AWS Security Finding Format (ASFF)

AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from the third-party product integrations. Security Hub processes these findings using a standard findings format called the AWS Security Finding Format (ASFF), which eliminates the need for time-consuming data conversion efforts. Then it correlates ingested findings across products to prioritize the most important ones.

Contents

• ASFF syntax
• ASFF attributes
  • Required attributes
  • Other top-level attributes
  • Action
    • AwsApiCallAction
      • DomainDetails
    • DnsRequestAction
    • NetworkConnectionAction
      • RemotePortDetails
    • PortProbeAction
      • PortProbeDetails
    • LocalPortDetails
    • RemoteIpDetails
      • City
      • Country
      • Geolocation
      • Organization
  • Compliance
    • StatusReasons
  • FindingProviderFields
  • Malware
  • Network (Deprecated)
    • OpenPortRange
  • NetworkPath
    • Egress
    • Ingress
    • Destination
    • Source
  • Note
  • PatchSummary
  • Process
  • RelatedFindings
  • Remediation
    • Recommendation
  • Resources
    • DataClassification
      • Result
      • CustomDataIdentifiers
      • SensitiveData
      • Detections
      • Cells
      • LineRanges
      • OffsetRanges
      • Pages
      • Records
    • AwsApiGatewayRestApi
      • EndpointConfiguration
    • AwsApiGatewayStage
      • AccessLogSettings
      • CanarySettings
      • MethodSettings
    • AwsApiGatewayV2Api
      • CorsConfiguration
    • AwsApiGatewayV2Stage
      • AccessLogSettings
      • DefaultRouteSettings and RouteSettings
    • AwsAutoScalingAutoScalingGroup
    • AwsAutoScalingLaunchConfiguration
      • BlockDeviceMappings
        • Ebs
    • AwsCertificateManagerCertificate
      • DomainValidationOptions
      • ExtendedKeyUsages
      • KeyUsages
      • Options
      • RenewalSummary
    • AwsCloudFrontDistribution
      • CacheBehaviors
      • DefaultCacheBehavior
      • Logging
      • OriginGroups
      • Origins
      • ViewerCertificate
    • AwsCloudTrailTrail
    • AwsCodeBuildProject
      • Artifacts
      • Environment
        • EnvironmentVariables
      • LogsConfig
        • CloudWatchLogs
        • S3Logs
      • Source
      • VpcConfig
    • AwsDynamoDbTable
      • AttributeDefinitions
      • BillingModeSummary
      • GlobalSecondaryIndexes
      • KeySchema
      • LocalSecondaryIndexes
      • Projection (for global and local secondary indexes)
      • ProvisionedThroughput
      • Replicas
      • RestoreSummary
      • SseDescription
      • StreamSpecification
    • AwsEc2Eip
    • AwsEc2Instance
      • NetworkInterfaces
    • AwsEc2NetworkAcl
      • Associations
      • Entries
    • AwsEc2NetworkInterface
      • Attachment
      • Ipv6Addresses
      • PrivateIpAddresses
      • SecurityGroups
    • AwsEc2SecurityGroup
      • IP permission object
    • AwsEc2Subnet
      • Ipv6CidrBlockAssociationSet
    • AwsEc2Volume
      • Attachments
    • AwsEc2Vpc
      • CidrBlockAssociationSet
      • IpV6CidrBlockAssociationSet
    • AwsEc2VpcEndpointService
      • ServiceType
    • AwsEc2VpnConnection
      • Options
      • Routes
      • VgwTelementry
    • AwsEcrContainerImage
    • AwsEcrRepository
      • ImageScanningConfiguration
      • LifecyclePolicy
    • AwsEcsCluster
      • ClusterSettings
      • Configuration
        • LogConfiguration
      • DefaultCapacityProviderStrategy
    • AwsEcsService
      • CapacityProviderStrategy
      • DeploymentConfiguration
        • DeploymentCircuitBreaker
      • DeploymentController
      • LoadBalancers
      • NetworkConfiguration
      • PlacementConstraints
      • PlacementStrategies
      • ServiceRegistries
    • AwsEcsTaskDefinition
      • ContainerDefinitions
      • ContainerDefinitions.DependsOn
      • ContainerDefinitions.Environment
      • ContainerDefinitions.EnvironmentFiles
      • ContainerDefinitions.ExtraHosts
      • ContainerDefinitions.FirelensConfiguration
      • ContainerDefinitions.HealthCheck
      • ContainerDefinitions.LinuxParameters
        • Capabilities
        • Devices
        • Tmpfs
