AWS Security Finding Format (ASFF)
AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from the third-party product integrations. Security Hub processes these findings using a standard findings format called the AWS Security Finding Format (ASFF), which eliminates the need for time-consuming data conversion efforts. Then it correlates ingested findings across products to prioritize the most important ones.
ASFF syntax
The following is the syntax of the complete finding JSON in the ASFF.
"Findings": [ { "AwsAccountId": "string", "Compliance": { "RelatedRequirements": ["string"], "Status": "string", "StatusReasons": [ { "Description": "string", "ReasonCode": "string" } ] }, "Confidence": number, "CreatedAt": "string", "Criticality": number, "Description": "string", "FirstObservedAt": "string", "GeneratorId": "string", "Id": "string", "LastObservedAt": "string", "Malware": [ { "Name": "string", "Path": "string", "State": "string", "Type": "string" } ], "Network": { "DestinationDomain": "string", "DestinationIpV4": "string", "DestinationIpV6": "string", "DestinationPort": number, "Direction": "string", "OpenPortRange": { "Begin": integer, "End": integer }, "Protocol": "string", "SourceDomain": "string", "SourceIpV4": "string", "SourceIpV6": "string", "SourceMac": "string", "SourcePort": number }, "NetworkPath" : [ { "ComponentId": "string", "ComponentType": "string", "Egress": { "Destination": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] }, "Protocol": "string", "Source": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] } }, "Ingress": { "Destination": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] }, "Protocol": "string", "Source": { "Address": ["string"], "PortRanges": [ { "Begin": integer, "End": integer } ] } } } ], "Note": { "Text": "string", "UpdatedAt": "string", "UpdatedBy": "string" }, "Process": { "LaunchedAt": "string", "Name": "string", "ParentPid": number, "Path": "string", "Pid": number, "TerminatedAt": "string" }, "ProductArn": "string", "ProductFields": { "string" : "string" }, "RecordState": "string", "RelatedFindings": [ { "Id": "string", "ProductArn": "string" } ], "Remediation": { "Recommendation": { "Text": "string", "Url": "string" } }, "Resources": [ { "Details": { "AwsAutoScalingAutoScalingGroup": { "CreatedTime": "string", "HealthCheckGracePeriod": integer, "HealthCheckType": "string", "LaunchConfigurationName": "string", "LoadBalancerNames": ["string"] }, "AwsCloudFrontDistribution": { "DomainName": "string", "Etag": "string", "LastModifiedTime": "string", "Logging": { "Bucket": "string", "Enabled": boolean, "IncludeCookies": boolean, "Prefix": "string" }, "Origins": { "Items": { "OriginPath": "string", "Id": "string", "DomainName": "string" } }, "Status": "string", "WebAclId": "string" }, "AwsCodeBuildProject": { "EncryptionKey": "string", "Environment": { "Type": "string", "Certificate": "string", "ImagePullCredentialsType": "string", "RegistryCredential": { "Credential": "string", "CredentialProvider": "string" } }, "Name": "string", "ServiceRole": "string", "Source": { "Type": "string", "Location": "string", "GitCloneDepth": integer }, "VpcConfig": { "VpcId": "string", "Subnets": ["string"], "SecurityGroupIds": ["string"] } }, "AwsEc2Instance": { "IamInstanceProfileArn": "string", "ImageId": "string", "IpV4Addresses": [ "string" ], "IpV6Addresses": [ "string" ], "KeyName": "string", "LaunchedAt": "string", "SubnetId": "string", "Type": "string", "VpcId": "string" }, "AwsEc2NetworkInterface": { "Attachment": { "AttachmentId": "string", "AttachTime": "string", "DeleteOnTermination": boolean, "DeviceIndex": number, "InstanceId": "string" "InstanceOwnerId": "string", "Status": "string" }, "SecurityGroups": [ { "GroupId": "string", "GroupName": "string" } ], "NetworkInterfaceId": "string", "SourceDestCheck": boolean }, "AwsEc2SecurityGroup": { "GroupId": "string", "GroupName": "string", "IpPermissions": [ { "FromPort": number, "IpProtocol": "string", "IpRanges": [ { "CidrIp": "string" } ], "PrefixListIds": [ {"PrefixListId": "string"} ], "ToPort": number, "UserIdGroupPairs": [ { "UserId": "string", "GroupId": "string" } ] } ], "IpPermissionsEgress": [ { "FromPort": number, "IpProtocol": "string", "IpRanges": [ { "CidrIp": "string" } ], "PrefixListIds": [ {"PrefixListId": "string"} ], "ToPort": number, "UserIdGroupPairs": [ { "UserId": "string", "GroupId": "string" } ] } ], "OwnerId": "string", "VpcId": "string" }, "AwsEc2Volume": { "Attachments": [ { "AttachTime": "string", "DeleteOnTermination": Boolean, "InstanceId": "string", "Status": "string" } ], "CreateTime": "string", "Encrypted": Boolean, "KmsKeyId": "string", "Size": number, "SnapshotId": "string", "Status": "string" }, "AwsEc2Vpc": { "CidrBlockAssociationSet": [ { "AssociationId": "string", "CidrBlock": "string", "CidrBlockState": "string" } ], "DhcpOptionsId": "string", "Ipv6CidrBlockAssociationSet": [ { "AssociationId": "string", "CidrBlockState": "string", "Ipv6CidrBlock": "string" } ], "State": "string" }, "AwsElasticSearchDomain": { "AccessPolicies": "string", "DomainStatus": { "DomainId": "string", "DomainName": "string", "Endpoint": "string", "Endpoints": { "string": "string" } }, "DomainEndpointOptions": { "EnforceHTTPS": boolean, "TLSSecurityPolicy": "string" }, "ElasticsearchVersion": "string", "EncryptionAtRestOptions": { "Enabled": boolean, "KmsKeyId": "string" }, "NodeToNodeEncryptionOptions": { "Enabled": boolean }, "VPCOptions": { "AvailabilityZones": [ "string" ], "SecurityGroupIds": [ "string" ], "SubnetIds": [ "string" ], "VPCId": "string" } }, "AwsElbv2LoadBalancer": { "AvailabilityZones": { "SubnetId": "string", "ZoneName": "string" }, "CanonicalHostedZoneId": "string", "CreatedTime": "string", "DNSName": "string", "IpAddressType": "string", "Scheme": "string", "SecurityGroups": [ "string" ], "State": { "Code": "string", "Reason": "string" }, "Type": "string", "VpcId": "string" }, "AwsIamAccessKey": { "CreatedAt": "string", "PrincipalId": "string", "PrincipalName": "string", "PrincipalType": "string", "Status": "string" }, "AwsIamRole": { "AssumeRolePolicyDocument": "string", "CreateDate": "string", "MaxSessionDuration": number, "Path": "string", "RoleId": "string", "RoleName": "string" }, "AwsKmsKey": { "AWSAccountId": "string", "CreationDate": "string", "KeyId": "string", "KeyManager": "string", "KeyState": "string", "Origin": "string" }, "AwsLambdaFunction": { "Code" { "S3Bucket": "string", "S3Key": "string", "S3ObjectVersion": "string", "ZipFile": "string" }, "CodeSha256": "string", "DeadLetterConfig": { "TargetArn": "string", }, "Environment": { "Variables": { "string": "string" }, "Error": { "ErrorCode": "string", "Message": "string" } }, "FunctionName": "string", "Handler": "string", "KmsKeyArn": "string", "LastModified": "string", "Layers": { "Arn": "string", "CodeSize": number }, "RevisionId": "string", "Role": "string", "Runtime": "string", "Timeout": "integer", "TracingConfig": { "TracingConfig.Mode": "string" }, "Version": "string", "VpcConfig": { "SecurityGroupIds": [ "string" ], "SubnetIds": [ "string" ] }, "MasterArn": "string", "MemorySize": number }, "AwsLambdaLayerVersion": { "CompatibleRuntimes": [ "string" ], "CreatedDate": "string", "Version": number }, "AwsRdsDbInstance": { "AssociatedRoles": [ { "RoleArn": "string", "FeatureName": "string", "Status": "string" } ], "CACertificateIdentifier": "string", "DBClusterIdentifier": "string", "DBInstanceClass": "string", "DBInstanceIdentifier": "string", "DbInstancePort": number, "DbiResourceId": "string", "DBName": "string", "DeletionProtection": boolean, "Endpoint": { "Address": "string", "Port": number, "HostedZoneId": "string" }, "Engine": "string", "EngineVersion": "string", "IAMDatabaseAuthenticationEnabled": boolean, "InstanceCreateTime": "string", "KmsKeyId": "string", "PubliclyAccessible": boolean, "TdeCredentialArn": "string", "StorageEncrypted": boolean, "VpcSecurityGroups": [ { "VpcSecurityGroupId": "string", "Status": "string" } ] }, "AwsS3Bucket": { "CreatedAt": "string", "OwnerId": "string", "OwnerName": "string" "ServerSideEncryptionConfiguration": { "Rules": [ { "ApplyServerSideEncryptionByDefault": { "KMSMasterKeyID": "string", "SSEAlgorithm": "string" } } ] } }, "AwsS3Object": { "ContentType": "string", "ETag": "string", "LastModified": "string", "ServerSideEncryption": "string", "SSEKMSKeyId": "string", "VersionId": "string" }, "AwsSnsTopic": { "KmsMasterKeyId": "string", "Owner": "string", "Subscription": { "Endpoint": "string", "Protocol": "string" }, "TopicName": "string" }, "AwsSqsQueue": { "DeadLetterTargetArn": "string", "KmsDataKeyReusePeriodSeconds": number, "KmsMasterKeyId": "string", "QueueName": "string" }, "AwsWafWebAcl": { "DefaultAction": "string", "Name": "string", "Rules": [ { "Action": { "Type": "string" }, "ExcludedRules": [ { "RuleId": "string" } ], "OverrideAction": { "Type": "string" }, "Priority": number, "RuleId": "string", "Type": "string" } ], "WebAclId": "string" }, "Container": { "ImageId": "string", "ImageName": "string", "LaunchedAt": "string", "Name": "string" }, "Other": { "string" : "string" } }, "Id": "string", "Partition": "string", "Region": "string", "Tags": { "string" : "string" }, "Type": "string" } ], "SchemaVersion": "string", "Severity": { "Label": "string", "Normalized": number, "Original": "string", "Product": number }, "SourceUrl": "string", "ThreatIntelIndicators": [ { "Category": "string", "LastObservedAt": "string", "Source": "string", "SourceUrl": "string", "Type": "string", "Value": "string" } ], "Title": "string", "Types": [ "string" ], "UpdatedAt": "string", "UserDefinedFields": { "string" : "string" }, "VerificationState": "string", "Workflow": { "Status": "string" }, "WorkflowState": "string" }, "Vulnerabilities" : [ { "Cvss": [ { "BaseScore": number, "BaseVector": "string", "Version": "string" }, ], "Id": "string", "ReferenceUrls":["string"], "RelatedVulnerabilities": ["string"], "Vendor": { "Name": "string", "Url":"string", "VendorCreatedAt":"string", "VendorSeverity":"string", "VendorUpdatedAt":"string" }, "VulnerablePackages": [ { "Architecture": "string", "Epoch": "string", "Name": "string", "Release": "string", "Version": "string" } ] } ] ]
ASFF attributes
The following table lists the top-level attributes and objects for the ASFF. For objects, to see the details for the object attributes and subfields, choose the object name.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The AWS account ID that the finding applies to. Type: String (12 digits max) Example:
|
|
No |
Finding details related to a control. Only returned for findings generated from a control. Type: Object Example:
|
|
|
|
No |
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. A finding provider can provide an initial value for this
