Required attributes - AWS Security Hub

Required attributes

The following attributes are required for all findings in Security Hub. For more information about these required attributes, see AwsSecurityFinding in the AWS Security Hub API Reference.

AwsAccountId

The AWS account ID that the finding applies to.

Example

"AwsAccountId": "111111111111"

CreatedAt

Indicates when the potential security issue captured by a finding was created.

Example

"CreatedAt": "2017-03-22T13:22:13.933Z"

Note

Security Hub deletes findings 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in Amazon EventBridge that routes findings to your S3 bucket.

Description

A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding.

Example

"Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability."

GeneratorId

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding.

Example

"GeneratorId": "acme-vuln-9ab348"

Id

The product-specific identifier for a finding.

Example

"Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef"

ProductArn

The Amazon Resource Name (ARN) generated by Security Hub that uniquely identifies a third-party findings product after the product is registered with Security Hub.

The format of this field is arn:partition:securityhub:region:account-id:product/company-id/product-id.

  • For AWS services that are integrated with Security Hub, the company-id must be "aws", and the product-id must be the AWS public service name. Because AWS products and services aren't associated with an account, the account-id section of the ARN is empty. AWS services that are not yet integrated with Security Hub are considered third-party products.

  • For public products, the company-id and product-id must be the ID values specified at the time of registration.

  • For private products, the company-id must be the account ID. The product-id must be the reserved word "default" or the ID that was specified at the time of registration.

Example

// Private ARN
"ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default"

// Public ARN (integrated AWS service: company-id is "aws" and account-id is empty)
"ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty"

// Public ARN (registered third-party product)
"ProductArn": "arn:aws:securityhub:us-west-2:222222222222:product/generico/secure-pro"
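The three ProductArn rules above are easy to get wrong when a finding provider builds the ARN by hand. The following is an added example (not code from the AWS documentation or any AWS SDK) that parses a ProductArn using only the format and rules stated on this page and reports which rule an ARN violates. The `kind` classification and the check that a private product's account-id matches its company-id are this example's own inferences from the rules and the example ARNs above.

```python
"""Parse and sanity-check a Security Hub ProductArn offline.

Added example, not AWS code. It relies only on the format
arn:partition:securityhub:region:account-id:product/company-id/product-id
and the company-id / product-id rules described on this page.
"""
import re
from dataclasses import dataclass

# account-id is either a 12-digit account number or empty (AWS services).
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):securityhub:(?P<region>[^:]+):"
    r"(?P<account_id>[0-9]{12}|):product/(?P<company_id>[^/]+)/(?P<product_id>[^/]+)$"
)


@dataclass(frozen=True)
class ProductArn:
    partition: str
    region: str
    account_id: str
    company_id: str
    product_id: str

    @property
    def kind(self) -> str:
        """Classify the ARN: AWS service, private product, or public third-party product."""
        if self.company_id == "aws":
            return "aws-service"
        if re.fullmatch(r"[0-9]{12}", self.company_id):
            # A 12-digit company-id is an account ID, which the page reserves for private products.
            return "private"
        return "public"


def parse_product_arn(arn: str) -> ProductArn:
    match = ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a Security Hub product ARN: {arn!r}")
    return ProductArn(**match.groupdict())


def check_product_arn(arn: str) -> list:
    """Return the list of rule violations; an empty list means the ARN is consistent."""
    try:
        arn_parts = parse_product_arn(arn)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    if arn_parts.kind == "aws-service":
        # AWS services are not associated with an account, so account-id must be empty.
        if arn_parts.account_id:
            problems.append("aws product ARN must have an empty account-id section")
    elif arn_parts.kind == "private":
        # Private products use the owning account ID as company-id; assumption made here:
        # the ARN's account-id refers to the same account, as in the page's private example.
        if arn_parts.account_id != arn_parts.company_id:
            problems.append("private product ARN: account-id must equal company-id")
        if arn_parts.product_id != "default" and not arn_parts.product_id:
            problems.append("private product ARN: product-id must be 'default' or a registered ID")
    # Public products: company-id and product-id are whatever was registered; nothing
    # more can be verified without querying Security Hub.
    return problems


if __name__ == "__main__":
    for candidate in (
        "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
        "arn:aws:securityhub:us-west-2::product/aws/guardduty",
        "arn:aws:securityhub:us-west-2:111111111111:product/aws/guardduty",  # constructed bad ARN
    ):
        print(candidate, "->", check_product_arn(candidate) or "ok")
```

Run it against the ARNs a provider is about to place in a BatchImportFindings request; an ARN with an account-id in the "aws" company slot, for instance, is flagged before Security Hub rejects the import.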

Resources

The Resources object provides a set of resource data types that describe the AWS resources that the finding refers to.

Example

"Resources": [
  {
    "Type": "AwsEc2Instance",
    "Id": "arn:aws:ec2:us-west-2:111122223333:instance/i-1234567890abcdef0",
    "Partition": "aws",
    "Region": "us-west-2",
    "ResourceRole": "Target",
    "Tags": {
      "billingCode": "Lotus-1-2-3",
      "needsPatching": "true"
    },
    "Details": {
      "AwsEc2Instance": {
        "IamInstanceProfileArn": "arn:aws:iam::123456789012:role/IamInstanceProfileArn",
        "ImageId": "ami-79fd7eee",
        "IpV4Addresses": ["1.1.1.1"],
        "IpV6Addresses": ["2001:db8:1234:1a2b::123"],
        "KeyName": "testkey",
        "LaunchedAt": "2018-09-29T01:25:54Z",
        "MetadataOptions": {
          "HttpEndpoint": "enabled",
          "HttpProtocolIpv6": "enabled",
          "HttpPutResponseHopLimit": 1,
          "HttpTokens": "optional",
          "InstanceMetadataTags": "disabled"
        },
        "NetworkInterfaces": [
          {
            "NetworkInterfaceId": "eni-e5aa89a3"
          }
        ],
        "SubnetId": "PublicSubnet",
        "Type": "i3.xlarge",
        "VirtualizationType": "hvm",
        "VpcId": "TestVPCIpv6"
      }
    }
  }
]

SchemaVersion

The schema version that a finding is formatted for. The value of this field must be one of the officially published versions identified by AWS. In the current release, the AWS Security Finding Format schema version is 2018-10-08.

Example

"SchemaVersion": "2018-10-08"

Severity

Defines the importance of a finding. For details about this object, see Severity in the AWS Security Hub API Reference.

To designate severity, the finding must have either the Label or Normalized field populated. Label is the preferred attribute. If neither attribute is populated, then the finding is invalid.

To provide severity information, finding providers should use the Severity object under FindingProviderFields when making a BatchImportFindings API request. If a BatchImportFindings request for a new finding only provides Label or only provides Normalized, then Security Hub automatically populates the value of the other field.

The value of the Severity object for a finding should only be updated by the BatchUpdateFindings API operation.

The finding severity does not consider the criticality of the involved assets or the underlying resource. Criticality is defined as the level of importance of the resources that are associated with the finding: for example, a resource that is associated with a mission critical application is more critical than one that is associated with nonproduction testing. To capture information about resource criticality, use the Criticality field.

We recommend using the following guidance when translating findings' native severity scores to the value of Severity.Label in the ASFF.

  • INFORMATIONAL – This category may include a finding for a PASSED, WARNING, or NOT AVAILABLE check or a sensitive data identification.

  • LOW – Findings that could result in future compromises. For example, this category may include vulnerabilities, configuration weaknesses, and exposed passwords.

  • MEDIUM – Findings that indicate an active compromise, but no indication that an adversary completed their objectives. For example, this category may include malware activity, hacking activity, and unusual behavior detection.

  • HIGH or CRITICAL – Findings that indicate that an adversary completed their objectives, such as active data loss or compromise or a denial of service.

Example

"Severity": {
  "Label": "CRITICAL",
  "Original": "8.3"
}

Title

A finding's title. This field can contain nonspecific boilerplate text or details that are specific to this instance of the finding.

Example

"Title": "S3.13 S3 buckets should have lifecycle policies configured"

Types

One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, categories, and classifiers, see Types taxonomy for ASFF.

Types should only be updated using BatchUpdateFindings.

Finding providers who want to provide a value for Types should use the Types attribute under FindingProviderFields.

Example

"Types": [
  "Software and Configuration Checks/Vulnerabilities/CVE"
]

UpdatedAt

Indicates when the finding provider last updated the finding record.

This timestamp reflects the time when the finding record itself was last updated. Consequently, it can differ from the LastObservedAt timestamp, which reflects when the event or vulnerability was most recently observed.

When you update the finding record, you must update this timestamp to the current timestamp. Upon creation of a finding record, the CreatedAt and UpdatedAt timestamps must be the same. After an update to the finding record, the value of this field must be more recent than all of the previous values that it contained.

Note that UpdatedAt cannot be updated by using the BatchUpdateFindings API operation. You can only update it by using BatchImportFindings.

Example

"UpdatedAt": "2017-04-22T13:22:13.933Z"

Note

Security Hub deletes findings 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in Amazon EventBridge that routes findings to your S3 bucket.
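Taken together, the attributes on this page define a minimum shape that every finding must satisfy before BatchImportFindings will accept it. The following is an added example (not AWS documentation or SDK code) of an offline pre-import check that enforces the rules stated here: every required attribute present, SchemaVersion 2018-10-08, Severity carrying Label or Normalized, Types in namespace/category/classifier form, CreatedAt equal to UpdatedAt on creation, and a strictly newer UpdatedAt on every later update. The sample finding is constructed from the example values on this page; the Normalized 0 to 100 range is taken from the Severity API reference rather than from this page, and the helper names are this example's own.

```python
"""Offline validation of the required ASFF attributes before calling BatchImportFindings.

Added example, not AWS code. The sample finding below is constructed from the
example values on this page.
"""
from datetime import datetime, timezone
from typing import Optional

REQUIRED = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id", "ProductArn",
    "Resources", "SchemaVersion", "Severity", "Title", "Types", "UpdatedAt",
)
SEVERITY_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
SCHEMA_VERSION = "2018-10-08"


def parse_ts(value: str) -> datetime:
    """ASFF timestamps are ISO 8601 with a trailing Z, as in the examples on this page."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def format_ts(moment: datetime) -> str:
    """Render a datetime in the millisecond, Z-suffixed form used by the page's examples."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def validate_finding(finding: dict, previous_updated_at: Optional[str] = None) -> list:
    """Return rule violations; an empty list means the finding passes these checks.

    previous_updated_at is the UpdatedAt value already stored for this finding
    Id, or None when the record is being created for the first time.
    """
    problems = [f"missing required attribute {name}" for name in REQUIRED if name not in finding]
    if problems:
        return problems

    if finding["SchemaVersion"] != SCHEMA_VERSION:
        problems.append(f"SchemaVersion must be {SCHEMA_VERSION}")

    severity = finding["Severity"]
    if "Label" not in severity and "Normalized" not in severity:
        problems.append("Severity must have Label or Normalized populated")
    if "Label" in severity and severity["Label"] not in SEVERITY_LABELS:
        problems.append(f"Severity.Label {severity['Label']!r} is not a valid label")
    if "Normalized" in severity and not 0 <= severity["Normalized"] <= 100:
        problems.append("Severity.Normalized must be between 0 and 100")  # API reference range

    if not finding["Resources"]:
        problems.append("Resources must describe at least one resource")

    for finding_type in finding["Types"]:
        parts = finding_type.split("/")
        if len(parts) != 3 or not all(parts):
            problems.append(f"Types entry {finding_type!r} is not namespace/category/classifier")

    created, updated = parse_ts(finding["CreatedAt"]), parse_ts(finding["UpdatedAt"])
    if previous_updated_at is None:
        # New record: the page requires CreatedAt and UpdatedAt to be identical.
        if created != updated:
            problems.append("on creation CreatedAt and UpdatedAt must be equal")
    elif updated <= parse_ts(previous_updated_at):
        # Update: UpdatedAt must be more recent than every earlier value.
        problems.append("UpdatedAt must be more recent than the previous value")
    return problems


def touch_for_update(finding: dict, now: datetime) -> dict:
    """Return a copy of the record ready for re-import, with UpdatedAt moved to `now`."""
    updated = dict(finding)
    updated["UpdatedAt"] = format_ts(now)  # CreatedAt is deliberately left unchanged
    return updated


# Constructed sample finding using the example values from this page.
SAMPLE_FINDING = {
    "AwsAccountId": "111111111111",
    "CreatedAt": "2017-03-22T13:22:13.933Z",
    "UpdatedAt": "2017-03-22T13:22:13.933Z",
    "Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.",
    "GeneratorId": "acme-vuln-9ab348",
    "Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
    "ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-abcd1234"}],
    "SchemaVersion": "2018-10-08",
    "Severity": {"Label": "HIGH", "Original": "8.3"},
    "Title": "Vulnerable openssl version on instance i-abcd1234",
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
}

if __name__ == "__main__":
    print("new record:", validate_finding(SAMPLE_FINDING) or "ok")
    later = touch_for_update(SAMPLE_FINDING, datetime(2017, 4, 22, 13, 22, 13, 933000, tzinfo=timezone.utc))
    print("update:", validate_finding(later, previous_updated_at=SAMPLE_FINDING["UpdatedAt"]) or "ok")
```

Because Security Hub rejects a BatchImportFindings entry whose severity is unset or whose UpdatedAt has not advanced, running this check in the provider's export path turns a silent import failure into an actionable error before the API call.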