?.Action?.AwsApiCallAction?.RemoteIpDetails?.GeoLocation?.Lat != '' + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: 
json.Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lon + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.geolocation.longitude + if: ctx.json?.Action?.AwsApiCallAction?.RemoteIpDetails?.GeoLocation?.Lon != '' + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4 + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.ip.address_v4 + if: ctx.json?.Action?.AwsApiCallAction?.RemoteIpDetails?.IpAddressV4 != '' + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.Action.AwsApiCallAction.RemoteIpDetails.Organization.Asn + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.asn + if: ctx.json?.Action?.AwsApiCallAction?.RemoteIpDetails?.Organization?.Asn != '' + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.AwsApiCallAction.RemoteIpDetails.Organization.AsnOrg + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.asn_organization + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.RemoteIpDetails.Organization.Isp + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.internet_service_provider + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.RemoteIpDetails.Organization.Org + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.internet_provider + ignore_missing: true + - rename: + field: json.Action.AwsApiCallAction.ServiceName + target_field: aws.securityhub_findings_full_posture.action.aws_api_call.service.name + ignore_missing: 
true + - convert: + field: json.Action.DnsRequestAction.Blocked + target_field: aws.securityhub_findings_full_posture.action.dns_request.blocked + if: ctx.json?.Action?.DnsRequestAction?.Blocked != '' + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.DnsRequestAction.Domain + target_field: aws.securityhub_findings_full_posture.action.dns_request.domain + ignore_missing: true + - rename: + field: json.Action.DnsRequestAction.Protocol + target_field: aws.securityhub_findings_full_posture.action.dns_request.protocol + ignore_missing: true + - convert: + field: json.Action.NetworkConnectionAction.Blocked + target_field: aws.securityhub_findings_full_posture.action.network_connection.blocked + if: ctx.json?.Action?.NetworkConnectionAction?.Blocked != '' + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.NetworkConnectionAction.ConnectionDirection + target_field: aws.securityhub_findings_full_posture.action.network_connection.direction + ignore_missing: true + - convert: + field: json.Action.NetworkConnectionAction.LocalPortDetails.Port + target_field: aws.securityhub_findings_full_posture.action.network_connection.local.port.number + if: ctx.json?.Action?.NetworkConnectionAction?.LocalPortDetails?.Port != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.NetworkConnectionAction.LocalPortDetails.PortName + target_field: aws.securityhub_findings_full_posture.action.network_connection.local.port.name + ignore_missing: true + - rename: + field: json.Action.NetworkConnectionAction.Protocol + target_field: aws.securityhub_findings_full_posture.action.network_connection.protocol + ignore_missing: true + - rename: + field: 
json.Action.NetworkConnectionAction.RemoteIpDetails.City.CityName + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.city.name + ignore_missing: true + - rename: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.Country.CountryCode + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.country.code + ignore_missing: true + - rename: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.Country.CountryName + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.country.name + ignore_missing: true + - convert: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.GeoLocation.Lat + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.geolocation.latitude + if: ctx.json?.Action?.NetworkConnectionAction?.RemoteIpDetails?.GeoLocation?.Lat != '' + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.GeoLocation.Lon + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.geolocation.longitude + if: ctx.json?.Action?.NetworkConnectionAction?.RemoteIpDetails?.GeoLocation?.Lon != '' + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.IpAddressV4 + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.ip.address_v4 + if: ctx.json?.Action?.NetworkConnectionAction?.RemoteIpDetails?.IpAddressV4 != '' + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Asn + target_field: 
aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.asn + if: ctx.json?.Action?.NetworkConnectionAction?.RemoteIpDetails?.Organization?.Asn != '' + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.Organization.AsnOrg + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.asn_organization + ignore_missing: true + - rename: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Isp + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.internet_service_provider + ignore_missing: true + - rename: + field: json.Action.NetworkConnectionAction.RemoteIpDetails.Organization.Org + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.internet_provider + ignore_missing: true + - convert: + field: json.Action.NetworkConnectionAction.RemotePortDetails.Port + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote.port.number + if: ctx.json?.Action?.NetworkConnectionAction?.RemotePortDetails?.Port != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.Action.NetworkConnectionAction.RemotePortDetails.PortName + target_field: aws.securityhub_findings_full_posture.action.network_connection.remote.port.name + ignore_missing: true + - convert: + field: json.Action.PortProbeAction.Blocked + target_field: aws.securityhub_findings_full_posture.action.port_probe.blocked + if: ctx.json?.Action?.PortProbeAction?.Blocked != '' + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: 
json.Action.PortProbeAction.PortProbeDetails + processor: + convert: + field: _ingest._value.LocalIpDetails.IpAddressV4 + target_field: _ingest._value.local.ip.address_v4 + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + convert: + field: _ingest._value.LocalPortDetails.Port + target_field: _ingest._value.local.port.number + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + rename: + field: _ingest._value.LocalPortDetails.PortName + target_field: _ingest._value.local.port.name + ignore_missing: true + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + rename: + field: _ingest._value.RemoteIpDetails.City.CityName + target_field: _ingest._value.remote_ip.city.name + ignore_missing: true + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + rename: + field: _ingest._value.RemoteIpDetails.Country.CountryCode + target_field: _ingest._value.remote_ip.country.code + ignore_missing: true + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && 
ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + rename: + field: _ingest._value.RemoteIpDetails.Country.CountryName + target_field: _ingest._value.remote_ip.country.name + ignore_missing: true + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + convert: + field: _ingest._value.RemoteIpDetails.GeoLocation.Lat + target_field: _ingest._value.remote_ip.geolocation.latitude + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + convert: + field: _ingest._value.RemoteIpDetails.GeoLocation.Lon + target_field: _ingest._value.remote_ip.geolocation.longitude + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: json.Action.PortProbeAction.PortProbeDetails + processor: + convert: + field: _ingest._value.RemoteIpDetails.IpAddressV4 + target_field: _ingest._value.remote_ip.ip.address_v4 + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List + - foreach: + field: 
json.Action.PortProbeAction.PortProbeDetails
+ processor:
+ convert:
+ field: _ingest._value.RemoteIpDetails.Organization.Asn
+ target_field: _ingest._value.remote_ip.organization.asn
+ type: string
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List
+ - foreach:
+ field: json.Action.PortProbeAction.PortProbeDetails
+ processor:
+ rename:
+ field: _ingest._value.RemoteIpDetails.Organization.AsnOrg
+ target_field: _ingest._value.remote_ip.organization.asn_organization
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List
+ - foreach:
+ field: json.Action.PortProbeAction.PortProbeDetails
+ processor:
+ rename:
+ field: _ingest._value.RemoteIpDetails.Organization.Isp
+ target_field: _ingest._value.remote_ip.organization.internet_service_provider
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List
+ - foreach:
+ field: json.Action.PortProbeAction.PortProbeDetails
+ processor:
+ rename:
+ field: _ingest._value.RemoteIpDetails.Organization.Org
+ target_field: _ingest._value.remote_ip.organization.internet_provider
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List
+ - foreach:
+ field: json.Action.PortProbeAction.PortProbeDetails
+ processor:
+ remove:
+ field:
+ - _ingest._value.LocalIpDetails
+ - _ingest._value.LocalPortDetails
+ - _ingest._value.RemoteIpDetails
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Action?.PortProbeAction?.PortProbeDetails != null && ctx.json?.Action?.PortProbeAction?.PortProbeDetails instanceof List
+ - rename:
+ field: json.Action.PortProbeAction.PortProbeDetails
+ target_field: aws.securityhub_findings_full_posture.action.port_probe.details
+ ignore_missing: true
+ - rename:
+ field: json.AwsAccountId
+ target_field: aws.securityhub_findings_full_posture.aws_account_id
+ ignore_missing: true
+ - set:
+ field: cloud.account.id
+ copy_from: aws.securityhub_findings_full_posture.aws_account_id
+ ignore_failure: true
+ - rename:
+ field: json.CompanyName
+ target_field: aws.securityhub_findings_full_posture.company.name
+ ignore_missing: true
+ - set:
+ field: organization.name
+ copy_from: aws.securityhub_findings_full_posture.company.name
+ ignore_failure: true
+ - rename:
+ field: json.Compliance.RelatedRequirements
+ target_field: aws.securityhub_findings_full_posture.compliance.related_requirements
+ ignore_missing: true
+ - foreach:
+ field: aws.securityhub_findings_full_posture.compliance.related_requirements
+ if: ctx.aws?.securityhub_findings_full_posture?.compliance?.related_requirements instanceof List
+ tag: foreach_compliance_related_requirements
+ processor:
+ append:
+ field: rule.ruleset
+ value: '{{{_ingest._value}}}'
+ tag: append_related_requirements_rule_ruleset
+ allow_duplicates: false
+ - rename:
+ field: json.Compliance.Status
+ target_field: aws.securityhub_findings_full_posture.compliance.status
+ ignore_missing: true
+ - set:
+ field: result.evaluation
+ tag: set_result_evaluation_passed
+ value: passed
+ if: ctx.aws?.securityhub_findings_full_posture?.compliance?.status == 'PASSED'
+ ignore_empty_value: true
+ - set:
+ field: result.evaluation
+ tag: set_result_evaluation_failed
+ value: failed
+ if: ctx.aws?.securityhub_findings_full_posture?.compliance?.status == 'FAILED'
+ ignore_empty_value: true
+ - set:
+ field: result.evaluation
+ tag: set_result_evaluation_unknown
+ value: unknown
+ if: ctx.result?.evaluation == null
+ ignore_empty_value: true
+ - set:
+ field: event.outcome
+ tag: set_event_outcome_success
+ value: success
+ if: ctx.aws?.securityhub_findings_full_posture?.compliance?.status == 'PASSED'
+ ignore_empty_value: true
+ - set:
+ field: event.outcome
+ tag: set_event_outcome_failure
+ value: failure
+ if: ctx.aws?.securityhub_findings_full_posture?.compliance?.status == 'FAILED'
+ ignore_empty_value: true
+ - set:
+ field: event.outcome
+ tag: set_event_outcome_unknown
+ value: unknown
+ if: ctx.event?.outcome == null
+ - foreach:
+ field: json.Compliance.StatusReasons
+ processor:
+ rename:
+ field: _ingest._value.Description
+ target_field: _ingest._value.description
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Compliance?.StatusReasons != null && ctx.json?.Compliance?.StatusReasons instanceof List
+ - foreach:
+ field: json.Compliance.StatusReasons
+ processor:
+ rename:
+ field: _ingest._value.ReasonCode
+ target_field: _ingest._value.reason_code
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Compliance?.StatusReasons != null && ctx.json?.Compliance?.StatusReasons instanceof List
+ - rename:
+ field: json.Compliance.StatusReasons
+ target_field: aws.securityhub_findings_full_posture.compliance.status_reasons
+ ignore_missing: true
+ - convert:
+ field: json.Confidence
+ target_field: aws.securityhub_findings_full_posture.confidence
+ if: ctx.json?.Confidence != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.CreatedAt
+ if: ctx.json?.CreatedAt != null && ctx.json?.CreatedAt != ''
+ target_field: aws.securityhub_findings_full_posture.created_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.UpdatedAt
+ if: ctx.json?.UpdatedAt != null && ctx.json.UpdatedAt != ''
+ target_field: aws.securityhub_findings_full_posture.updated_at
+ tag: date_updated_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: '@timestamp'
+ value: "{{{_ingest.timestamp}}}"
+ tag: set_timestamp
+ - convert:
+ field: json.Criticality
+ target_field: aws.securityhub_findings_full_posture.criticality
+ if: ctx.json?.Criticality != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.Description
+ target_field: aws.securityhub_findings_full_posture.description
+ ignore_missing: true
+ - set:
+ field: rule.description
+ tag: set_rule_description
+ copy_from: aws.securityhub_findings_full_posture.description
+ ignore_empty_value: true
+ - convert:
+ field: json.FindingProviderFields.Confidence
+ target_field: aws.securityhub_findings_full_posture.provider_fields.confidence
+ if: ctx.json?.FindingProviderFields?.Confidence != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.FindingProviderFields.Criticality
+ target_field: aws.securityhub_findings_full_posture.provider_fields.criticality
+ if: ctx.json?.FindingProviderFields?.Criticality != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.FindingProviderFields.RelatedFindings
+ processor:
+ rename:
+ field: _ingest._value.Id
+ target_field: _ingest._value.id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.FindingProviderFields?.RelatedFindings != null && ctx.json?.FindingProviderFields?.RelatedFindings instanceof List
+ - foreach:
+ field: json.FindingProviderFields.RelatedFindings
+ processor:
+ rename:
+ field: _ingest._value.ProductArn
+ target_field: _ingest._value.product.arn
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.FindingProviderFields?.RelatedFindings != null && ctx.json?.FindingProviderFields?.RelatedFindings instanceof List
+ - rename:
+ field: json.FindingProviderFields.RelatedFindings
+ target_field: aws.securityhub_findings_full_posture.provider_fields.related_findings
+ ignore_missing: true
+ - rename:
+ field: json.FindingProviderFields.Severity.Label
+ target_field: aws.securityhub_findings_full_posture.provider_fields.severity.label
+ ignore_missing: true
+ - rename:
+ field: json.FindingProviderFields.Severity.Original
+ target_field: aws.securityhub_findings_full_posture.provider_fields.severity.original
+ ignore_missing: true
+ - convert:
+ field: json.FindingProviderFields.Severity.Normalized
+ target_field: aws.securityhub_findings_full_posture.provider_fields.severity.normalized
+ if: ctx.json?.FindingProviderFields?.Severity?.Normalized != ''
+ type: string
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.FindingProviderFields.Severity.Product
+ target_field: aws.securityhub_findings_full_posture.provider_fields.severity.product
+ if: ctx.json?.FindingProviderFields?.Severity?.Product != ''
+ type: string
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.FindingProviderFields.Types
+ target_field: aws.securityhub_findings_full_posture.provider_fields.types
+ ignore_missing: true
+ - date:
+ field: json.FirstObservedAt
+ if: ctx.json?.FirstObservedAt != null && ctx.json?.FirstObservedAt != ''
+ target_field: aws.securityhub_findings_full_posture.first_observed_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.GeneratorId
+ target_field: aws.securityhub_findings_full_posture.generator.id
+ ignore_missing: true
+ - set:
+ field: rule.id
+ tag: set_rule_id_from_generator_id
+ copy_from: aws.securityhub_findings_full_posture.generator.id
+ ignore_empty_value: true
+ - rename:
+ field: json.Compliance.SecurityControlId
+ target_field: aws.securityhub_findings_full_posture.compliance.security_control_id
+ ignore_missing: true
+ - set:
+ field: rule.id
+ tag: set_rule_id_from_security_control_id
+ copy_from: aws.securityhub_findings_full_posture.compliance.security_control_id
+ if: ctx.rule?.id == null
+ ignore_empty_value: true
+ - rename:
+ field: json.Id
+ target_field: aws.securityhub_findings_full_posture.id
+ ignore_missing: true
+ - set:
+ field: event.id
+ copy_from: aws.securityhub_findings_full_posture.id
+ ignore_failure: true
+ - date:
+ field: json.LastObservedAt
+ if: ctx.json?.LastObservedAt != null && ctx.json?.LastObservedAt != ''
+ target_field: aws.securityhub_findings_full_posture.last_observed_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.ProcessedAt
+ if: ctx.json?.ProcessedAt != null && ctx.json.ProcessedAt != ''
+ target_field: aws.securityhub_findings_full_posture.processed_at
+ tag: date_processed_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.created
+ tag: set_event_created
+ copy_from: aws.securityhub_findings_full_posture.processed_at
+ ignore_empty_value: true
+ - foreach:
+ field: json.Malware
+ processor:
+ rename:
+ field: _ingest._value.Name
+ target_field: _ingest._value.name
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Malware != null && ctx.json?.Malware instanceof List
+ - foreach:
+ field: json.Malware
+ processor:
+ rename:
+ field: _ingest._value.Path
+ target_field: _ingest._value.path
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Malware != null && ctx.json?.Malware instanceof List
+ - foreach:
+ field: json.Malware
+ processor:
+ rename:
+ field: _ingest._value.State
+ target_field: _ingest._value.state
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Malware != null && ctx.json?.Malware instanceof List
+ - foreach:
+ field: json.Malware
+ processor:
+ rename:
+ field: _ingest._value.Type
+ target_field: _ingest._value.type
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.Malware != null && ctx.json?.Malware instanceof List
+ - rename:
+ field: json.Malware
+ target_field: aws.securityhub_findings_full_posture.malware
+ ignore_missing: true
+ - rename:
+ field: json.Network.DestinationDomain
+ target_field: aws.securityhub_findings_full_posture.network.destination.domain
+ ignore_missing: true
+ - set:
+ field: destination.domain
+ copy_from: aws.securityhub_findings_full_posture.network.destination.domain
+ ignore_failure: true
+ - convert:
+ field: json.Network.DestinationIpV4
+ target_field: aws.securityhub_findings_full_posture.network.destination.ip.v4
+ if: ctx.json?.Network?.DestinationIpV4 != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: destination.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.destination.ip.v4}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.destination?.ip?.v4 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.Network.DestinationIpV6
+ target_field: aws.securityhub_findings_full_posture.network.destination.ip.v6
+ if: ctx.json?.Network?.DestinationIpV6 != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: destination.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.destination.ip.v6}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.destination?.ip?.v6 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.Network.DestinationPort
+ target_field: aws.securityhub_findings_full_posture.network.destination.port
+ if: ctx.json?.Network?.DestinationPort != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.port
+ copy_from: aws.securityhub_findings_full_posture.network.destination.port
+ ignore_failure: true
+ - rename:
+ field: json.Network.Direction
+ target_field: aws.securityhub_findings_full_posture.network.direction
+ ignore_missing: true
+ - set:
+ field: network.direction
+ value: inbound
+ if: "ctx.aws?.securityhub_findings_full_posture?.network?.direction == 'IN'"
+ - set:
+ field: network.direction
+ value: outbound
+ if: "ctx.aws?.securityhub_findings_full_posture?.network?.direction == 'OUT'"
+ - convert:
+ field: json.Network.OpenPortRange.Begin
+ target_field: aws.securityhub_findings_full_posture.network.open_port_range.begin
+ if: ctx.json?.Network?.OpenPortRange?.Begin != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.Network.OpenPortRange.End
+ target_field: aws.securityhub_findings_full_posture.network.open_port_range.end
+ if: ctx.json?.Network?.OpenPortRange?.End != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.Network.Protocol
+ target_field: aws.securityhub_findings_full_posture.network.protocol
+ ignore_missing: true
+ - set:
+ field: network.protocol
+ copy_from: aws.securityhub_findings_full_posture.network.protocol
+ ignore_failure: true
+ - lowercase:
+ field: network.protocol
+ ignore_missing: true
+ - rename:
+ field: json.Network.SourceDomain
+ target_field: aws.securityhub_findings_full_posture.network.source.domain
+ ignore_missing: true
+ - set:
+ field: source.domain
+ copy_from: aws.securityhub_findings_full_posture.network.source.domain
+ ignore_failure: true
+ - convert:
+ field: json.Network.SourceIpV4
+ target_field: aws.securityhub_findings_full_posture.network.source.ip.v4
+ if: ctx.json?.Network?.SourceIpV4 != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: source.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.source.ip.v4}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.source?.ip?.v4 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.Network.SourceIpV6
+ target_field: aws.securityhub_findings_full_posture.network.source.ip.v6
+ if: ctx.json?.Network?.SourceIpV6 != ''
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: source.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.source.ip.v6}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.source?.ip?.v6 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.Network.SourceMac
+ target_field: aws.securityhub_findings_full_posture.network.source.mac
+ ignore_missing: true
+ - gsub:
+ field: aws.securityhub_findings_full_posture.network.source.mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: aws.securityhub_findings_full_posture.network.source.mac
+ ignore_missing: true
+ - set:
+ field: source.mac
+ copy_from: aws.securityhub_findings_full_posture.network.source.mac
+ ignore_failure: true
+ - convert:
+ field: json.Network.SourcePort
+ target_field: aws.securityhub_findings_full_posture.network.source.port
+ if: ctx.json?.Network?.SourcePort != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.port
+ copy_from: aws.securityhub_findings_full_posture.network.source.port
+ ignore_failure: true
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.ComponentId
+ target_field: _ingest._value.component.id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.ComponentType
+ target_field: _ingest._value.component.type
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Egress.Destination.Address
+ target_field: _ingest._value.egress.destination.address
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Egress.Destination.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.Begin
+ target_field: _ingest._value.begin
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Egress.Destination.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.End
+ target_field: _ingest._value.end
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Egress.Destination.PortRanges
+ processor:
+ remove:
+ field:
+ - _ingest._value.Begin
+ - _ingest._value.End
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Egress.Destination.PortRanges
+ target_field: _ingest._value.egress.destination.port_ranges
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Egress.Protocol
+ target_field: _ingest._value.egress.protocol
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Egress.Source.Address
+ target_field: _ingest._value.egress.source.address
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Egress.Source.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.Begin
+ target_field: _ingest._value.begin
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Egress.Source.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.End
+ target_field: _ingest._value.end
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Egress.Source.PortRanges
+ processor:
+ remove:
+ field:
+ - _ingest._value.Begin
+ - _ingest._value.End
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Egress.Source.PortRanges
+ target_field: _ingest._value.egress.source.port_ranges
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Ingress.Destination.Address
+ target_field: _ingest._value.ingress.destination.address
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Ingress.Destination.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.Begin
+ target_field: _ingest._value.begin
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Ingress.Destination.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.End
+ target_field: _ingest._value.end
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Ingress.Destination.PortRanges
+ processor:
+ remove:
+ field:
+ - _ingest._value.Begin
+ - _ingest._value.End
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Ingress.Destination.PortRanges
+ target_field: _ingest._value.ingress.destination.port_ranges
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Ingress.Protocol
+ target_field: _ingest._value.ingress.protocol
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Ingress.Source.Address
+ target_field: _ingest._value.ingress.source.address
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Ingress.Source.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.Begin
+ target_field: _ingest._value.begin
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Ingress.Source.PortRanges
+ processor:
+ convert:
+ field: _ingest._value.End
+ target_field: _ingest._value.end
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ foreach:
+ field: _ingest._value.Ingress.Source.PortRanges
+ processor:
+ remove:
+ field:
+ - _ingest._value.Begin
+ - _ingest._value.End
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - foreach:
+ field: json.NetworkPath
+ processor:
+ rename:
+ field: _ingest._value.Ingress.Source.PortRanges
+ target_field: _ingest._value.ingress.source.port_ranges
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.NetworkPath != null && ctx.json?.NetworkPath instanceof List
+ - rename:
+ field: json.NetworkPath
+ target_field: aws.securityhub_findings_full_posture.network_path
+ ignore_missing: true
+ - rename:
+ field: json.Note.Text
+ target_field: aws.securityhub_findings_full_posture.note.text
+ ignore_missing: true
+ - date:
+ field: json.Note.UpdatedAt
+ if: ctx.json?.Note?.UpdatedAt != null && ctx.json?.Note?.UpdatedAt != ''
+ target_field: aws.securityhub_findings_full_posture.note.updated_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.Note.UpdatedBy
+ target_field: aws.securityhub_findings_full_posture.note.updated_by
+ ignore_missing: true
+ - convert:
+ field: json.PatchSummary.FailedCount
+ target_field: aws.securityhub_findings_full_posture.patch_summary.failed.count
+ if: ctx.json?.PatchSummary?.FailedCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.PatchSummary.Id
+ target_field: aws.securityhub_findings_full_posture.patch_summary.id
+ ignore_missing: true
+ - convert:
+ field: json.PatchSummary.InstalledCount
+ target_field: aws.securityhub_findings_full_posture.patch_summary.installed.count
+ if: ctx.json?.PatchSummary?.InstalledCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.PatchSummary.InstalledOtherCount
+ target_field: aws.securityhub_findings_full_posture.patch_summary.installed.other.count
+ if: ctx.json?.PatchSummary?.InstalledOtherCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.PatchSummary.InstalledPendingReboot
+ target_field: aws.securityhub_findings_full_posture.patch_summary.installed.pending_reboot
+ if: ctx.json?.PatchSummary?.InstalledPendingReboot != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.PatchSummary.InstalledRejectedCount
+ target_field: aws.securityhub_findings_full_posture.patch_summary.installed.rejected.count
+ if: ctx.json?.PatchSummary?.InstalledRejectedCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.PatchSummary.MissingCount
+ target_field: aws.securityhub_findings_full_posture.patch_summary.missing.count
+ if: ctx.json?.PatchSummary?.MissingCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.PatchSummary.Operation
+ target_field: aws.securityhub_findings_full_posture.patch_summary.operation.type
+ ignore_missing: true
+ - date:
+ field: json.PatchSummary.OperationEndTime
+ if: ctx.json?.PatchSummary?.OperationEndTime != null && ctx.json?.PatchSummary?.OperationEndTime != ''
+ target_field: aws.securityhub_findings_full_posture.patch_summary.operation.end_time
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.PatchSummary.OperationStartTime
+ if: ctx.json?.PatchSummary?.OperationStartTime != null && ctx.json?.PatchSummary?.OperationStartTime != ''
+ target_field: aws.securityhub_findings_full_posture.patch_summary.operation.start_time
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.PatchSummary.RebootOption
+ target_field: aws.securityhub_findings_full_posture.patch_summary.reboot_option
+ ignore_missing: true
+ - date:
+ field: json.Process.LaunchedAt
+ if: ctx.json?.Process?.LaunchedAt != null && ctx.json?.Process?.LaunchedAt != ''
+ target_field: aws.securityhub_findings_full_posture.process.launched_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.start
+ copy_from: aws.securityhub_findings_full_posture.process.launched_at
+ ignore_failure: true
+ - rename:
+ field: json.Process.Name
+ target_field: aws.securityhub_findings_full_posture.process.name
+ ignore_missing: true
+ - set:
+ field: process.name
+ copy_from: aws.securityhub_findings_full_posture.process.name
+ ignore_failure: true
+ - convert:
+ field: json.Process.ParentPid
+ target_field: aws.securityhub_findings_full_posture.process.parent.pid
+ if: ctx.json?.Process?.ParentPid != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.parent.pid
+ copy_from: aws.securityhub_findings_full_posture.process.parent.pid
+ ignore_failure: true
+ - rename:
+ field: json.Process.Path
+ target_field: aws.securityhub_findings_full_posture.process.path
+ ignore_missing: true
+ - set:
+ field: process.executable
+ copy_from: aws.securityhub_findings_full_posture.process.path
+ ignore_failure: true
+ - convert:
+ field: json.Process.Pid
+ target_field: aws.securityhub_findings_full_posture.process.pid
+ if: ctx.json?.Process?.Pid != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.pid
+ copy_from: aws.securityhub_findings_full_posture.process.pid
+ ignore_failure: true
+ - date:
+ field: json.Process.TerminatedAt
+ if: ctx.json?.Process?.TerminatedAt != null && ctx.json?.Process?.TerminatedAt != ''
+ target_field: aws.securityhub_findings_full_posture.process.terminated_at
+ formats:
+ - ISO8601
+ - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.end
+ copy_from: aws.securityhub_findings_full_posture.process.terminated_at
+ ignore_failure: true
+ - rename:
+ field: json.ProductArn
+ target_field: aws.securityhub_findings_full_posture.product.arn
+ ignore_missing: true
+ - rename:
+ field: json.ProductFields
+ target_field: aws.securityhub_findings_full_posture.product.fields
+ ignore_missing: true
+ - rename:
+ field: json.ProductName
+ target_field: aws.securityhub_findings_full_posture.product.name
+ ignore_missing: true
+ - rename:
+ field: json.RecordState
+ target_field: aws.securityhub_findings_full_posture.record_state
+ ignore_missing: true
+ - rename:
+ field: json.Region
+ target_field: aws.securityhub_findings_full_posture.region
+ ignore_missing: true
+ - set:
+ field: cloud.region
+ tag: set_cloud_region
+ copy_from: aws.securityhub_findings_full_posture.region
+ ignore_empty_value: true
+ - foreach:
+ field: json.RelatedFindings
+ processor:
+ rename:
+ field: _ingest._value.Id
+ target_field: _ingest._value.id
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.RelatedFindings != null && ctx.json?.RelatedFindings instanceof List
+ - foreach:
+ field: json.RelatedFindings
+ processor:
+ rename:
+ field: _ingest._value.ProductArn
+ target_field: _ingest._value.product.arn
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.json?.RelatedFindings != null && ctx.json?.RelatedFindings instanceof List
+ - rename:
+ field: json.RelatedFindings
+ target_field: aws.securityhub_findings_full_posture.related_findings
+ ignore_missing: true
+ - rename:
+ field: json.Remediation.Recommendation.Text
+ target_field: aws.securityhub_findings_full_posture.remediation.recommendation.text
+ ignore_missing: true
+ - rename:
+ field: json.Remediation.Recommendation.Url
+ target_field: aws.securityhub_findings_full_posture.remediation.recommendation.url
+ ignore_missing: true
+ - set:
+ field: rule.reference
+ tag: set_rule_reference
+ copy_from: aws.securityhub_findings_full_posture.remediation.recommendation.url
+ ignore_empty_value: true
+ - set:
+ field: rule.remediation
+ tag: set_rule_remediation
+ value: "{{{aws.securityhub_findings_full_posture.remediation.recommendation.text}}}\r\n{{{aws.securityhub_findings_full_posture.remediation.recommendation.url}}}"
+ if: ctx.aws?.securityhub_findings_full_posture?.remediation?.recommendation?.url != null && ctx.aws.securityhub_findings_full_posture.remediation.recommendation.text != null
+ ignore_empty_value: true
+ - rename:
+ field: json.Resources
+ target_field: aws.securityhub_findings_full_posture.resources
+ ignore_missing: true
+ - script:
+ description: Extract fields from aws.securityhub_findings_full_posture.resources with single resource.
+ tag: script_extract_fields_from_single_resource
+ lang: painless
+ if: ctx.aws?.securityhub_findings_full_posture?.resources instanceof List && ctx.aws.securityhub_findings_full_posture.resources.size() > 0
+ source: |-
+ // Arrays won't work in general in current UI of Cloud Security Posture workflow. In AWS SecurityHub, a finding may contain multiple resources, but rarely.
+ // When a finding has single-resource, we extract fields as single-value so that the Findings UI behaves as expected for almost all cases.
+ // But in the rare multi-resource case, we extract fields into an array to not miss any affected resources for a finding.
+ // This trade-off is okay as not many findings will be affected. When our UI natively supports multi-resources, the single-value resource extraction must be removed.
+
+ def resources = ctx.aws.securityhub_findings_full_posture.resources;
+
+ // Define fields to be extracted.
+ if (ctx.resource == null) {
+ ctx.resource = new HashMap();
+ }
+ if (ctx.user == null) {
+ ctx.user = new HashMap();
+ }
+ if (ctx.host == null) {
+ ctx.host = new HashMap();
+ }
+ if (ctx.host.ip == null) {
+ ctx.host.ip = new ArrayList();
+ }
+ if (ctx.orchestrator == null) {
+ ctx.orchestrator = new HashMap();
+ }
+ if (ctx.orchestrator.cluster == null) {
+ ctx.orchestrator.cluster = new HashMap();
+ }
+ if (ctx.orchestrator.resource == null) {
+ ctx.orchestrator.resource = new HashMap();
+ }
+ if (ctx.cloud == null) {
+ ctx.cloud = new HashMap();
+ }
+ if (ctx.cloud.instance == null) {
+ ctx.cloud.instance = new HashMap();
+ }
+ if (ctx.cloud.service == null) {
+ ctx.cloud.service = new HashMap();
+ }
+
+ // This extraction logic is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources.
+
+ if (resources.size() == 1){
+ def res = resources[0];
+
+ // Extract resource field
+ ctx.resource.type = res.Type;
+ ctx.resource.id = res.Id;
+ def res_name;
+ String[] tokenList = res.Id.splitOnToken(":");
+ if (res.Details != null && res.Details[res.Type]?.Name != null) {
+ res_name = res.Details[res.Type].Name;
+ } else {
+ res_name = tokenList[tokenList.length - 1];
+ }
+ ctx.resource.name = res_name;
+
+ // Extract ECS fields from res.Details
+ if (res.Details != null) {
+ // Extract ECS user field from res.Details
+ if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) {
+ ctx.user.name = res.Details.AwsIamUser.UserName;
+ }
+ if (res.Type == 'AwsIamAccessKey' && res.Details.AwsIamAccessKey?.UserName != null) {
+ ctx.user.name = res.Details.AwsIamAccessKey.UserName;
+ }
+ if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerName != null) {
+ ctx.user.name = res.Details.AwsS3Bucket.OwnerName;
+ }
+ if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserId != null) {
+ ctx.user.id = res.Details.AwsIamUser.UserId;
+ }
+ if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) {
+ ctx.user.id = res.Details.AwsS3Bucket.OwnerId;
+ }
+
+ // Extract ECS host field from res.Details
+ if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) {
+ ctx.host.name = res.Details.AwsEcsContainer.Name;
+ }
+ if (res.Type == 'AwsEc2Instance' && (res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null)) {
+ for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) {
+ if (ipv4 instanceof String) {
+ ctx.host.ip.add(ipv4);
+ }
+ }
+ for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) {
+ if (ipv6 instanceof String) {
+ ctx.host.ip.add(ipv6);
+ }
+ }
+ }
+
+ // Extract ECS orchestrator field from res.Details
+ if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) {
+ ctx.orchestrator.cluster.id =
res.Details.AwsEcsCluster.ClusterArn; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id = res.Details.AwsEksCluster.Arn; + } + if (res.Type == 'AwsEcsCluster' && res.Details.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name = res.Details.AwsEcsCluster.ClusterName; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name = res.Details.AwsEksCluster.Name; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version = res.Details.AwsEksCluster.Version; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) { + ctx.orchestrator.cluster.url = res.Details.AwsEksCluster.Endpoint; + } + + // Extract ECS cloud field from res.Details + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details[res.Type].AvailabilityZone; + } + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone = az; + } + } + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone = az.Value; + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone; + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: 
res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone = az.ZoneName; + } + } + } + + // Extract ECS host field not in res.Details + if (res.Type == 'AwsEc2Instance' && res.Id != null) { + ctx.host.id = res.Id; + } + + // Extract ECS orchestrator field not in res.Details + if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { + ctx.orchestrator.resource.id = res.Id; + ctx.orchestrator.resource.name = res_name; + ctx.orchestrator.resource.type = res.Type; + if (res.Type.startsWith('AwsEks')) { + ctx.orchestrator.type = 'kubernetes'; + } else { + ctx.orchestrator.type = 'ecs'; + } + } + + // Extract ECS cloud field not in res.Details + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id = res.Id; + ctx.cloud.instance.name = res_name; + } + if (tokenList.length > 2) { + ctx.cloud.service.name = tokenList[2]; + } + } + - script: + description: Extract fields from aws.securityhub_findings_full_posture.resources. + tag: script_extract_fields_from_multiple_resources + lang: painless + if: ctx.aws?.securityhub_findings_full_posture?.resources instanceof List && ctx.aws.securityhub_findings_full_posture.resources.size() > 1 + source: |- + def resources = ctx.aws.securityhub_findings_full_posture.resources; + + // Define fields to be extracted. 
+ if (ctx.resource.type == null) { + ctx.resource.type = new ArrayList(); + } + if (ctx.resource.id == null) { + ctx.resource.id = new ArrayList(); + } + if (ctx.resource.name == null) { + ctx.resource.name = new ArrayList(); + } + + if (ctx.user.name == null) { + ctx.user.name = new ArrayList(); + } + if (ctx.user.id == null) { + ctx.user.id = new ArrayList(); + } + + if (ctx.host.id == null) { + ctx.host.id = new ArrayList(); + } + if (ctx.host.ip == null) { + ctx.host.ip = new ArrayList(); + } + if (ctx.host.name == null) { + ctx.host.name = new ArrayList(); + } + + if (ctx.orchestrator.type == null) { + ctx.orchestrator.type = new ArrayList(); + } + if (ctx.orchestrator.cluster.id == null) { + ctx.orchestrator.cluster.id = new ArrayList(); + } + if (ctx.orchestrator.cluster.name == null) { + ctx.orchestrator.cluster.name = new ArrayList(); + } + if (ctx.orchestrator.cluster.version == null) { + ctx.orchestrator.cluster.version = new ArrayList(); + } + if (ctx.orchestrator.resource.id == null) { + ctx.orchestrator.resource.id = new ArrayList(); + } + if (ctx.orchestrator.resource.name == null) { + ctx.orchestrator.resource.name = new ArrayList(); + } + if (ctx.orchestrator.resource.type == null) { + ctx.orchestrator.resource.type = new ArrayList(); + } + + if (ctx.cloud.instance.id == null) { + ctx.cloud.instance.id = new ArrayList(); + } + if (ctx.cloud.instance.name == null) { + ctx.cloud.instance.name = new ArrayList(); + } + if (ctx.cloud.service.name == null) { + ctx.cloud.service.name = new ArrayList(); + } + if (ctx.cloud.availability_zone == null) { + ctx.cloud.availability_zone = new ArrayList(); + } + + for (res in resources) { + // Extract resource field + ctx.resource.type.add(res.Type); + ctx.resource.id.add(res.Id); + def res_name; + String[] tokenList = res.Id.splitOnToken(":"); + if (res.Details != null && res.Details[res.Type]?.Name != null) { + res_name = res.Details[res.Type].Name; + } else { + res_name = tokenList[tokenList.length - 1]; + } + 
ctx.resource.name.add(res_name); + + // Extract ECS fields from res.Details + if (res.Details != null) { + // Extract ECS user field from res.Details + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) { + ctx.user.name.add(res.Details.AwsIamUser.UserName); + } + if (res.Type == 'AwsIamAccessKey' && res.Details.AwsIamAccessKey?.UserName != null) { + ctx.user.name.add(res.Details.AwsIamAccessKey.UserName); + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerName != null) { + ctx.user.name.add(res.Details.AwsS3Bucket.OwnerName); + } + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserId != null) { + ctx.user.id.add(res.Details.AwsIamUser.UserId); + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) { + ctx.user.id.add(res.Details.AwsS3Bucket.OwnerId); + } + + // Extract ECS host field from res.Details + if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) { + ctx.host.name.add(res.Details.AwsEcsContainer.Name); + } + if (res.Type == 'AwsEc2Instance' && (res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null)) { + for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) { + if (ipv4 instanceof String) { + ctx.host.ip.add(ipv4); + } + } + for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) { + if (ipv6 instanceof String) { + ctx.host.ip.add(ipv6); + } + } + } + + // Extract ECS orchestrator field from res.Details + if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEksCluster.Arn); + } + if (res.Type == 'AwsEcsCluster' && res.Details.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEcsCluster.ClusterName); + } + if 
(res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEksCluster.Name); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version.add(res.Details.AwsEksCluster.Version); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) { + ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint); + } + + // Extract ECS cloud field from res.Details + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone); + } + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone.add(az); + } + } + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.Value); + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone); + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.ZoneName); + } + } + } + + // Extract ECS host field not in res.Details + if (res.Type == 'AwsEc2Instance' && res.Id != null) { + ctx.host.id.add(res.Id); + } + + // Extract ECS orchestrator field not in res.Details + if (res.Type.startsWith('AwsEks') || 
res.Type.startsWith('AwsEcs')) { + ctx.orchestrator.resource.id.add(res.Id); + ctx.orchestrator.resource.name.add(res_name); + ctx.orchestrator.resource.type.add(res.Type); + if (res.Type.startsWith('AwsEks')) { + ctx.orchestrator.type.add('kubernetes'); + } else { + ctx.orchestrator.type.add('ecs'); + } + } + + // Extract ECS cloud field not in res.Details + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id.add(res.Id); + ctx.cloud.instance.name.add(res_name); + } + if (tokenList.length > 2) { + ctx.cloud.service.name.add(tokenList[2]); + } + } + - convert: + field: json.Sample + target_field: aws.securityhub_findings_full_posture.sample + if: ctx.json?.Sample != '' + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.SchemaVersion + target_field: aws.securityhub_findings_full_posture.schema.version + ignore_missing: true + - rename: + field: json.Severity.Label + target_field: aws.securityhub_findings_full_posture.severity.label + ignore_missing: true + - convert: + field: json.Severity.Normalized + target_field: aws.securityhub_findings_full_posture.severity.normalized + if: ctx.json?.Severity?.Normalized != '' + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: aws.securityhub_findings_full_posture.severity.normalized + tag: convert_severity_normalized + target_field: event.severity + if: ctx.aws?.securityhub_findings_full_posture?.severity?.normalized != null + type: long + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.Severity.Original + target_field: aws.securityhub_findings_full_posture.severity.original + 
ignore_missing: true + - convert: + field: json.Severity.Product + target_field: aws.securityhub_findings_full_posture.severity.product + if: ctx.json?.Severity?.Product != '' + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.SourceUrl + target_field: aws.securityhub_findings_full_posture.source_url + ignore_missing: true + - uri_parts: + field: aws.securityhub_findings_full_posture.source_url + if: ctx.aws?.securityhub_findings_full_posture?.source_url != '' && ctx.aws?.securityhub_findings_full_posture?.source_url != null + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: url.full + value: '{{{url.original}}}' + ignore_failure: true + - foreach: + field: json.ThreatIntelIndicators + processor: + rename: + field: _ingest._value.Category + target_field: _ingest._value.category + ignore_missing: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - foreach: + field: json.ThreatIntelIndicators + processor: + date: + field: _ingest._value.LastObservedAt + target_field: _ingest._value.last_observed_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + ignore_failure: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - foreach: + field: json.ThreatIntelIndicators + processor: + remove: + field: + - _ingest._value.LastObservedAt + ignore_missing: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - foreach: + field: json.ThreatIntelIndicators + processor: + rename: + field: _ingest._value.Source + target_field: _ingest._value.source + ignore_missing: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - 
foreach: + field: json.ThreatIntelIndicators + processor: + rename: + field: _ingest._value.SourceUrl + target_field: _ingest._value.source_url + ignore_missing: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - foreach: + field: json.ThreatIntelIndicators + processor: + rename: + field: _ingest._value.Value + target_field: _ingest._value.value + ignore_missing: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - foreach: + field: json.ThreatIntelIndicators + processor: + rename: + field: _ingest._value.Type + target_field: _ingest._value.type + ignore_missing: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - foreach: + field: json.ThreatIntelIndicators + processor: + set: + field: threat.indicator.last_seen + copy_from: _ingest._value.last_observed_at + ignore_failure: true + ignore_failure: true + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - script: + description: Map box field ThreatIntelIndicator to ECS field threat.indicator.type + lang: painless + params: + "DOMAIN": domain-name + "EMAIL_ADDRESS": email-addr + "HASH_MD5": file + "HASH_SHA1": file + "HASH_SHA256": file + "HASH_SHA512": file + "IPV4_ADDRESS": ipv4-addr + "IPV6_ADDRESS": ipv6-addr + "MUTEX": mutex + "PROCESS": process + "URL": url + source: |- + for (ti in ctx.json.ThreatIntelIndicators) { + def type = ti.type; + if (params.containsKey(type)) { + def mapped_type = params.get(type); + ctx.threat.indicator.type = mapped_type; + + if (mapped_type == 'file') { + def hash_name = type.splitOnToken("_")[1].toLowerCase(); + def hash_value = ti.value; + + Map hash = new HashMap(); + hash.put(hash_name,hash_value); + Map file = new HashMap(); + file.put("hash",hash); + Map indicator = new HashMap(); + indicator.indicator 
= new HashMap(); + indicator.indicator.put("file", file); + + if (ctx.threat.enrichments == null) { + ctx.threat.enrichments = new ArrayList(); + } + + ctx.threat.enrichments.add(indicator); + } + } + } + if: ctx.json?.ThreatIntelIndicators != null && ctx.json?.ThreatIntelIndicators instanceof List + - rename: + field: json.ThreatIntelIndicators + target_field: aws.securityhub_findings_full_posture.threat_intel_indicators + ignore_missing: true + - rename: + field: json.Title + target_field: aws.securityhub_findings_full_posture.title + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name + copy_from: aws.securityhub_findings_full_posture.title + ignore_empty_value: true + - rename: + field: json.Types + target_field: aws.securityhub_findings_full_posture.types + ignore_missing: true + - rename: + field: json.UserDefinedFields + target_field: aws.securityhub_findings_full_posture.user_defined_fields + ignore_missing: true + - rename: + field: json.VerificationState + target_field: aws.securityhub_findings_full_posture.verification_state + ignore_missing: true + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + foreach: + field: _ingest._value.Adjustments + processor: + rename: + field: _ingest._value.Metric + target_field: _ingest._value.metric + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + foreach: + field: _ingest._value.Adjustments + processor: + rename: + field: _ingest._value.Reason + target_field: _ingest._value.reason + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && 
ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + rename: + field: _ingest._value.Adjustments + target_field: _ingest._value.adjustments + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + convert: + field: _ingest._value.BaseScore + target_field: _ingest._value.base_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + rename: + field: _ingest._value.BaseVector + target_field: _ingest._value.base_vector + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + rename: + field: _ingest._value.Source + target_field: _ingest._value.source + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + rename: + field: _ingest._value.Version + target_field: _ingest._value.version + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof 
List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + set: + field: vulnerability.score.base + copy_from: _ingest._value.base_score + ignore_failure: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + set: + field: vulnerability.score.version + copy_from: _ingest._value.version + ignore_failure: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.Cvss + processor: + remove: + field: + - _ingest._value.BaseScore + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.Cvss + target_field: _ingest._value.cvss + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.Id + target_field: _ingest._value.id + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + set: + field: vulnerability.id + copy_from: _ingest._value.id + ignore_failure: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.ReferenceUrls + target_field: _ingest._value.reference_urls + 
ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + set: + field: vulnerability.reference + copy_from: _ingest._value.reference_urls + ignore_failure: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.RelatedVulnerabilities + target_field: _ingest._value.related_vulnerabilities + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.Vendor.Name + target_field: _ingest._value.vendor.name + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + set: + field: vulnerability.scanner.vendor + copy_from: _ingest._value.vendor.name + ignore_failure: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.Vendor.Url + target_field: _ingest._value.vendor.url + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + date: + field: _ingest._value.Vendor.VendorCreatedAt + target_field: _ingest._value.vendor.created_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + ignore_failure: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.Vendor.VendorSeverity + target_field: 
_ingest._value.vendor.severity + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + date: + field: _ingest._value.Vendor.VendorUpdatedAt + target_field: _ingest._value.vendor.updated_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + ignore_failure: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + remove: + field: + - _ingest._value.Vendor.VendorCreatedAt + - _ingest._value.Vendor.VendorUpdatedAt + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.Category + target_field: _ingest._value.category + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.Architecture + target_field: _ingest._value.architecture + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.Epoch + target_field: _ingest._value.epoch + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + 
processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.FilePath + target_field: _ingest._value.file_path + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.Name + target_field: _ingest._value.name + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.PackageManager + target_field: _ingest._value.package_manager + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.Release + target_field: _ingest._value.release + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + foreach: + field: _ingest._value.VulnerablePackages + processor: + rename: + field: _ingest._value.Version + target_field: _ingest._value.version + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - foreach: + field: json.Vulnerabilities + processor: + rename: + field: _ingest._value.VulnerablePackages + target_field: 
_ingest._value.vulnerable_packages + ignore_missing: true + ignore_failure: true + if: ctx.json?.Vulnerabilities != null && ctx.json?.Vulnerabilities instanceof List + - rename: + field: json.Vulnerabilities + target_field: aws.securityhub_findings_full_posture.vulnerabilities + ignore_missing: true + - rename: + field: json.Workflow.Status + target_field: aws.securityhub_findings_full_posture.workflow.status + ignore_missing: true + - rename: + field: json.WorkflowState + target_field: aws.securityhub_findings_full_posture.workflow.state + ignore_missing: true + - remove: + field: + - json + ignore_missing: true + - append: + field: related.ip + value: '{{{aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.ip.address_v4}}}' + if: ctx.aws?.securityhub_findings_full_posture?.action?.aws_api_call?.remote_ip?.ip?.address_v4 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{aws.securityhub_findings_full_posture.action.network_connection.remote_ip.ip.address_v4}}}' + if: ctx.aws?.securityhub_findings_full_posture?.action?.network_connection?.remote_ip?.ip?.address_v4 != null + allow_duplicates: false + ignore_failure: true + - foreach: + field: aws.securityhub_findings_full_posture.action.port_probe.details + processor: + append: + field: related.ip + value: '{{{_ingest._value.local.ip.address_v4}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.aws?.securityhub_findings_full_posture?.action?.port_probe?.details != null && ctx.aws?.securityhub_findings_full_posture?.action?.port_probe?.details instanceof List + - foreach: + field: aws.securityhub_findings_full_posture.action.port_probe.details + processor: + append: + field: related.ip + value: '{{{_ingest._value.remote_ip.ip.address_v4}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.aws?.securityhub_findings_full_posture?.action?.port_probe?.details != null && 
ctx.aws?.securityhub_findings_full_posture?.action?.port_probe?.details instanceof List
+ - append:
+ field: related.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.destination.ip.v4}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.destination?.ip?.v4 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.destination.ip.v6}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.destination?.ip?.v6 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.source.ip.v4}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.source?.ip?.v4 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: '{{{aws.securityhub_findings_full_posture.network.source.ip.v6}}}'
+ if: ctx.aws?.securityhub_findings_full_posture?.network?.source?.ip?.v6 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - remove:
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ field:
+ - aws.securityhub_findings_full_posture.created_at
+ - aws.securityhub_findings_full_posture.action.type
+ - aws.securityhub_findings_full_posture.id
+ - aws.securityhub_findings_full_posture.network.destination.domain
+ - aws.securityhub_findings_full_posture.network.destination.ip.v4
+ - aws.securityhub_findings_full_posture.network.destination.ip.v6
+ - aws.securityhub_findings_full_posture.network.destination.port
+ - aws.securityhub_findings_full_posture.network.direction
+ - aws.securityhub_findings_full_posture.network.protocol
+ - aws.securityhub_findings_full_posture.network.source.domain
+ - aws.securityhub_findings_full_posture.network.source.ip.v4
+ - aws.securityhub_findings_full_posture.network.source.ip.v6
+ - aws.securityhub_findings_full_posture.network.source.mac
+ - 
aws.securityhub_findings_full_posture.network.source.port
+ - aws.securityhub_findings_full_posture.process.launched_at
+ - aws.securityhub_findings_full_posture.process.name
+ - aws.securityhub_findings_full_posture.process.parent.pid
+ - aws.securityhub_findings_full_posture.process.path
+ - aws.securityhub_findings_full_posture.process.pid
+ - aws.securityhub_findings_full_posture.process.terminated_at
+ ignore_failure: true
+ ignore_missing: true
+ - foreach:
+ field: aws.securityhub_findings_full_posture.threat_intel_indicators
+ processor:
+ remove:
+ field:
+ - _ingest._value.last_observed_at
+ - _ingest._value.type
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ ignore_failure: true
+ ignore_missing: true
+ ignore_missing: true
+ - foreach:
+ field: aws.securityhub_findings_full_posture.vulnerabilities
+ processor:
+ remove:
+ field:
+ - _ingest._value.cvss.base_score
+ - _ingest._value.cvss.version
+ - _ingest._value.id
+ - _ingest._value.reference_urls
+ - _ingest._value.vendor.name
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ ignore_failure: true
+ ignore_missing: true
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively. 
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/agent.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/agent.yml
new file mode 100644
index 00000000000..7573d81577c
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/agent.yml
@@ -0,0 +1,41 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/base-fields.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/base-fields.yml
new file mode 100644
index 00000000000..538309e2459
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: event.module
+ external: ecs
+ type: constant_keyword
+ value: aws
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: aws.securityhub_findings_full_posture
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/ecs.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/ecs.yml
new file mode 100644
index 00000000000..4c81090790d
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/ecs.yml
@@ -0,0 +1,7 @@
+# Define ECS constant fields as constant_keyword
+- name: cloud.provider
+ type: constant_keyword
+- name: event.kind
+ type: constant_keyword
+- name: observer.vendor
+ type: constant_keyword
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/fields.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/fields.yml
new file mode 100644
index 00000000000..3bf8b0dc96f
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/fields.yml
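Review bot: Declaring `event.kind` as `constant_keyword` in ecs.yml is at odds with the pipeline's `on_failure` handler, which sets `event.kind: pipeline_error`; a constant_keyword field admits exactly one value per index, so once a successfully processed document has pinned the value (the happy-path `set` is not visible in this chunk, but it presumably uses a different kind such as `state` or `event`), every document that trips the failure handler is rejected at index time. For a security data stream that is the worst failure mode: malformed findings vanish instead of landing as searchable `pipeline_error` events you can alert on. Drop the `- name: event.kind` / `type: constant_keyword` pair from ecs.yml, keeping `cloud.provider` and `observer.vendor`, and declare it as an ordinary ECS field alongside the others in base-fields.yml, `- name: event.kind` with `external: ecs`. If the happy path is meant to be the only writer of `event.kind`, say so in the comment at the top of ecs.yml so the next maintainer does not reintroduce the constant.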
@@ -0,0 +1,803 @@ +- name: aws.securityhub_findings_full_posture + type: group + fields: + - name: action + type: group + fields: + - name: aws_api_call + type: group + fields: + - name: affected_resources + type: flattened + description: Identifies the resources that were affected by the API call. + - name: api + type: keyword + description: The name of the API method that was issued. + - name: caller + type: group + fields: + - name: type + type: keyword + description: Indicates whether the API call originated from a remote IP address(remoteip) or from a DNS domain(domain). + - name: domain_details + type: group + fields: + - name: domain + type: keyword + description: The name of the DNS domain that issued the API call. + - name: first_seen + type: date + description: An ISO8601-formatted timestamp that indicates when the API call was first observed. + - name: last_seen + type: date + description: An ISO8601-formatted timestamp that indicates when the API call was most recently observed. + - name: remote_ip + type: group + fields: + - name: city + type: group + fields: + - name: name + type: keyword + description: The name of the city. + - name: country + type: group + fields: + - name: code + type: keyword + description: The 2-letter ISO 3166 country code for the country. + - name: name + type: keyword + description: The name of the country. + - name: geolocation + type: group + fields: + - name: latitude + type: double + description: The longitude of the location. + - name: longitude + type: double + description: The latitude of the location. + - name: ip + type: group + fields: + - name: address_v4 + type: ip + description: The IP address. + - name: organization + type: group + fields: + - name: asn + type: keyword + description: The Autonomous System Number(ASN) of the internet provider. + - name: asn_organization + type: keyword + description: The name of the organization that registered the ASN. 
+ - name: internet_service_provider + type: keyword + description: The name of the internet provider. + - name: internet_provider + type: keyword + description: The ISP information for the internet provider. + - name: service + type: group + fields: + - name: name + type: keyword + description: The name of the Amazon Web Services service that the API method belongs to. + - name: dns_request + type: group + fields: + - name: blocked + type: boolean + description: Indicates whether the DNS request was blocked. + - name: domain + type: keyword + description: The DNS domain that is associated with the DNS request. + - name: protocol + type: keyword + description: The protocol that was used for the DNS request. + - name: network_connection + type: group + fields: + - name: blocked + type: boolean + description: Indicates whether the network connection attempt was blocked. + - name: direction + type: keyword + description: The direction of the network connection request(IN or OUT). + - name: local + type: group + fields: + - name: port + type: group + fields: + - name: name + type: keyword + description: The port name of the local connection. + - name: number + type: long + description: The number of the port. + - name: protocol + type: keyword + description: The protocol used to make the network connection request. + - name: remote + type: group + fields: + - name: port + type: group + fields: + - name: name + type: keyword + description: The port name of the remote connection. + - name: number + type: long + description: The number of the port. + - name: remote_ip + type: group + fields: + - name: city + type: group + fields: + - name: name + type: keyword + description: The name of the city. + - name: country + type: group + fields: + - name: code + type: keyword + description: The 2-letter ISO 3166 country code for the country. + - name: name + type: keyword + description: The name of the country. 
+ - name: geolocation + type: group + fields: + - name: latitude + type: double + description: The longitude of the location. + - name: longitude + type: double + description: The latitude of the location. + - name: ip + type: group + fields: + - name: address_v4 + type: ip + description: The IP address. + - name: organization + type: group + fields: + - name: asn + type: keyword + description: The Autonomous System Number(ASN) of the internet provider. + - name: asn_organization + type: keyword + description: The name of the organization that registered the ASN. + - name: internet_service_provider + type: keyword + description: The name of the internet provider. + - name: internet_provider + type: keyword + description: The ISP information for the internet provider. + - name: port_probe + type: group + fields: + - name: blocked + type: boolean + description: Indicates whether the port probe was blocked. + - name: details + type: group + fields: + - name: local + type: group + fields: + - name: ip + type: group + fields: + - name: address_v4 + type: ip + description: The IP address. + - name: port + type: group + fields: + - name: name + type: keyword + description: The port name of the local connection. + - name: number + type: long + description: The number of the port. + - name: remote_ip + type: group + fields: + - name: city + type: group + fields: + - name: name + type: keyword + description: The name of the city. + - name: country + type: group + fields: + - name: code + type: keyword + description: The 2-letter ISO 3166 country code for the country. + - name: name + type: keyword + description: The name of the country. + - name: geolocation + type: group + fields: + - name: latitude + type: double + description: The longitude of the location. + - name: longitude + type: double + description: The latitude of the location. + - name: ip + type: group + fields: + - name: address_v4 + type: ip + description: The IP address. 
+ - name: organization + type: group + fields: + - name: asn + type: keyword + description: The Autonomous System Number(ASN) of the internet provider. + - name: asn_organization + type: keyword + description: The name of the organization that registered the ASN. + - name: internet_service_provider + type: keyword + description: The name of the internet provider. + - name: internet_provider + type: keyword + description: The ISP information for the internet provider. + - name: type + type: keyword + description: The type of action that was detected. + - name: aws_account_id + type: keyword + description: The Amazon Web Services account ID that a finding is generated in. + - name: company + type: group + fields: + - name: name + type: keyword + description: The name of the company for the product that generated the finding. + - name: compliance + type: group + fields: + - name: security_control_id + type: keyword + description: Unique identifier of a control across standards. + - name: related_requirements + type: keyword + description: For a control, the industry or regulatory framework requirements that are related to the control. + - name: status + type: keyword + description: The result of a standards check. + - name: status_reasons + type: group + fields: + - name: description + type: keyword + description: The corresponding description for the status reason code. + - name: reason_code + type: keyword + description: A code that represents a reason for the control status. + - name: confidence + type: long + description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. + - name: processed_at + type: date + description: Indicates when AWS Security Hub received a finding and begins to process it. + - name: created_at + type: date + description: Indicates when the security-findings provider created the potential security issue that a finding captured. 
+ - name: criticality + type: long + description: The level of importance assigned to the resources associated with the finding. + - name: description + type: keyword + description: A finding's description. + - name: first_observed_at + type: date + description: Indicates when the security-findings provider first observed the potential security issue that a finding captured. + - name: generator + type: group + fields: + - name: id + type: keyword + description: The identifier for the solution-specific component(a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc. + - name: id + type: keyword + description: The security findings provider-specific identifier for a finding. + - name: last_observed_at + type: date + description: Indicates when the security-findings provider most recently observed the potential security issue that a finding captured. + - name: malware + type: group + fields: + - name: name + type: keyword + description: The name of the malware that was observed. + - name: path + type: keyword + description: The file system path of the malware that was observed. + - name: state + type: keyword + description: The state of the malware that was observed. + - name: type + type: keyword + description: The type of the malware that was observed. + - name: network + type: group + fields: + - name: destination + type: group + fields: + - name: domain + type: keyword + description: The destination domain of network-related information about a finding. + - name: ip + type: group + fields: + - name: v4 + type: ip + description: The destination IPv4 address of network-related information about a finding. + - name: v6 + type: ip + description: The destination IPv6 address of network-related information about a finding. + - name: port + type: long + description: The destination port of network-related information about a finding. 
+ - name: direction + type: keyword + description: The direction of network traffic associated with a finding. + - name: open_port_range + type: group + fields: + - name: begin + type: long + description: The first port in the port range. + - name: end + type: long + description: The last port in the port range. + - name: protocol + type: keyword + description: The protocol of network-related information about a finding. + - name: source + type: group + fields: + - name: domain + type: keyword + description: The source domain of network-related information about a finding. + - name: ip + type: group + fields: + - name: v4 + type: ip + description: The source IPv4 address of network-related information about a finding. + - name: v6 + type: ip + description: The source IPv6 address of network-related information about a finding. + - name: mac + type: keyword + description: The source media access control(MAC) address of network-related information about a finding. + - name: port + type: long + description: The source port of network-related information about a finding. + - name: network_path + type: group + fields: + - name: component + type: group + fields: + - name: id + type: keyword + description: The identifier of a component in the network path. + - name: type + type: keyword + description: The type of component. + - name: egress + type: group + fields: + - name: destination + type: group + fields: + - name: address + type: keyword + description: The IP addresses of the destination. + - name: port_ranges + type: group + fields: + - name: begin + type: long + description: The first port in the port range. + - name: end + type: long + description: The last port in the port range. + - name: protocol + type: keyword + description: The protocol used for the component. + - name: source + type: group + fields: + - name: address + type: keyword + description: The IP addresses of the destination. 
+ - name: port_ranges + type: group + fields: + - name: begin + type: long + description: The first port in the port range. + - name: end + type: long + description: The last port in the port range. + - name: ingress + type: group + fields: + - name: destination + type: group + fields: + - name: address + type: keyword + description: The IP addresses of the destination. + - name: port_ranges + type: group + fields: + - name: begin + type: long + description: The first port in the port range. + - name: end + type: long + description: The last port in the port range. + - name: protocol + type: keyword + description: The protocol used for the component. + - name: source + type: group + fields: + - name: address + type: keyword + description: The IP addresses of the destination. + - name: port_ranges + type: group + fields: + - name: begin + type: long + description: The first port in the port range. + - name: end + type: long + description: The last port in the port range. + - name: note + type: group + fields: + - name: text + type: keyword + description: The text of a note. + - name: updated_at + type: date + description: The timestamp of when the note was updated. + - name: updated_by + type: keyword + description: The principal that created a note. + - name: patch_summary + type: group + fields: + - name: failed + type: group + fields: + - name: count + type: long + description: The number of patches from the compliance standard that failed to install. + - name: id + type: keyword + description: The identifier of the compliance standard that was used to determine the patch compliance status. + - name: installed + type: group + fields: + - name: count + type: long + description: The number of patches from the compliance standard that were installed successfully. + - name: other + type: group + fields: + - name: count + type: long + description: The number of installed patches that are not part of the compliance standard. 
+ - name: pending_reboot + type: long + description: The number of patches that were applied, but that require the instance to be rebooted in order to be marked as installed. + - name: rejected + type: group + fields: + - name: count + type: long + description: The number of patches that are installed but are also on a list of patches that the customer rejected. + - name: missing + type: group + fields: + - name: count + type: long + description: The number of patches that are part of the compliance standard but are not installed. The count includes patches that failed to install. + - name: operation + type: group + fields: + - name: end_time + type: date + description: Indicates when the operation completed. + - name: start_time + type: date + description: Indicates when the operation started. + - name: type + type: keyword + description: The type of patch operation performed. For Patch Manager, the values are SCAN and INSTALL. + - name: reboot_option + type: keyword + description: The reboot option specified for the instance. + - name: process + type: group + fields: + - name: launched_at + type: date + description: Indicates when the process was launched. + - name: name + type: keyword + description: The name of the process. + - name: parent + type: group + fields: + - name: pid + type: long + description: The parent process ID. + - name: path + type: keyword + description: The path to the process executable. + - name: pid + type: long + description: The process ID. + - name: terminated_at + type: date + description: Indicates when the process was terminated. + - name: product + type: group + fields: + - name: arn + type: keyword + description: The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. 
+ - name: fields + type: flattened + description: A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. + - name: name + type: keyword + description: The name of the product that generated the finding. + - name: provider_fields + type: group + fields: + - name: confidence + type: long + description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. + - name: criticality + type: long + description: The level of importance assigned to the resources associated with the finding. + - name: related_findings + type: group + fields: + - name: id + type: keyword + description: The product-generated identifier for a related finding. + - name: product + type: group + fields: + - name: arn + type: keyword + description: The ARN of the product that generated a related finding. + - name: severity + type: group + fields: + - name: label + type: keyword + description: The severity label assigned to the finding by the finding provider. + - name: normalized + type: keyword + description: The normalized severity of a finding provider. + - name: original + type: keyword + description: The finding provider's original value for the severity. + - name: product + type: keyword + description: The finding provider's product for the severity. + - name: types + type: keyword + description: One or more finding types in the format of namespace/category/classifier that classify a finding. + - name: record_state + type: keyword + description: The record state of a finding. + - name: region + type: keyword + description: The Region from which the finding was generated. + - name: related_findings + type: group + fields: + - name: id + type: keyword + description: The product-generated identifier for a related finding. 
+ - name: product + type: group + fields: + - name: arn + type: keyword + description: The ARN of the product that generated a related finding. + - name: remediation + type: group + fields: + - name: recommendation + type: group + fields: + - name: text + type: text + description: Describes the recommended steps to take to remediate an issue identified in a finding. + - name: url + type: keyword + description: A URL to a page or site that contains information about how to remediate a finding. + - name: resources + type: flattened + description: A set of resource data types that describe the resources that the finding refers to. + - name: sample + type: boolean + description: Indicates whether the finding is a sample finding. + - name: schema + type: group + fields: + - name: version + type: keyword + description: The schema version that a finding is formatted for. + - name: severity + type: group + fields: + - name: label + type: keyword + description: The severity value of the finding. + - name: normalized + type: keyword + description: The normalized severity of a finding. + - name: original + type: keyword + description: The native severity from the finding product that generated the finding. + - name: product + type: keyword + description: The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding. + - name: source_url + type: keyword + description: A URL that links to a page about the current finding in the security-findings provider's solution. + - name: threat_intel_indicators + type: group + fields: + - name: category + type: keyword + description: The category of a threat intelligence indicator. + - name: last_observed_at + type: date + description: Indicates when the most recent instance of a threat intelligence indicator was observed. + - name: source + type: keyword + description: The source of the threat intelligence indicator. 
+ - name: source_url + type: keyword + description: The URL to the page or site where you can get more information about the threat intelligence indicator. + - name: type + type: keyword + description: The type of threat intelligence indicator. + - name: value + type: keyword + description: The value of a threat intelligence indicator. + - name: title + type: text + description: A finding's title. + - name: types + type: keyword + description: One or more finding types in the format of namespace/category/classifier that classify a finding. + - name: updated_at + type: date + description: Indicates when the security-findings provider last updated the finding record. + - name: user_defined_fields + type: flattened + description: A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. + - name: verification_state + type: keyword + description: Indicates the veracity of a finding. + - name: vulnerabilities + type: group + fields: + - name: cvss + type: group + fields: + - name: adjustments + type: group + fields: + - name: metric + type: keyword + description: The metric to adjust. + - name: reason + type: keyword + description: The reason for the adjustment. + - name: base_score + type: double + description: The base CVSS score. + - name: base_vector + type: keyword + description: The base scoring vector for the CVSS score. + - name: source + type: keyword + description: The origin of the original CVSS score and vector. + - name: version + type: keyword + description: The version of CVSS for the CVSS score. + - name: id + type: keyword + description: The identifier of the vulnerability. + - name: reference_urls + type: keyword + description: A list of URLs that provide additional information about the vulnerability. + - name: related_vulnerabilities + type: keyword + description: List of vulnerabilities that are related to this vulnerability. 
+ - name: vendor
+ type: group
+ fields:
+ - name: created_at
+ type: date
+ description: Indicates when the vulnerability advisory was created.
+ - name: name
+ type: keyword
+ description: The name of the vendor.
+ - name: severity
+ type: keyword
+ description: The severity that the vendor assigned to the vulnerability.
+ - name: updated_at
+ type: date
+ description: Indicates when the vulnerability advisory was last updated.
+ - name: url
+ type: keyword
+ description: The URL of the vulnerability advisory.
+ - name: vulnerable_packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: The architecture used for the software package.
+ - name: epoch
+ type: keyword
+ description: The epoch of the software package.
+ - name: file_path
+ type: keyword
+ description: The file system path to the package manager inventory file.
+ - name: name
+ type: keyword
+ description: The name of the software package.
+ - name: package_manager
+ type: keyword
+ description: The source of the package.
+ - name: release
+ type: keyword
+ description: The release of the software package.
+ - name: version
+ type: keyword
+ description: The version of the software package.
+ - name: workflow
+ type: group
+ fields:
+ - name: state
+ type: keyword
+ description: The workflow state of a finding.
+ - name: status
+ type: keyword
+ description: The status of the investigation into the finding.
+- name: url.user_info
+ type: keyword
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/resource.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/resource.yml
new file mode 100644
index 00000000000..6912b7ee058
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/resource.yml
@@ -0,0 +1,9 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: type
+ type: keyword
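Review bot: The `geolocation` groups under all three `remote_ip` objects (`action.aws_api_call`, `action.network_connection` and `action.port_probe.details`) have their descriptions swapped: `latitude` is documented as `The longitude of the location.` and `longitude` as `The latitude of the location.`, which will mislead anyone building a map layer or enrichment on attacker-source coordinates; change them to `The latitude of the location.` and `The longitude of the location.` respectively. The same copy-paste slip is in `network_path.component.egress.source.address` and `network_path.component.ingress.source.address`, both described as `The IP addresses of the destination.` where `The IP addresses of the source.` is meant. Separately, `url.user_info` at the end of the file is declared with no description and is not an ECS field (ECS has `url.username` and `url.password`); since the user-info component of a URL can carry credentials, add a description stating which finding attribute populates it and confirm that indexing it verbatim is intended, or map it to the ECS fields instead.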
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/result.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/result.yml
new file mode 100644
index 00000000000..75f840ce005
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/result.yml
@@ -0,0 +1,5 @@
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: keyword
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/fields/rule.yml b/packages/aws/data_stream/securityhub_findings_full_posture/fields/rule.yml
new file mode 100644
index 00000000000..9def88f8fba
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/fields/rule.yml
@@ -0,0 +1,5 @@
+- name: rule
+ type: group
+ fields:
+ - name: remediation
+ type: keyword
diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/manifest.yml b/packages/aws/data_stream/securityhub_findings_full_posture/manifest.yml
new file mode 100644
index 00000000000..7be8b690b32
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings_full_posture/manifest.yml
@@ -0,0 +1,95 @@ +title: Collect AWS Security Hub Findings Full Posture logs from AWS +type: logs +streams: + - input: httpjson + title: Collect AWS Security Hub Findings Full Posture from AWS + description: Collect AWS Security Hub Findings Full Posture from AWS. + template_path: httpjson.yml.hbs + vars: + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - aws_securityhub_findings_full_posture + - name: aws_region + type: text + title: AWS Region + description: AWS Region. + required: true + - name: tld + type: text + title: Top Level Domain + multi: false + required: true + default: amazonaws.com + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve aws.security_findings_full_posture fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/sample_event.json b/packages/aws/data_stream/securityhub_findings_full_posture/sample_event.json new file mode 100644 index 00000000000..dadfd2819e1 --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings_full_posture/sample_event.json 
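Review bot: The `preserve_duplicate_custom_fields` description names the prefix `aws.security_findings_full_posture`, but the fields this stream writes live under `aws.securityhub_findings_full_posture` (the dataset name used in the `tags` default and in the sample event), so the help text points operators at a prefix that does not exist; change it to `description: Preserve aws.securityhub_findings_full_posture fields that were copied to Elastic Common Schema (ECS) fields.`. The `proxy_url` description reads `http[s]://:@:` with the placeholders missing, which may be an artifact of how this diff was captured; if that is the committed text, restore the `<user>:<password>@<host>:<port>` placeholders so it is clear that credentials are embedded in this value and should come from a secret rather than be typed into the policy. Nothing in this hunk declares the Access Key ID / Secret Access Key the docs call compulsory, nor the collection interval the docs say is 24 hours, so presumably both come from package-level vars or `httpjson.yml.hbs`, which are outside this diff; worth confirming the interval is user-visible, since re-requesting all historical findings on every cycle is both a cost and an API-throttling concern.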
@@ -0,0 +1,428 @@ +{ + "@timestamp": "2017-03-22T13:22:13.933Z", + "agent": { + "ephemeral_id": "01f4fdba-8670-479d-b54f-7d39403bb723", + "id": "eea1c0db-3657-4195-add3-da25a54834e7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "aws": { + "securityhub_findings_full_posture": { + "action": { + "port_probe": { + "blocked": false, + "details": [ + { + "local": { + "ip": { + "address_v4": "1.128.0.0" + }, + "port": { + "name": "HTTP", + "number": 80 + } + }, + "remote_ip": { + "city": { + "name": "Example City" + }, + "country": { + "name": "Example Country" + }, + "geolocation": { + "latitude": 0, + "longitude": 0 + }, + "organization": { + "asn": "64496", + "asn_organization": "ExampleASO", + "internet_provider": "ExampleOrg", + "internet_service_provider": "ExampleISP" + } + } + } + ] + } + }, + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "Req1", + "Req2" + ], + "status": "PASSED", + "status_reasons": [ + { + "description": "CloudWatch alarms do not exist in the account", + "reason_code": "CLOUDWATCH_ALARMS_NOT_PRESENT" + } + ] + }, + "confidence": 42, + "criticality": 99, + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "first_observed_at": "2017-03-22T13:22:13.933Z", + "generator": { + "id": "acme-vuln-9ab348" + }, + "last_observed_at": "2017-03-23T13:22:13.933Z", + "malware": [ + { + "name": "Stringler", + "path": "/usr/sbin/stringler", + "state": "OBSERVED", + "type": "COIN_MINER" + } + ], + "network": { + "open_port_range": { + "begin": 443, + "end": 443 + } + }, + "network_path": [ + { + "component": { + "id": "abc-01a234bc56d8901ee", + "type": "AWS::EC2::InternetGateway" + }, + "egress": { + "destination": { + "address": [ + "1.128.0.0/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + 
}, + "ingress": { + "destination": { + "address": [ + "175.16.199.1/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + } + } + ], + "note": { + "text": "Don't forget to check under the mat.", + "updated_at": "2018-08-31T00:15:09.000Z", + "updated_by": "jsmith" + }, + "patch_summary": { + "failed": { + "count": 0 + }, + "id": "pb-123456789098", + "installed": { + "count": 100, + "other": { + "count": 1023 + }, + "pending_reboot": 0, + "rejected": { + "count": 0 + } + }, + "missing": { + "count": 100 + }, + "operation": { + "end_time": "2018-09-27T23:39:31.000Z", + "start_time": "2018-09-27T23:37:31.000Z", + "type": "Install" + }, + "reboot_option": "RebootIfNeeded" + }, + "product": { + "arn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default", + "fields": { + "Service_Name": "cloudtrail.amazonaws.com", + "aws/inspector/AssessmentTargetName": "My prod env", + "aws/inspector/AssessmentTemplateName": "My daily CVE assessment", + "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures", + "generico/secure-pro/Count": "6" + }, + "name": "Security Hub" + }, + "provider_fields": { + "confidence": 42, + "criticality": 99, + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "severity": { + "label": "MEDIUM", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ] + }, + "record_state": "ACTIVE", + "region": "us-east-1", + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + }, + { + "id": "AcmeNerfHerder-111111111111-x189dx7824", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "remediation": { + "recommendation": { + 
"text": "Run sudo yum update and cross your fingers and toes.", + "url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" + } + }, + "resources": [ + { + "Details": { + "IamInstanceProfileArn": "arn:aws:iam::123456789012:role/IamInstanceProfileArn", + "ImageId": "ami-79fd7eee", + "IpV4Addresses": [ + "175.16.199.1" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "KeyName": "testkey", + "LaunchedAt": "2018-09-29T01:25:54Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "enabled", + "HttpPutResponseHopLimit": 1, + "HttpTokens": "optional", + "InstanceMetadataTags": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-e5aa89a3" + } + ], + "SubnetId": "PublicSubnet", + "Type": "i3.xlarge", + "VirtualizationType": "hvm", + "VpcId": "TestVPCIpv6" + }, + "Id": "i-cafebabe", + "Partition": "aws", + "Region": "us-west-2", + "Tags": { + "billingCode": "Lotus-1-2-3", + "needsPatching": "true" + }, + "Type": "AwsEc2Instance" + } + ], + "sample": true, + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "CRITICAL", + "original": "8.3" + }, + "source_url": "http://threatintelweekly.org/backdoors/8888", + "threat_intel_indicators": [ + { + "category": "BACKDOOR", + "source": "Threat Intel Weekly", + "source_url": "http://threatintelweekly.org/backdoors/8888", + "value": "175.16.199.1" + } + ], + "title": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "updated_at": "2018-08-31T00:15:09.000Z", + "user_defined_fields": { + "comeBackToLater": "Check this again on Monday", + "reviewedByCio": "true" + }, + "verification_state": "UNKNOWN", + "vulnerabilities": [ + { + "cvss": [ + { + "base_score": 4.7, + "base_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "V3" + }, + { + "base_score": 4.7, + "base_vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N", + "version": "V2" + } + ], + 
"related_vulnerabilities": [ + "CVE-2020-12345" + ], + "vendor": { + "created_at": "2020-01-16T00:01:43.000Z", + "severity": "Medium", + "updated_at": "2020-01-16T00:01:43.000Z", + "url": "https://alas.aws.amazon.com/ALAS-2020-1337.html" + }, + "vulnerable_packages": [ + { + "architecture": "x86_64", + "epoch": "1", + "name": "openssl", + "release": "16.amzn2.0.3", + "version": "1.0.2k" + } + ] + } + ], + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + } + }, + "data_stream": { + "dataset": "aws.securityhub_findings_full_posture", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "example2.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "eea1c0db-3657-4195-add3-da25a54834e7", + "snapshot": true, + "version": "8.4.0" + }, + "event": { + "action": "port_probe", + "agent_id_status": "verified", + "created": "2022-07-27T12:47:41.799Z", + "dataset": "aws.securityhub_findings_full_posture", + "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", + "ingested": "2022-07-27T12:47:45Z", + "kind": "state", + "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"Blocked\":false,\"PortProbeDetails\":[{\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"RemoteIpDetails\":{\"City\":{\"CityName\":\"Example City\"},\"Country\":{\"CountryName\":\"Example Country\"},\"GeoLocation\":{\"Lat\":0,\"Lon\":0},\"Organization\":{\"Asn\":64496,\"AsnOrg\":\"ExampleASO\",\"Isp\":\"ExampleISP\",\"Org\":\"ExampleOrg\"}}}]}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"CloudWatch alarms do not exist in the 
account\",\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\",\"Type\":\"COIN_MINER\"}],\"Network\":{\"DestinationDomain\":\"example2.com\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceDomain\":\"example1.com\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"SourcePort\":\"42\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UpdatedBy\":\"jsmith\"},\"PatchSummary\":{\"FailedCount\":\"0\",\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"InstalledOtherCount\":\"1023\",\"InstalledPendingReboot\":\"0\",\"InstalledRejectedCount\":\"0\",\"MissingCount\":\"100\",\"Operation\":\"Install\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"RebootOption\":\"RebootIfNeeded\"},\"Process\":{\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"Name\":\"syslogd\",\"ParentPid\":56789,\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\",\"generico/secure-pro/Count\":\"6\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"},{\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"},\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Type\":\"AwsEc2Instance\"}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"comeBackToLater\":\"Check this again on 
Monday\",\"reviewedByCio\":\"true\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "network": { + "direction": "ingress", + "protocol": "tcp" + }, + "organization": { + "name": "AWS" + }, + "process": { + "end": "2018-09-27T23:37:31.000Z", + "executable": "/usr/sbin/syslogd", + "name": "syslogd", + "parent": { + "pid": 56789 + }, + "pid": 12345, + "start": "2018-09-27T22:37:31.000Z" + }, + "related": { + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ] + }, + "source": { + "domain": "example1.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "mac": "00-0D-83-B1-C0-8E", + "port": 42 + }, + "tags": [ + "preserve_original_event", + "forwarded", + "aws_securityhub_findings_full_posture" + ], + "threat": { + "indicator": { + "last_seen": "2018-09-27T23:37:31.000Z", + "type": "ipv4-addr" + } + }, + "url": { + "domain": "threatintelweekly.org", + "full": "http://threatintelweekly.org/backdoors/8888", + "original": "http://threatintelweekly.org/backdoors/8888", + "path": "/backdoors/8888", + "scheme": "http" + }, + "vulnerability": { + "id": "CVE-2020-12345", + "reference": [ + 
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" + ], + "scanner": { + "vendor": "Alas" + }, + "score": { + "base": 4.7, + "version": "V2" + } + } +} \ No newline at end of file diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md index c892d773ec5..c00e3c2b73b 100644 --- a/packages/aws/docs/securityhub.md +++ b/packages/aws/docs/securityhub.md @@ -22,6 +22,7 @@ The [AWS Security Hub](https://docs.aws.amazon.com/securityhub/) integration col 1. For the current integration package, it is recommended to have interval in hours. 2. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID. + 3. Findings Full Posture data stream request all the historical findings every 24 hours. ## Logs 
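Review bot: In this sample `@timestamp` equals the finding's `CreatedAt` (2017-03-22) even though `event.kind` is `state` and the docs added in this PR say the stream re-requests all historical findings every 24 hours, so each daily snapshot of the same finding would carry the same 2017 timestamp rather than the time of that snapshot, while `UpdatedAt`/`LastObservedAt` (2018) go unused for it. A posture view that must tell the latest evaluation from stale ones generally needs the snapshot or update time on `@timestamp`, with the original creation time kept in a dedicated field; the ingest pipeline that makes this choice is not in this diff, so confirm whether this is intended or whether `@timestamp` should be derived from `UpdatedAt` or the collection time. Separately, `Resources[].Details` (including `IamInstanceProfileArn`, `KeyName` and `MetadataOptions.HttpTokens`) appears in the output verbatim in PascalCase under `aws.securityhub_findings_full_posture.resources`, unlike every other snake_cased field, which suggests it is stored as an unmapped or flattened object; if so, those keys are not individually searchable, which matters for a posture view that wants to find instances with IMDSv1 (`HttpTokens: optional`) enabled.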
@@ -674,6 +675,655 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | url.user_info | | keyword | +### Findings Full Posture + +This is the [`securityhub_findings_full_posture`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html#API_GetFindings_ResponseElements) data stream. + +An example event for `securityhub_findings_full_posture` looks as following: + +```json +{ + "@timestamp": "2017-03-22T13:22:13.933Z", + "agent": { + "ephemeral_id": "01f4fdba-8670-479d-b54f-7d39403bb723", + "id": "eea1c0db-3657-4195-add3-da25a54834e7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "aws": { + "securityhub_findings_full_posture": { + "action": { + "port_probe": { + "blocked": false, + "details": [ + { + "local": { + "ip": { + "address_v4": "1.128.0.0" + }, + "port": { + "name": "HTTP", + "number": 80 + } + }, + "remote_ip": { + "city": { + "name": "Example City" + }, + "country": { + "name": "Example Country" + }, + "geolocation": { + "latitude": 0, + "longitude": 0 + }, + "organization": { + "asn": "64496", + "asn_organization": "ExampleASO", + "internet_provider": "ExampleOrg", + "internet_service_provider": "ExampleISP" + } + } + } + ] + } + }, + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "Req1", + "Req2" + ], + "status": "PASSED", + "status_reasons": [ + { + "description": "CloudWatch alarms do not exist in the account", + "reason_code": "CLOUDWATCH_ALARMS_NOT_PRESENT" + } + ] + }, + "confidence": 42, + "criticality": 99, + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "first_observed_at": "2017-03-22T13:22:13.933Z", + "generator": { + "id": "acme-vuln-9ab348" + }, + "last_observed_at": "2017-03-23T13:22:13.933Z", + "malware": [ + { + "name": "Stringler", + "path": "/usr/sbin/stringler", + "state": "OBSERVED", + "type": "COIN_MINER" + } + 
], + "network": { + "open_port_range": { + "begin": 443, + "end": 443 + } + }, + "network_path": [ + { + "component": { + "id": "abc-01a234bc56d8901ee", + "type": "AWS::EC2::InternetGateway" + }, + "egress": { + "destination": { + "address": [ + "1.128.0.0/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + }, + "ingress": { + "destination": { + "address": [ + "175.16.199.1/24" + ], + "port_ranges": [ + { + "begin": 443, + "end": 443 + } + ] + }, + "protocol": "TCP", + "source": { + "address": [ + "175.16.199.1/24" + ] + } + } + } + ], + "note": { + "text": "Don't forget to check under the mat.", + "updated_at": "2018-08-31T00:15:09.000Z", + "updated_by": "jsmith" + }, + "patch_summary": { + "failed": { + "count": 0 + }, + "id": "pb-123456789098", + "installed": { + "count": 100, + "other": { + "count": 1023 + }, + "pending_reboot": 0, + "rejected": { + "count": 0 + } + }, + "missing": { + "count": 100 + }, + "operation": { + "end_time": "2018-09-27T23:39:31.000Z", + "start_time": "2018-09-27T23:37:31.000Z", + "type": "Install" + }, + "reboot_option": "RebootIfNeeded" + }, + "product": { + "arn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default", + "fields": { + "Service_Name": "cloudtrail.amazonaws.com", + "aws/inspector/AssessmentTargetName": "My prod env", + "aws/inspector/AssessmentTemplateName": "My daily CVE assessment", + "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures", + "generico/secure-pro/Count": "6" + }, + "name": "Security Hub" + }, + "provider_fields": { + "confidence": 42, + "criticality": 99, + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "severity": { + "label": "MEDIUM", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ] + }, + 
"record_state": "ACTIVE", + "region": "us-east-1", + "related_findings": [ + { + "id": "123e4567-e89b-12d3-a456-426655440000", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + }, + { + "id": "AcmeNerfHerder-111111111111-x189dx7824", + "product": { + "arn": "arn:aws:securityhub:us-west-2::product/aws/guardduty" + } + } + ], + "remediation": { + "recommendation": { + "text": "Run sudo yum update and cross your fingers and toes.", + "url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" + } + }, + "resources": [ + { + "Details": { + "IamInstanceProfileArn": "arn:aws:iam::123456789012:role/IamInstanceProfileArn", + "ImageId": "ami-79fd7eee", + "IpV4Addresses": [ + "175.16.199.1" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "KeyName": "testkey", + "LaunchedAt": "2018-09-29T01:25:54Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "enabled", + "HttpPutResponseHopLimit": 1, + "HttpTokens": "optional", + "InstanceMetadataTags": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-e5aa89a3" + } + ], + "SubnetId": "PublicSubnet", + "Type": "i3.xlarge", + "VirtualizationType": "hvm", + "VpcId": "TestVPCIpv6" + }, + "Id": "i-cafebabe", + "Partition": "aws", + "Region": "us-west-2", + "Tags": { + "billingCode": "Lotus-1-2-3", + "needsPatching": "true" + }, + "Type": "AwsEc2Instance" + } + ], + "sample": true, + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "CRITICAL", + "original": "8.3" + }, + "source_url": "http://threatintelweekly.org/backdoors/8888", + "threat_intel_indicators": [ + { + "category": "BACKDOOR", + "source": "Threat Intel Weekly", + "source_url": "http://threatintelweekly.org/backdoors/8888", + "value": "175.16.199.1" + } + ], + "title": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "updated_at": 
"2018-08-31T00:15:09.000Z", + "user_defined_fields": { + "comeBackToLater": "Check this again on Monday", + "reviewedByCio": "true" + }, + "verification_state": "UNKNOWN", + "vulnerabilities": [ + { + "cvss": [ + { + "base_score": 4.7, + "base_vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "V3" + }, + { + "base_score": 4.7, + "base_vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N", + "version": "V2" + } + ], + "related_vulnerabilities": [ + "CVE-2020-12345" + ], + "vendor": { + "created_at": "2020-01-16T00:01:43.000Z", + "severity": "Medium", + "updated_at": "2020-01-16T00:01:43.000Z", + "url": "https://alas.aws.amazon.com/ALAS-2020-1337.html" + }, + "vulnerable_packages": [ + { + "architecture": "x86_64", + "epoch": "1", + "name": "openssl", + "release": "16.amzn2.0.3", + "version": "1.0.2k" + } + ] + } + ], + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + } + }, + "data_stream": { + "dataset": "aws.securityhub_findings_full_posture", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "example2.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "eea1c0db-3657-4195-add3-da25a54834e7", + "snapshot": true, + "version": "8.4.0" + }, + "event": { + "action": "port_probe", + "agent_id_status": "verified", + "created": "2022-07-27T12:47:41.799Z", + "dataset": "aws.securityhub_findings_full_posture", + "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", + "ingested": "2022-07-27T12:47:45Z", + "kind": "state", + "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"Blocked\":false,\"PortProbeDetails\":[{\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"RemoteIpDetails\":{\"City\":{\"CityName\":\"Example City\"},\"Country\":{\"CountryName\":\"Example 
Country\"},\"GeoLocation\":{\"Lat\":0,\"Lon\":0},\"Organization\":{\"Asn\":64496,\"AsnOrg\":\"ExampleASO\",\"Isp\":\"ExampleISP\",\"Org\":\"ExampleOrg\"}}}]}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"CloudWatch alarms do not exist in the account\",\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\",\"Type\":\"COIN_MINER\"}],\"Network\":{\"DestinationDomain\":\"example2.com\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceDomain\":\"example1.com\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"SourcePort\":\"42\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":
[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the mat.\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UpdatedBy\":\"jsmith\"},\"PatchSummary\":{\"FailedCount\":\"0\",\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"InstalledOtherCount\":\"1023\",\"InstalledPendingReboot\":\"0\",\"InstalledRejectedCount\":\"0\",\"MissingCount\":\"100\",\"Operation\":\"Install\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"RebootOption\":\"RebootIfNeeded\"},\"Process\":{\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"Name\":\"syslogd\",\"ParentPid\":56789,\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\",\"generico/secure-pro/Count\":\"6\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"},{\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"},\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Type\":\"AwsEc2Instance\"}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"comeBackToLater\":\"Check this again on 
Monday\",\"reviewedByCio\":\"true\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "network": { + "direction": "ingress", + "protocol": "tcp" + }, + "organization": { + "name": "AWS" + }, + "process": { + "end": "2018-09-27T23:37:31.000Z", + "executable": "/usr/sbin/syslogd", + "name": "syslogd", + "parent": { + "pid": 56789 + }, + "pid": 12345, + "start": "2018-09-27T22:37:31.000Z" + }, + "related": { + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ] + }, + "source": { + "domain": "example1.com", + "ip": [ + "1.128.0.0", + "2a02:cf40::" + ], + "mac": "00-0D-83-B1-C0-8E", + "port": 42 + }, + "tags": [ + "preserve_original_event", + "forwarded", + "aws_securityhub_findings_full_posture" + ], + "threat": { + "indicator": { + "last_seen": "2018-09-27T23:37:31.000Z", + "type": "ipv4-addr" + } + }, + "url": { + "domain": "threatintelweekly.org", + "full": "http://threatintelweekly.org/backdoors/8888", + "original": "http://threatintelweekly.org/backdoors/8888", + "path": "/backdoors/8888", + "scheme": "http" + }, + "vulnerability": { + "id": "CVE-2020-12345", + "reference": [ + 
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", + "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" + ], + "scanner": { + "vendor": "Alas" + }, + "score": { + "base": 4.7, + "version": "V2" + } + } +} +``` + +**ECS Field Reference** + +Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| aws.securityhub_findings_full_posture.action.aws_api_call.affected_resources | Identifies the resources that were affected by the API call. | flattened | +| aws.securityhub_findings_full_posture.action.aws_api_call.api | The name of the API method that was issued. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.caller.type | Indicates whether the API call originated from a remote IP address(remoteip) or from a DNS domain(domain). | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.domain_details.domain | The name of the DNS domain that issued the API call. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.first_seen | An ISO8601-formatted timestamp that indicates when the API call was first observed. | date | +| aws.securityhub_findings_full_posture.action.aws_api_call.last_seen | An ISO8601-formatted timestamp that indicates when the API call was most recently observed. | date | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.city.name | The name of the city. 
| keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.country.code | The 2-letter ISO 3166 country code for the country. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.country.name | The name of the country. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.geolocation.latitude | The longitude of the location. | double | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.geolocation.longitude | The latitude of the location. | double | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.ip.address_v4 | The IP address. | ip | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.asn | The Autonomous System Number(ASN) of the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.asn_organization | The name of the organization that registered the ASN. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.internet_provider | The ISP information for the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.remote_ip.organization.internet_service_provider | The name of the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.aws_api_call.service.name | The name of the Amazon Web Services service that the API method belongs to. | keyword | +| aws.securityhub_findings_full_posture.action.dns_request.blocked | Indicates whether the DNS request was blocked. | boolean | +| aws.securityhub_findings_full_posture.action.dns_request.domain | The DNS domain that is associated with the DNS request. | keyword | +| aws.securityhub_findings_full_posture.action.dns_request.protocol | The protocol that was used for the DNS request. 
| keyword | +| aws.securityhub_findings_full_posture.action.network_connection.blocked | Indicates whether the network connection attempt was blocked. | boolean | +| aws.securityhub_findings_full_posture.action.network_connection.direction | The direction of the network connection request(IN or OUT). | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.local.port.name | The port name of the local connection. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.local.port.number | The number of the port. | long | +| aws.securityhub_findings_full_posture.action.network_connection.protocol | The protocol used to make the network connection request. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote.port.name | The port name of the remote connection. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote.port.number | The number of the port. | long | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.city.name | The name of the city. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.country.code | The 2-letter ISO 3166 country code for the country. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.country.name | The name of the country. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.geolocation.latitude | The longitude of the location. | double | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.geolocation.longitude | The latitude of the location. | double | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.ip.address_v4 | The IP address. | ip | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.asn | The Autonomous System Number(ASN) of the internet provider. 
| keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.asn_organization | The name of the organization that registered the ASN. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.internet_provider | The ISP information for the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.network_connection.remote_ip.organization.internet_service_provider | The name of the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.blocked | Indicates whether the port probe was blocked. | boolean | +| aws.securityhub_findings_full_posture.action.port_probe.details.local.ip.address_v4 | The IP address. | ip | +| aws.securityhub_findings_full_posture.action.port_probe.details.local.port.name | The port name of the local connection. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.local.port.number | The number of the port. | long | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.city.name | The name of the city. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.country.code | The 2-letter ISO 3166 country code for the country. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.country.name | The name of the country. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.geolocation.latitude | The longitude of the location. | double | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.geolocation.longitude | The latitude of the location. | double | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.ip.address_v4 | The IP address. | ip | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.organization.asn | The Autonomous System Number(ASN) of the internet provider. 
| keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.organization.asn_organization | The name of the organization that registered the ASN. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.organization.internet_provider | The ISP information for the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.port_probe.details.remote_ip.organization.internet_service_provider | The name of the internet provider. | keyword | +| aws.securityhub_findings_full_posture.action.type | The type of action that was detected. | keyword | +| aws.securityhub_findings_full_posture.aws_account_id | The Amazon Web Services account ID that a finding is generated in. | keyword | +| aws.securityhub_findings_full_posture.company.name | The name of the company for the product that generated the finding. | keyword | +| aws.securityhub_findings_full_posture.compliance.related_requirements | For a control, the industry or regulatory framework requirements that are related to the control. | keyword | +| aws.securityhub_findings_full_posture.compliance.security_control_id | Unique identifier of a control across standards. | keyword | +| aws.securityhub_findings_full_posture.compliance.status | The result of a standards check. | keyword | +| aws.securityhub_findings_full_posture.compliance.status_reasons.description | The corresponding description for the status reason code. | keyword | +| aws.securityhub_findings_full_posture.compliance.status_reasons.reason_code | A code that represents a reason for the control status. | keyword | +| aws.securityhub_findings_full_posture.confidence | A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. 
| long | +| aws.securityhub_findings_full_posture.created_at | Indicates when the security-findings provider created the potential security issue that a finding captured. | date | +| aws.securityhub_findings_full_posture.criticality | The level of importance assigned to the resources associated with the finding. | long | +| aws.securityhub_findings_full_posture.description | A finding's description. | keyword | +| aws.securityhub_findings_full_posture.first_observed_at | Indicates when the security-findings provider first observed the potential security issue that a finding captured. | date | +| aws.securityhub_findings_full_posture.generator.id | The identifier for the solution-specific component(a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc. | keyword | +| aws.securityhub_findings_full_posture.id | The security findings provider-specific identifier for a finding. | keyword | +| aws.securityhub_findings_full_posture.last_observed_at | Indicates when the security-findings provider most recently observed the potential security issue that a finding captured. | date | +| aws.securityhub_findings_full_posture.malware.name | The name of the malware that was observed. | keyword | +| aws.securityhub_findings_full_posture.malware.path | The file system path of the malware that was observed. | keyword | +| aws.securityhub_findings_full_posture.malware.state | The state of the malware that was observed. | keyword | +| aws.securityhub_findings_full_posture.malware.type | The type of the malware that was observed. | keyword | +| aws.securityhub_findings_full_posture.network.destination.domain | The destination domain of network-related information about a finding. | keyword | +| aws.securityhub_findings_full_posture.network.destination.ip.v4 | The destination IPv4 address of network-related information about a finding. 
| ip | +| aws.securityhub_findings_full_posture.network.destination.ip.v6 | The destination IPv6 address of network-related information about a finding. | ip | +| aws.securityhub_findings_full_posture.network.destination.port | The destination port of network-related information about a finding. | long | +| aws.securityhub_findings_full_posture.network.direction | The direction of network traffic associated with a finding. | keyword | +| aws.securityhub_findings_full_posture.network.open_port_range.begin | The first port in the port range. | long | +| aws.securityhub_findings_full_posture.network.open_port_range.end | The last port in the port range. | long | +| aws.securityhub_findings_full_posture.network.protocol | The protocol of network-related information about a finding. | keyword | +| aws.securityhub_findings_full_posture.network.source.domain | The source domain of network-related information about a finding. | keyword | +| aws.securityhub_findings_full_posture.network.source.ip.v4 | The source IPv4 address of network-related information about a finding. | ip | +| aws.securityhub_findings_full_posture.network.source.ip.v6 | The source IPv6 address of network-related information about a finding. | ip | +| aws.securityhub_findings_full_posture.network.source.mac | The source media access control(MAC) address of network-related information about a finding. | keyword | +| aws.securityhub_findings_full_posture.network.source.port | The source port of network-related information about a finding. | long | +| aws.securityhub_findings_full_posture.network_path.component.id | The identifier of a component in the network path. | keyword | +| aws.securityhub_findings_full_posture.network_path.component.type | The type of component. | keyword | +| aws.securityhub_findings_full_posture.network_path.egress.destination.address | The IP addresses of the destination. 
| keyword | +| aws.securityhub_findings_full_posture.network_path.egress.destination.port_ranges.begin | The first port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.egress.destination.port_ranges.end | The last port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.egress.protocol | The protocol used for the component. | keyword | +| aws.securityhub_findings_full_posture.network_path.egress.source.address | The IP addresses of the destination. | keyword | +| aws.securityhub_findings_full_posture.network_path.egress.source.port_ranges.begin | The first port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.egress.source.port_ranges.end | The last port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.ingress.destination.address | The IP addresses of the destination. | keyword | +| aws.securityhub_findings_full_posture.network_path.ingress.destination.port_ranges.begin | The first port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.ingress.destination.port_ranges.end | The last port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.ingress.protocol | The protocol used for the component. | keyword | +| aws.securityhub_findings_full_posture.network_path.ingress.source.address | The IP addresses of the destination. | keyword | +| aws.securityhub_findings_full_posture.network_path.ingress.source.port_ranges.begin | The first port in the port range. | long | +| aws.securityhub_findings_full_posture.network_path.ingress.source.port_ranges.end | The last port in the port range. | long | +| aws.securityhub_findings_full_posture.note.text | The text of a note. | keyword | +| aws.securityhub_findings_full_posture.note.updated_at | The timestamp of when the note was updated. | date | +| aws.securityhub_findings_full_posture.note.updated_by | The principal that created a note. 
| keyword | +| aws.securityhub_findings_full_posture.patch_summary.failed.count | The number of patches from the compliance standard that failed to install. | long | +| aws.securityhub_findings_full_posture.patch_summary.id | The identifier of the compliance standard that was used to determine the patch compliance status. | keyword | +| aws.securityhub_findings_full_posture.patch_summary.installed.count | The number of patches from the compliance standard that were installed successfully. | long | +| aws.securityhub_findings_full_posture.patch_summary.installed.other.count | The number of installed patches that are not part of the compliance standard. | long | +| aws.securityhub_findings_full_posture.patch_summary.installed.pending_reboot | The number of patches that were applied, but that require the instance to be rebooted in order to be marked as installed. | long | +| aws.securityhub_findings_full_posture.patch_summary.installed.rejected.count | The number of patches that are installed but are also on a list of patches that the customer rejected. | long | +| aws.securityhub_findings_full_posture.patch_summary.missing.count | The number of patches that are part of the compliance standard but are not installed. The count includes patches that failed to install. | long | +| aws.securityhub_findings_full_posture.patch_summary.operation.end_time | Indicates when the operation completed. | date | +| aws.securityhub_findings_full_posture.patch_summary.operation.start_time | Indicates when the operation started. | date | +| aws.securityhub_findings_full_posture.patch_summary.operation.type | The type of patch operation performed. For Patch Manager, the values are SCAN and INSTALL. | keyword | +| aws.securityhub_findings_full_posture.patch_summary.reboot_option | The reboot option specified for the instance. | keyword | +| aws.securityhub_findings_full_posture.process.launched_at | Indicates when the process was launched. 
| date | +| aws.securityhub_findings_full_posture.process.name | The name of the process. | keyword | +| aws.securityhub_findings_full_posture.process.parent.pid | The parent process ID. | long | +| aws.securityhub_findings_full_posture.process.path | The path to the process executable. | keyword | +| aws.securityhub_findings_full_posture.process.pid | The process ID. | long | +| aws.securityhub_findings_full_posture.process.terminated_at | Indicates when the process was terminated. | date | +| aws.securityhub_findings_full_posture.processed_at | Indicates when AWS Security Hub received a finding and begins to process it. | date | +| aws.securityhub_findings_full_posture.product.arn | The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. | keyword | +| aws.securityhub_findings_full_posture.product.fields | A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. | flattened | +| aws.securityhub_findings_full_posture.product.name | The name of the product that generated the finding. | keyword | +| aws.securityhub_findings_full_posture.provider_fields.confidence | A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. | long | +| aws.securityhub_findings_full_posture.provider_fields.criticality | The level of importance assigned to the resources associated with the finding. | long | +| aws.securityhub_findings_full_posture.provider_fields.related_findings.id | The product-generated identifier for a related finding. | keyword | +| aws.securityhub_findings_full_posture.provider_fields.related_findings.product.arn | The ARN of the product that generated a related finding. 
| keyword | +| aws.securityhub_findings_full_posture.provider_fields.severity.label | The severity label assigned to the finding by the finding provider. | keyword | +| aws.securityhub_findings_full_posture.provider_fields.severity.normalized | The normalized severity of a finding provider. | keyword | +| aws.securityhub_findings_full_posture.provider_fields.severity.original | The finding provider's original value for the severity. | keyword | +| aws.securityhub_findings_full_posture.provider_fields.severity.product | The finding provider's product for the severity. | keyword | +| aws.securityhub_findings_full_posture.provider_fields.types | One or more finding types in the format of namespace/category/classifier that classify a finding. | keyword | +| aws.securityhub_findings_full_posture.record_state | The record state of a finding. | keyword | +| aws.securityhub_findings_full_posture.region | The Region from which the finding was generated. | keyword | +| aws.securityhub_findings_full_posture.related_findings.id | The product-generated identifier for a related finding. | keyword | +| aws.securityhub_findings_full_posture.related_findings.product.arn | The ARN of the product that generated a related finding. | keyword | +| aws.securityhub_findings_full_posture.remediation.recommendation.text | Describes the recommended steps to take to remediate an issue identified in a finding. | text | +| aws.securityhub_findings_full_posture.remediation.recommendation.url | A URL to a page or site that contains information about how to remediate a finding. | keyword | +| aws.securityhub_findings_full_posture.resources | A set of resource data types that describe the resources that the finding refers to. | flattened | +| aws.securityhub_findings_full_posture.sample | Indicates whether the finding is a sample finding. | boolean | +| aws.securityhub_findings_full_posture.schema.version | The schema version that a finding is formatted for. 
| keyword | +| aws.securityhub_findings_full_posture.severity.label | The severity value of the finding. | keyword | +| aws.securityhub_findings_full_posture.severity.normalized | The normalized severity of a finding. | keyword | +| aws.securityhub_findings_full_posture.severity.original | The native severity from the finding product that generated the finding. | keyword | +| aws.securityhub_findings_full_posture.severity.product | The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding. | keyword | +| aws.securityhub_findings_full_posture.source_url | A URL that links to a page about the current finding in the security-findings provider's solution. | keyword | +| aws.securityhub_findings_full_posture.threat_intel_indicators.category | The category of a threat intelligence indicator. | keyword | +| aws.securityhub_findings_full_posture.threat_intel_indicators.last_observed_at | Indicates when the most recent instance of a threat intelligence indicator was observed. | date | +| aws.securityhub_findings_full_posture.threat_intel_indicators.source | The source of the threat intelligence indicator. | keyword | +| aws.securityhub_findings_full_posture.threat_intel_indicators.source_url | The URL to the page or site where you can get more information about the threat intelligence indicator. | keyword | +| aws.securityhub_findings_full_posture.threat_intel_indicators.type | The type of threat intelligence indicator. | keyword | +| aws.securityhub_findings_full_posture.threat_intel_indicators.value | The value of a threat intelligence indicator. | keyword | +| aws.securityhub_findings_full_posture.title | A finding's title. | text | +| aws.securityhub_findings_full_posture.types | One or more finding types in the format of namespace/category/classifier that classify a finding. 
| keyword | +| aws.securityhub_findings_full_posture.updated_at | Indicates when the security-findings provider last updated the finding record. | date | +| aws.securityhub_findings_full_posture.user_defined_fields | A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. | flattened | +| aws.securityhub_findings_full_posture.verification_state | Indicates the veracity of a finding. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.cvss.adjustments.metric | The metric to adjust. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.cvss.adjustments.reason | The reason for the adjustment. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.cvss.base_score | The base CVSS score. | double | +| aws.securityhub_findings_full_posture.vulnerabilities.cvss.base_vector | The base scoring vector for the CVSS score. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.cvss.source | The origin of the original CVSS score and vector. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.cvss.version | The version of CVSS for the CVSS score. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.id | The identifier of the vulnerability. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.reference_urls | A list of URLs that provide additional information about the vulnerability. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.related_vulnerabilities | List of vulnerabilities that are related to this vulnerability. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vendor.created_at | Indicates when the vulnerability advisory was created. | date | +| aws.securityhub_findings_full_posture.vulnerabilities.vendor.name | The name of the vendor. 
| keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vendor.severity | The severity that the vendor assigned to the vulnerability. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vendor.updated_at | Indicates when the vulnerability advisory was last updated. | date | +| aws.securityhub_findings_full_posture.vulnerabilities.vendor.url | The URL of the vulnerability advisory. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.architecture | The architecture used for the software package. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.epoch | The epoch of the software package. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.file_path | The file system path to the package manager inventory file. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.name | The name of the software package. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.package_manager | The source of the package. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.release | The release of the software package. | keyword | +| aws.securityhub_findings_full_posture.vulnerabilities.vulnerable_packages.version | The version of the software package. | keyword | +| aws.securityhub_findings_full_posture.workflow.state | The workflow state of a finding. | keyword | +| aws.securityhub_findings_full_posture.workflow.status | The status of the investigation into the finding. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.provider | | constant_keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. 
For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.kind | | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| host.containerized | If the host is a container. | boolean | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| observer.vendor | | constant_keyword | +| resource.id | | keyword | +| resource.name | | keyword | +| resource.type | | keyword | +| result.evaluation | | keyword | +| rule.remediation | | keyword | +| url.user_info | | keyword | + + ### Insights This is the [`securityhub_insights`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetInsights.html#API_GetInsights_ResponseElements) data stream.
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
index 9c30c32e06c..55e666b0ab4 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
@@ -12,6 +12,6 @@
 - name: event.dataset
 external: ecs
 type: constant_keyword
- value: aws.securityhub_findings
+ value: aws.securityhub_findings_full_posture
 - name: '@timestamp'
 external: ecs
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml
index 03f083a3e5d..3bf8b0dc96f 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml
@@ -1,4 +1,4 @@
-- name: aws.securityhub_findings
+- name: aws.securityhub_findings_full_posture
 type: group
 fields:
 - name: action
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
index 95a85877138..eff989d0072 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
@@ -1,8 +1,8 @@
 source:
 index:
- - "logs-aws.securityhub_findings-*"
+ - "logs-aws.securityhub_findings_full_posture-*"
 dest:
- index: "security_solution-aws.misconfiguration_latest-v1"
+ index: "security_solution-aws.misconfiguration_latest-v2"
 aliases:
 - alias: "security_solution-aws.misconfiguration_latest"
 move_on_creation: true
@@ -20,11 +20,11 @@ sync:
 retention_policy:
 time:
 field: "@timestamp"
- max_age: 90d
+ max_age: 24h
 settings:
 unattended: true
 _meta:
 managed: true
 # Bump this version to delete, reinstall, and restart the transform during package.
 # Version bump is needed if there is any code change in transform.
- fleet_transform_version: 0.1.0
+ fleet_transform_version: 0.2.0
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index 313b1b38330..4e5aea02842 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.1
 name: aws
 title: AWS
-version: 2.45.2
+version: 3.0.0
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories:
@@ -11,7 +11,7 @@ conditions:
 elastic:
 subscription: basic
 kibana:
- version: "^8.16.5 || ^9.0.0"
+ version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0"
 screenshots:
 - src: /img/metricbeat-aws-overview.png
 title: metricbeat aws overview
@@ -718,6 +718,7 @@ policy_templates:
 description: Collect AWS Security Hub Logs with Elastic Agent.
 data_streams:
 - securityhub_findings
+ - securityhub_findings_full_posture
 - securityhub_insights
 categories:
 - security
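Review bot: The new `max_age: 24h` retention in the second transform.yml hunk is exactly the length of the full-posture collection cycle this package documents, so a poll that runs late, is throttled, or fails leaves the `security_solution-aws.misconfiguration_latest` alias (re-pointed to the v2 index in the first hunk) with an empty or partial misconfiguration view until the next successful run. Either give the retention a margin above the collection interval or record the coupling at the setting, e.g. `# Must stay >= the securityhub_findings_full_posture collection interval; shorter retention empties the latest view between polls.` The v1 destination index is not touched by this change; whether Fleet removes it on the `fleet_transform_version` reinstall is not visible here and is worth confirming so stale findings do not linger under the old name.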
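Review bot: The tightened Kibana constraint `~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0` in the second manifest.yml hunk drops 8.16.5 and 8.17.0–8.17.3, which `^8.16.5` previously accepted, but nothing in the manifest says which capability those patch releases provide. A short comment above the `version:` line naming the dependency (presumably transform or data-stream support for the new `securityhub_findings_full_posture` stream) would let operators planning the 3.0.0 upgrade understand why their stack may be rejected.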