      • ContainerDefinitions.LogConfiguration
        • SecretOptions
      • ContainerDefinitions.MountPoints
      • ContainerDefinitions.PortMappings
      • ContainerDefinitions.RepositoryCredentials
      • ContainerDefinitions.ResourceRequirements
      • ContainerDefinitions.Secrets
      • ContainerDefinitions.SystemControls
      • ContainerDefinitions.Ulimits
      • ContainerDefinitions.VolumesFrom
      • InferenceAccelerators
      • PlacementConstraints
      • ProxyConfiguration
        • ProxyConfigurationProperties
      • Volumes
        • DockerVolumeConfiguration
        • EfsVolumeConfiguration
        • Host
    • AwsEksCluster
      • Logging
      • ResourcesVpcConfig
    • AwsElasticBeanstalkEnvironment
      • EnvironmentLinks
      • OptionSettings
      • Tier
    • AwsElasticSearchDomain
      • DomainEndpointOptions
      • DomainStatus
      • ElasticsearchClusterConfig
      • EncryptionAtRestOptions
      • LogPublishingOptions
      • NodeToNodeEncryptionOptions
      • ServiceSoftwareOptions
      • VpcOptions
    • AwsElbLoadBalancer
      • BackendServerDescriptions
      • HealthCheck
      • Instances
      • ListenerDescriptions
      • LoadBalancerAttributes
      • Policies
      • SourceSecurityGroup
    • AwsElbv2LoadBalancer
      • AvailabilityZones
      • LoadBalancerProperties
      • State
    • AwsIamAccessKey
      • SessionContext
    • AwsIamGroup
      • AttachedManagedPolicies
      • GroupPolicyList
    • AwsIamPolicy
      • PolicyVersionList
    • AwsIamRole
      • AttachedManagedPolicies
      • InstanceProfileList
      • PermissionsBoundary
      • RolePolicyList
    • AwsIamUser
      • AttachedManagedPolicies
      • PermissionsBoundary
      • UserPolicyList
    • AwsKmsKey
    • AwsLambdaFunction
      • Code
      • DeadLetterConfig
      • Environment
      • Layers
      • TracingConfig
      • VpcConfig
    • AwsLambdaLayerVersion
    • AwsOpenSearchServiceDomain
      • ClusterConfig
      • DomainEndpointOptions
      • EncryptionAtRestOptions
      • LogPublishingOptions
      • NodeToNodeEncryptionOptions
      • ServiceSoftwareOptions
      • VpcOptions
    • AwsRdsDbCluster
      • AssociatedRoles
      • DbClusterMembers
      • DbClusterOptionGroupMemberships
      • DomainMemberships
      • VpcSecurityGroups
    • AwsRdsDbClusterSnapshot
    • AwsRdsDbInstance
      • AssociatedRoles
      • DbParameterGroups
      • DbSubnetGroup
      • DomainMemberships
      • Endpoint
      • ListenerEndpoint
      • OptionGroupMemberships
      • PendingModifiedValues
      • ProcessorFeatures
      • StatusInfos
      • VpcSecurityGroups
    • AwsRdsDbSnapshot
    • AwsRdsEventSubscription
    • AwsRedshiftCluster
      • ClusterNodes
      • ClusterParameterGroups
      • ClusterSecurityGroups
      • ClusterSnapshotCopyStatus
      • DeferredMaintenanceWindows
      • ElasticIpStatus
      • Endpoint
      • HsmStatus
      • IamRoles
      • PendingModifiedValues
      • ResizeInfo
      • RestoreStatus
      • VpcSecurityGroups
    • AwsS3AccountPublicAccessBlock
    • AwsS3Bucket
      • BucketLifecycleConfiguration
        • AbortIncompleteMultipartUpload
        • Filter
        • NoncurrentVersionTransitions
        • Transitions
      • BucketLoggingConfiguration
      • BucketNotificationConfiguration
        • Filter
      • BucketWebsiteConfiguration
        • RedirectAllRequestsTo
        • RoutingRules
      • PublicAccessBlockConfiguration
      • ServerSideEncryptionConfiguration
    • AwsS3Object
    • AwsSecretsManagerSecret
    • AwsSnsTopic
      • Subscription
    • AwsSqsQueue
    • AwsSsmPatchCompliance
    • AwsWafRateBasedRule
      • MatchPredicates
    • AwsWafRegionalRateBasedRule
      • MatchPredicates
    • AwsWafWebAcl
      • Rule object
    • AwsXrayEncryptionConfig
    • Container
    • Other
  • Severity
    • Guidance for assigning severity (AWS services and partners)
    • How Security Hub maps Label and Normalized values
  • ThreatIntelIndicators
  • Vulnerabilities
    • Cvss
      • Adjustments
    • Vendor
    • VulnerablePackages
  • Workflow
• Types taxonomy for ASFF