attribute, but cannot update it after that. This attribute can only
be updated using Type: Integer (range 0–100) Confidence is scored on a 0–100 basis using a ratio scale, where 0 means zero-percent confidence and 100 means 100-percent confidence. However, a data exfiltration detection based on a statistical deviation of network traffic has a much lower confidence because an actual exfiltration hasn't been verified. Example:
|
|
|
Yes |
An ISO8601-formatted timestamp (as defined in RFC-3339 Date and Time
on the Internet: Timestamps The This timestamp must be provided on the first generation of the finding and can't be changed upon subsequent updates to the finding. Type: Timestamp Example:
Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in CloudWatch Events that routes findings to your Amazon S3 bucket. |
|
|
No |
The level of importance that is assigned to the resources that are associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. A finding provider can provide an initial value for this
attribute, but cannot update it after that. This attribute can only
be updated using Type: Integer (range 0–100) Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. At a high level, when assessing criticality, you need to consider the following:
For each resource, consider the following:
You can use the following guidelines:
Example:
|
|
|
Yes |
A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding. Type: String (1,024 characters max) Example:
|
|
|
No |
An ISO8601-formatted timestamp (as defined in RFC-3339 Date and Time
on the Internet: Timestamps Type: Timestamp Because this timestamp reflects the time of when the event or
vulnerability was first observed, it can differ from the
This timestamp should be immutable between updates of the finding record, but can be updated if a more accurate timestamp has been determined. Example:
|
|
|
Yes |
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various solutions from security findings products, this generator can be called a rule, a check, a detector, a plugin, and so on. Type: String (512 characters max) or Amazon Resource Name (ARN) Example:
|
|
|
Yes |
The product-specific identifier for a finding. Type: String (512 characters max) or ARN The finding ID must comply with the following constraints:
These constraints are expected to hold within a findings product, but are not required to hold across findings products. Example:
|
|
|
No |
An ISO8601-formatted timestamp (as defined in RFC-3339 Date and Time
on the Internet: Timestamps Type: Timestamp This timestamp reflects the time of when the event or vulnerability was last or most
recently observed. Consequently, it can differ from the
You can provide this timestamp, but it isn't required upon the
first observation. If you provide the field in this case, the
timestamp should be the same as the Example:
|
|
No |
A list of malware related to a finding. Type: Array of up to five malware objects Example:
|
|
|
No |
The details of network-related information about a finding. Type: Object Example:
|
|
|
No |
A network path that is related to the finding. Each entry in Type: Array of objects |
|
|
No |
A user-defined note that is added to a finding. A finding provider can provide an initial note for a finding, but cannot add notes after that. A note can only be updated using Type: Object Example:
|
|
|
No |
The details of process-related information about a finding. Type: Object Example:
|
|
|
|
Yes |
The ARN generated by Security Hub that uniquely identifies a third-party findings product after the product is registered with Security Hub. Type: ARN The format of this field is
Example:
|
|
|
No |
A data type where security findings products can include additional solution-specific details that aren't part of the defined AWS Security Finding Format. Type: Map of up to 50 key-value pairs This field should not contain redundant data and must not contain data that conflicts with AWS Security Finding Format fields. The " Although not required, products should format field names as
Field names can include alphanumeric characters, white space, and the following symbols: _ . / = + \ - @ Example:
|
|
|
No |
The record state of a finding. By default, when initially generated by a service, findings are considered
The Finding providers can update the record state. Security Hub also automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled. Type: Enum Valid values: Example:
|
|
No |
A list of related findings. A finding provider can provide an initial list of related
findings, but cannot update the list after that. The list of related
findings can only be updated using Type: Array of up to 10 Example:
|
|
|
No |
The remediation options for a finding. Type: Object Example:
|
|
|
Yes |
A set of resource data types that describe the resources that the finding refers to. Type: Array of up to 32 resource objects Example:
|
|
|
|
Yes |
The schema version that a finding is formatted for. The value of this field must be one of the officially published versions identified by AWS. In the current release, the AWS Security Finding Format schema
version is Type: String (10 characters max, conforms to Example:
|
|
Yes |
A finding's severity. The finding must have either A finding provider can provide initial severity information for a
finding, but cannot update it after that. The severity information
