Sample exposure finding
Note
Security Hub is in preview release and is subject to change.
Security Hub normalizes exposure findings in the Open Cybersecurity Schema Framework (OCSF).
Sample OCSF schema
In the following sample OCSF schema, the related_events
parameter is an array that contains details unique to the exposure finding, such as the contributing findings (one array element per contributing finding).
Contributing findings are the traits and signals associated with an exposure finding.
A single contributing finding can include one or more traits; in the sample, each contributing finding's traits appear as the values of its tags entry.
The observables
parameter identifies the resource associated with each contributing finding.
This can be different from the resources
parameter, which identifies the resource associated with the exposure finding itself (in the sample, both point to the same Lambda function ARN).
{ "activity_id": 1, "activity_name": "Create", "category_name": "Findings", "category_uid": 2, "class_name": "Detection Finding", "class_uid": 2004, "cloud": { "account": { "uid": "123456789012", "name": "production-application" }, "cloud_partition": "aws", "provider": "AWS", "region": "us-east-1" }, "finding_info": { "analytic": { "name": "Exposure", "type": "Rule", "type_id": 1, "uid": "0.0.1" }, "created_time_dt": "2024-11-15T21:39:26.337224100Z", "desc": "Publicly invocable Lambda function executed outside of VPC has vulnerability with known exploit that can be exploited from remote network", "finding.info.modified_time_dt": "2024-11-15T21:39:26.337224100Z", "related_events_count": 3, "related_events": [ { "tags": [ { "name": "Vulnerability", "values": [ "Attack Vector Network", "EPSS Level >= High", "EPSS Level >= Medium", "Exploit Available", "No Privileges Required", "No User Interaction Required", "Vulnerable" ] } ], "product": { "uid": "arn:aws:securityhub:us-east-1::productv2/aws/inspector" }, "observables": [ { "type": "Resource UID", "type_id": 10, "value": "arn:aws:lambda:us-east-1:123456789012:application-function" } ], "type": "Finding", "title": "CVE-2023-33246 - org.apache.rocketmq:rocketmq-controller", "uid": "arn:aws:inspector2:us-east-1:123456789012:finding/1234567890abcdef0" }, { "tags": [ { "name": "Reachability", "values": [ "Publicly Invocable" ] } ], "product": { "uid": "arn:aws:securityhub:us-east-1::productv2/aws/securityhub" }, "observables": [ { "type": "Resource UID", "type_id": 10, "value": "arn:aws:lambda:us-east-1:123456789012:application-function" } ], "type": "Finding", "title": "Lambda function policies should prohibit public access", "uid": "arn:aws:securityhub:us-east-1:123456789012:security-control/Lambda.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa" }, { "tags": [ { "name": "Misconfiguration", "values": [ "Deployed outside VPC" ] } ], "product": { "uid": "arn:aws:securityhub:us-east-1::productv2/aws/securityhub" }, 
"observables": [ { "type": "Resource UID", "type_id": 10, "value": "arn:aws:lambda:us-east-1:123456789012:application-function" } ], "type": "Finding", "title": "Lambda functions should be in a VPC", "uid": "arn:aws:securityhub:us-east-1:123456789012:security-control/Lambda.3/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "title": "Publicly invocable Lambda function executed outside of VPC has vulnerability with known exploit that can be exploited from remote network", "types": [ "Exposure/Potential Impact/Resource Hijacking" ], "uid": "arn:aws:securityhub:us-east-1:123456789012:risk:1234f781c7ae7507f01e2fb460f15ca8fe7f9c95e257698a092cb74a4ea84a42" }, "metadata": { "product": { "name": "Security Hub Exposure Analysis", "uid": "arn:aws:securityhub:us-east-1::productv2/aws/securityhub-risk", "vendor_name": "Amazon" }, "processed_time_dt": "2024-11-15T21:39:58.819Z", "profiles": [ "cloud", "datetime" ], "version": "1.4.0-dev" }, "resources": [ { "cloud_partition": "aws", "region": "us-east-1", "tags": [ { "name": "aws:cloudformation:stack-name", "value": "VeepLambdaRule3" }, { "name": "aws:cloudformation:stack-id", "value": "arn:aws:cloudformation:us-east-1:123456789012:stack/VeepLambdaRule3/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222" }, { "name": "aws:cloudformation:logical-id", "value": "lambdar3function94D10D40" } ], "type": "AwsLambdaFunction", "uid": "arn:aws:lambda:us-east-1:123456789012:application-function" } ], "severity": "Critical", "severity_id": 5, "status": "New", "status_id": 1, "time": 1731706766337, "time_dt": "2024-11-15T21:39:26.337224100Z", "type_name": "Detection Finding: Create", "type_uid": 200401, "vendor_attributes": { "severity_id": 5, "severity": "Critical" } }