can only be updated using Type: Object Example:
|
|
|
|
No |
A URL that links to a page about the current finding in the finding product. Type: URL |
|
No |
Threat intelligence details that are related to a finding. Type: Array of up to five threat intelligence indicator objects Example:
|
|
|
|
Yes |
A finding's title. This field can contain nonspecific boilerplate text or details that are specific to this instance of the finding. Type: String (256 characters max) |
|
|
Yes |
One or more finding types in the format of
Type: Array of 50 strings max
Namespaces are required for all finding types, but categories and classifiers are optional. If you specify a classifier, you must also specify a category. The ' Example:
|
|
|
Yes |
An ISO8601-formatted timestamp (as defined in RFC-3339 Date and Time on the Internet: Timestamps When you update the finding record, you must update this timestamp
to the current timestamp. Upon creation of a finding record, the
Note that Type: Timestamp Findings are deleted 90 days after the most recent update or 90 days after the creation date if no update occurs. To store findings for longer than 90 days, you can configure a rule in CloudWatch Events that routes findings to your Amazon S3 bucket. |
|
|
No |
A list of name-value string pairs that are associated with the finding. These are
custom,
user-defined fields that are added to a finding. These fields can be
generated automatically via your specific configuration. Findings
products must not use this field
for data that the product generates. Instead, findings products can
use the These fields can only be updated using Type: map of up to 50 key-value pairs Example:
|
|
|
No |
The veracity of a finding. Findings products can provide the value of A finding provider can provide an initial value for this attribute, but cannot update
it after that. This attribute can only be updated using Type: Enum Valid values:
|
|
No |
A list of vulnerabilities that apply to the finding. Type: Array of objects |
|
|
No |
Provides information about the status of the investigation into a finding. The workflow status is not intended for finding providers. The workflow status can
only
be updated using Type: Object Example:
|
|
|
|
No |
This field is being deprecated in favor of the The workflow state of a finding. Findings products can provide
the value of Type: Enum Valid values:
Example:
|
Details for AWS Security Finding Format objects
- Compliance
- Malware
- Network
- NetworkPath
- Note
- Process
- RelatedFindings
- Remediation
- Resources
- AwsAutoScalingAutoScalingGroup
- AwsCloudFrontDistribution
- AwsCodeBuildProject
- AwsEc2Instance
- AwsEc2NetworkInterface
- AwsEc2SecurityGroup
- AwsEc2Volume
- AwsEc2Vpc
- AwsElasticSearchDomain
- AwsElbv2LoadBalancer
- AwsIamAccessKey
- AwsIamRole
- AwsKmsKey
- AwsLambdaFunction
- AwsLambdaLayerVersion
- AwsRdsDbInstance
- AwsS3Bucket
- AwsS3Object
- AwsSnsTopic
- AwsSqsQueue
- AwsWafWebAcl
- Container
- Other
- Severity
- ThreatIntelIndicators
- Vulnerabilities
- Workflow
Compliance
Contains finding details related to a control. Only returned for findings that are generated as the result of a check that is run on a control.
Example
"Compliance": { "RelatedRequirements": ["Req1", "Req2"], "Status": "FAILED", "StatusReasons": [ { "ReasonCode": "CLOUDWATCH_ALARMS_NOT_PRESENT", "Description": "CloudWatch alarms do not exist in the account" } ] }
The Compliance object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
For a Security Hub control, the industry or regulatory framework requirements that are related to the control. The check for that control is aligned with those requirements. You can provide up to 32 related requirements. To identify a requirement, use its identifier. Type: Array of strings |
|
|
No |
The result of a security check. Type: Enum Valid values:
Example:
|
|
No |
For findings generated from controls, a list of reasons behind
the value of For the list of status codes and their meanings, see Standards-related information in the ASFF. Type: String Example:
|
StatusReasons
For findings generated from controls, a list of reasons for the value of
Compliance.Status.
"StatusReasons": [ { "Description": "CloudWatch alarms do not exist in the account", "ReasonCode": "CW_ALARMS_NOT_PRESENT" } ]
Each reason in the StatusReasons object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The corresponding description for the reason. Type: String |
|
|
Yes |
A code that represents a reason for the current control status. Type: String For the list of available status codes and their meanings, see Results of security checks. |
Malware
The Malware object provides a list of malware related to a finding. It is an
array that can contain up to five malware objects.
Example
"Malware": [ { "Name": "Stringler", "Type": "COIN_MINER", "Path": "/usr/sbin/stringler", "State": "OBSERVED" } ]
Each malware object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The name of the malware that was observed. Type: String (64 characters max) Example:
|
|
|
No |
The filesystem path of the malware that was observed. Type: String (512 characters max) Example:
|
|
|
No |
The state of the malware that was observed. Type: Enum Valid values: Example:
|
|
|
No |
The type of the malware that was observed. Type: Enum Valid values: Example:
|
Network
The details of network-related information about a finding.
Type: Object
Example:
"Network": { "Direction": "IN", "OpenPortRange": { "Begin": 443, "End": 443 }, "Protocol": "TCP", "SourceIpV4": "1.2.3.4", "SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "SourcePort": "42", "SourceDomain": "example1.com", "SourceMac": "00:0d:83:b1:c0:8e", "DestinationIpV4": "2.3.4.5", "DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "DestinationPort": "80", "DestinationDomain": "example2.com" }
The Network object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The destination domain of network-related information about a finding. Type: String (128 characters max) Example:
|
|
|
No |
The destination IPv4 address of network-related information about a finding. Type: IPv4 Example:
|
|
|
No |
The destination IPv6 address of network-related information about a finding. Type: IPv6 Example:
|
|
|
No |
The destination port of network-related information about a finding. Type: Number (range of 0–65535) Example:
|
|
|
No |
The direction of network traffic that is associated with a finding. Type: Enum Valid values: Example:
|
|
The range of open ports that is present in the network. Type: Object |
||
|
|
No |
The protocol of network-related information about a finding. Type: String (16 characters max) The name should be the IANA registered name Example:
|
|
|
No |
The source domain of network-related information about a finding. Type: String (128 characters max) Example:
|
|
|
No |
The source IPv4 address of network-related information about a finding. Type: IPv4 Example:
|
|
|
No |
The source IPv6 address of network-related information about a finding. Type: IPv6 Example:
|
|
|
No |
The source media access control (MAC) address of network-related information about a finding. Type: String (must match Example:
|
|
|
No |
The source port of network-related information about a finding. Type: Number (range of 0–65535) Example:
|
OpenPortRange
Provides the beginning and end ports of the open port range.
OpenPortRange can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The first port in the port range. Type: Integer |
|
End |
No |
The last port in the port range. Type: Integer |
NetworkPath
The NetworkPath object provides information about a network path that
is relevant to a finding. Each entry under NetworkPath represents a
component of that path.
Example
"NetworkPath" : [ { "ComponentId": "abc-01a234bc56d8901ee", "ComponentType": "AWS::EC2::InternetGateway", "Egress": { "Destination": { "Address": [ "192.0.2.0/24" ], "PortRanges": [ { "Begin": 443, "End": 443 } ] }, "Protocol": "TCP", "Source": { Address": ["203.0.113.0/24"] } }, "Ingress": { "Destination": { "Address": [ "198.51.100.0/24" ], "PortRanges": [ { "Begin": 443, "End": 443 } ] }, "Protocol": "TCP", "Source": { "Address": [ "203.0.113.0/24" ] } } } ]
Each component of the network path can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The identifier of a component in the network path. Type: String |
|
|
Yes |
The type of component. Type: String |
|
No |
Information about the component that comes after the current component in the network path. Type: Object |
|
|
No |
Information about the component that comes before the current component in the network path. Type: Object |
Egress
The Egress object contains information about the component that
comes after the current component in the network path. It can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
Information about the destination of the component. Type: Object |
|
|
|
No |
The protocol used for the component. Type: String |
|
No |
Information about the origin of the component. Type: Object |
Ingress
The Ingress object contains information about the previous
component in the network path. It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
Information about the destination for the previous component. Type: Object |
|
|
|
No |
The protocol used by the previous component. Type: String |
|
No |
Information about the origin of the previous component. Type: Object |
Destination
The Destination object in Egress or
Ingress contains the destination information for the previous
or next component. It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
IP addresses of the previous or next component. Type: Array of strings |
|
|
No |
List of open port ranges for the destination of the previous or next component. Type: Array of objects |
|
|
No |
For an open port range, the beginning of the range. Type: Integer |
|
|
No |
For an open port range, the end of the range. Type: Number |
Source
The Source object under Egress or
Ingress contains information about the origin of the previous
or next component. It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
IP addresses for the origin of the previous or next component. Type: Array of strings |
|
|
No |
List of open port ranges for the origin of the previous or next component. Type: Array of objects |
|
|
No |
For an open port range, the beginning of the range. Type: Integer |
|
|
No |
For an open port range, the end of the range. Type: Number |
Note
The Note object adds a user-defined note to the finding.
A finding provider can provide an initial note for a finding, but cannot add notes
after
that. A note can only be updated using BatchUpdateFindings. Notes can be added by both master
accounts and member accounts.
Example
"Note": { "Text": "Don't forget to check under the mat.", "UpdatedBy": "jsmith", "UpdatedAt": "2018-08-31T00:15:09Z" }
The Note object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The text of a finding note. Type: String (512 characters max) Example:
|
|
|
Yes |
The timestamp of when the note was updated. Type: Timestamp Example:
|
|
|
Yes |
The principal that created a note. Type: String (512 characters max) or ARN Example:
|
Process
The Process object provides process-related details about the
finding.
Example
"Process": { "Name": "syslogd", "Path": "/usr/sbin/syslogd", "Pid": 12345, "ParentPid": 56789, "LaunchedAt": "2018-09-27T22:37:31Z", "TerminatedAt": "2018-09-27T23:37:31Z" }
The Process object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The timestamp for the date and time when the process was launched. Type: Timestamp Example:
|
|
|
No |
The name of the process. Type: String (64 characters max) Example:
|
|
|
No |
The parent process ID. Type: Number Example:
|
|
|
No |
The path to the process executable. Type: String (512 characters max) Example:
|
|
|
No |
The process ID. Type: Number Example:
|
|
|
No |
The timestamp for the date and time when the process was terminated. Type: Timestamp Example:
|
RelatedFindings
The RelatedFindings object provides a list of findings that are related to the
current finding.
A finding provider can provide an initial list of related findings, but cannot update
it
after that. RelatedFindings can only be updated using BatchUpdateFindings. It can only be updated by a
master account. It cannot be updated by a member account.
Example
"RelatedFindings": [ { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" }, { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder-111111111111-x189dx7824" } ]
Each related finding object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The product-generated identifier for a related finding. Type: String (512 characters max) or ARN Example:
|
|
|
Yes |
The ARN of the product that generated a related finding. Type: ARN Example:
|
Remediation
The Remediation object provides information about recommended
remediation steps to address the finding.
Example
"Remediation": { "Recommendation": { "Text": "Run sudo yum update and cross your fingers and toes.", "Url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html" } }
The Remediation object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
A recommendation on how to remediate the issue identified within a finding. The If the recommendation object is present, then either the Type: Object Example:
|
Recommendation
The Recommendation object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
A free-form string that is the recommendation of what to do about the finding when presented to a user. This field can contain nonspecific boilerplate text or details that are specific to this instance of the finding. Type: String (512 characters max) Example:
|
|
|
No |
A URL to link to general remediation information for the finding type of a finding. This URL must not require credentials to access. It must be accessible from the public internet and must not expect any context or session. Type: URL Example:
|
Resources
The Resources object provides information about the resources
involved in a finding.
Type: Array of up to 32 resource objects
Example:
"Resources": [ { "Type": "AwsEc2Instance", "Id": "i-cafebabe", "Partition": "aws", "Region": "us-west-2", "Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" }, "Details": { "AwsEc2Instance": { "Type": "i3.xlarge", "ImageId": "ami-abcd1234", "IpV4Addresses": [ "54.194.252.215", "192.168.1.88" ], "IpV6Addresses": [ "2001:db8:1234:1a2b::123" ], "KeyName": "my_keypair", "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/AdminRole", "VpcId": "vpc-11112222", "SubnetId": "subnet-56f5f633", "LaunchedAt": "2018-05-08T16:46:19.000Z" } } } ]
Each resource object can have the following attributes.
|
Attribute |
Required |
Description |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
No |
This field provides additional details about a single resource using the appropriate subfields. Each resource must be provided in a separate resource object in the
Security Hub provides a set of available subfields for its supported resource types.
These
subfields correspond to values of the resource
For example, if the resource is an S3 bucket, then set the resource The Other subfield
allows you to provide custom fields and values. You use the
Type: Object Example:
|
||||||||
|
|
Yes |
The canonical identifier for the given resource type. For AWS resources that are identified by ARNs, this must be the ARN. For all other AWS resource types that lack ARNs, this must be the identifier as defined by the AWS service that created the resource. For non AWS resources, this should be a unique identifier that is associated with the resource. Type: String (512 characters max) or ARN Example:
|
||||||||
|
|
No |
The canonical AWS partition name that the Region is assigned to. Type: Enum Valid values:
Example:
|
||||||||
|
|
No |
The canonical AWS external Region name where this resource is located. Type: String (16 characters max) Example:
|
||||||||
|
|
No |
A list of AWS tags that are associated with a resource at the time the finding was
processed. Include the Type: Map of up to 50 tags (values are limited to 256 characters max) The following basic restrictions apply to tags:
Example:
|
||||||||
|
|
Yes |
The type of the resource that you are providing details for. Whenever possible, use one of the provided resource types, such as
If the resource type does not match any of the provided resource types, then set the
resource Type: String (256 characters max) Supported values are as follows. If a type has a corresponding subfield, then to view the details for the subfield, choose the type name.
Example:
|
AwsAutoScalingAutoScalingGroup
The AwsAutoScalingAutoScalingGroup object provides details about an automatic
scaling group.
Example
"AwsAutoScalingAutoScalingGroup": { "CreatedTime": "2017-10-17T14:47:11Z", "HealthCheckGracePeriod": 300, "HealthCheckType": "EC2", "LaunchConfigurationName": "mylaunchconf", "LoadBalancerNames": [] }
The AwsAutoScalingAutoScalingGroup object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The date and time when the automatic scaling group was created. Type: String (timestamp) Format: yyyy-MM-ddTHH:mm:ssZ |
|
|
No |
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before it checks the health status of an EC2 instance that has come into service. Type: Integer |
|
|
No |
The service to use for the health checks. Type: String (32 characters max) Valid values: |
|
|
No |
The name of the launch configuration. Type: String (32 characters max) |
|
|
No |
The list of load balancers that are associated with the group. Type: Array of strings Each load balancer name is limited to 255 characters. |
AwsCloudFrontDistribution
The AwsCloudFrontDistribution object provides details about a
distribution configuration.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The domain name corresponding to the distribution. Type: String |
|
|
No |
The entity tag is a hash of the object. Type: String |
|
|
No |
The date and time that the distribution was last modified. Type: String |
|
No |
A complex type that controls whether access logs are written for the distribution. Type: Object |
|
|
No |
A complex type that contains information about origins and origin groups for this distribution. Type: String |
|
|
|
No |
Indicates the current status of the distribution. Type: String |
|
|
No |
A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. Type: String |
Logging
The Logging object provides information about the logging for
the distribution.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The S3 bucket to store the access logs in. Type: String |
|
|
No |
With this field, you can enable or disable the selected distribution. Type: Boolean |
|
|
No |
Specifies whether you want CloudFront to include cookies in access logs. Type: Boolean |
|
|
No |
An optional string that you want CloudFront to prefix to the access log file names for this distribution. Type: String |
Origins
The Origins object contains information about origins and
origin groups for this distribution.
It can contain the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
A complex type that contains origins or origin groups for this distribution. Type: Object |
Each item can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
An optional element that causes CloudFront to request your content from a directory in your S3 bucket or your custom origin. Type: String |
|
|
No |
A unique identifier for the origin or origin group. Type: String |
|
|
No |
Amazon S3 origins: The DNS name of the S3 bucket from which you want CloudFront to get objects for this origin. Type: String |
AwsCodeBuildProject
The AwsCodeBuildProject object provides information about an
AWS CodeBuild project.
Example
"AwsCodeBuildProject": { "EncryptionKey": "my-symm-key", "Environment": { "Type": "LINUX_CONTAINER", "Certificate": "myX509", "ImagePullCredentialsType": "CODEBUILD", "RegistryCredential": { "Credential": "my_dockerhub_secret", "CredentialProvider": "SECRETS_MANAGER" } }, "Name": "my-cd-project", "Source": { "Type": "CODECOMMIT", "Location": "https://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo", "GitCloneDepth": 1 }, "ServiceRole": "arn:aws:iam:myrole", "VpcConfig": { "VpcId": "vpc-1234456", "Subnets": ["sub-12344566"], "SecurityGroupIds": ["sg-123456789012"] } }
The AwsCodeBuildProject object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The AWS KMS customer master key (CMK) to be used for encrypting the build output artifacts. You can use a cross-account KMS key to encrypt the build output artifacts if your service role has permission to that key. You can specify either the ARN of the CMK or, if
available, the CMK alias (using the format
Type: String Length constraints: Minimum length of 1 |
|
No |
Information about the build environment for this build project. Type: Object |
|
|
|
No |
The name of the build project. Type: String Length constraints: Minimum length of 2. Maximum length of 255. Pattern: [A-Za-z0-9][A-Za-z0-9\-_]{1,254} |
|
|
No |
The ARN of the IAM role that enables CodeBuild to interact with dependent AWS services on behalf of the AWS account. Type: String Length constraints: Minimum length of 1 |
|
No |
Information about the build input source code for this build project. Type: Object |
|
|
No |
Information about the VPC configuration that CodeBuild accesses. Type: Object |
Environment
The Environment object provides information about the build
environment for the build project.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The certificate to use with this build project. Type: String |
|
|
No |
The type of credentials CodeBuild uses to pull images in your build. There are two valid values:
When you use a cross-account or private registry
image, you must use Type: String Valid values: |
|
|
No |
The credentials for access to a private registry. Type: Object |
|
|
Yes |
The type of build environment to use for related builds. Type: String Valid values: |
Each registry credential in the RegistryCredentials object
has the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The ARN or name of credentials created using AWS Secrets Manager. The credential can use the name of the credentials only if they exist in your current AWS Region. Type: String Length constraints: Minimum length of 1 |
|
|
Yes |
The service that created the credentials to access a
private Docker registry. The valid value, Type: String Valid values: |
Source
The Source object provides information about the build input
source code for this build project.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Information about the Git clone depth for the build project. Type: Integer Valid range: Minimum value of 0 |
|
|
No |
Information about the location of the source code to be built. Type: String Valid values:
|
|
|
Yes |
The type of repository that contains the source code to be built. Type: String Valid values:
|
VpcConfig
The VpcConfig object provides information about the VPC
configuration that CodeBuild accesses.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
A list of one or more security group IDs in your Amazon VPC. Type: Array of strings Array members: Maximum number of 5 items Length constraints: Minimum length of 1 |
|
|
No |
A list of one or more subnet IDs in your Amazon VPC. Type: Array of strings Array members: Maximum number of 16 items Length constraints: Minimum length of 1 |
|
VpcId |
No |
The ID of the VPC. Type: String Length constraints: Minimum length of 1 |
AwsEc2Instance
The details of an Amazon EC2 instance.
Type: Object
The AwsEc2Instance object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The IAM profile ARN of the instance. Type: String (conforms to the AWS ARN format) |
|
|
No |
The Amazon Machine Image (AMI) ID of the instance. Type: String (64 characters max) |
|
|
No |
The IPv4 addresses that are associated with the instance. Type: Array of up to 10 IPv4 addresses |
|
|
No |
The IPv6 addresses that are associated with the instance. Type: Array of up to 10 IPv6 addresses |
|
|
No |
The key name that is associated with the instance. Type: String (128 characters max) |
|
|
No |
The date and time when the instance was launched. Type: Timestamp |
|
|
No |
The identifier of the subnet where the instance was launched. Type: String (32 characters max) |
|
|
No |
The instance type of the instance. This must be a valid EC2 instance type. Type: String (16 characters max) |
|
|
No |
The identifier of the VPC where the instance was launched. Type: String (32 characters max) |
AwsEc2NetworkInterface
The AwsEc2NetworkInterface object provides information about an Amazon EC2 network
interface.
Example
"AwsEc2NetworkInterface": { "Attachment": { "AttachTime": "2019-01-01T03:03:21Z", "AttachmentId": "eni-attach-43348162", "DeleteOnTermination": true, "DeviceIndex": 123, "InstanceId": "i-1234567890abcdef0", "InstanceOwnerId": "123456789012", "Status": 'ATTACHED' }, "SecurityGroups": [ { "GroupName": "my-security-group", "GroupId": "sg-903004f8" }, ], "NetworkInterfaceId": 'eni-686ea200', "SourceDestCheck": false }
The AwsEc2NetworkInterface object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
Information about the network interface attachment. Type: Object |
|
|
|
No |
The ID of the network interface. Type: String |
|
No |
Security groups for the network interface. Type: Array of group objects |
|
|
|
No |
Indicates whether traffic to or from the instance is validated. Type: Boolean |
Attachment
The Attachment object provides information about the network
interface attachment.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The identifier of the network interface attachment Type: String |
|
|
No |
The timestamp indicating when the attachment initiated. Type: Timestamp |
|
|
No |
Indicates whether the network interface is deleted when the instance is terminated. Type: Boolean |
|
|
No |
The device index of the network interface attachment on the instance. Type: Integer |
|
|
No |
The ID of the instance. Type: String |
|
|
No |
The AWS account ID of the owner of the instance. Type: String |
|
|
No |
The attachment state. Type: String Valid values: |
SecurityGroups
The SecurityGroups object contains the list of security
groups for the network interface.
Each security group can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The ID of the security group. Type: String |
|
GroupName |
The name of the security group. Type: String |
AwsEc2SecurityGroup
The AwsEc2SecurityGroup object describes an Amazon EC2 security
group.
Example
"AwsEc2SecurityGroup": { "GroupName": "MySecurityGroup", "GroupId": "sg-903004f8", "OwnerId": "123456789012", "VpcId": "vpc-1a2b3c4d", "IpPermissions": [ { "IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [ { "UserId": "123456789012", "GroupId": "sg-903004f8" } ], "PrefixListIds": [ {"PrefixListId": "pl-63a5400a"} ] }, { "PrefixListIds": [], "FromPort": 22, "IpRanges": [ { "CidrIp": "203.0.113.0/24" } ], "ToPort": 22, "IpProtocol": "tcp", "UserIdGroupPairs": [] } ] }
The AwsEc2SecurityGroup object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The ID of the security group. Type: String |
|
|
No |
The name of the security group. Type: String |
|
No |
The inbound rules that are associated with the security group. Type: Array of IP permission objects |
|
|
No |
[VPC only] The outbound rules that are associated with the security group. Type: Array of IP permission objects |
|
|
|
No |
The AWS account ID of the owner of the security group. Type: String |
|
|
No |
[VPC only] The ID of the VPC for the security group. Type: String |
IP permission object
The IpPermissions and IpPermissionsEgress
objects both contain an array of IP permission objects.
Each IP permission object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of Type: Integer |
|
|
No |
The IP protocol name ( [VPC only] Use When authorizing security group rules, specifying
For For Type: String |
|
|
No |
The ranges of IP addresses. Type: Array of IP range objects |
|
|
No |
[VPC only] The prefix list IDs for an AWS service. With outbound rules, this is the AWS service to access through a VPC endpoint from instances that are associated with the security group. Type: Array of prefix list ID objects |
|
|
No |
The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of Type: Integer |
|
|
No |
The security group and AWS account ID pairs. Type: Array of user ID group pair objects |
Each entry in the IpRanges array can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
A range of IP addresses. You can either specify a CIDR range or a source security group, but not both. To specify a single IPv4 address, use the /32 prefix length. To specify a single IPv6 address, use the /128 prefix length. Type: String |
Each entry in the PrefixListIds array can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The ID of the prefix. Type: String |
Each entry in the UserIdGroupPairs array can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
GroupId |
No |
The ID of the security group. Type: String |
|
UserId |
No |
The ID of an AWS account. For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned. [Amazon EC2-Classic] Required when adding or removing rules that reference a security group in another AWS account. Type: String |
AwsEc2Volume
The AwsEc2Volume object provides details about an EC2
volume.
Example
"AwsEc2Volume": { "Attachments": [ { "AttachTime": "2017-10-17T14:47:11Z", "DeleteOnTermination": true, "InstanceId": "i-123abc456def789g", "Status": "attached" } ], "CreateTime": "2020-02-24T15:54:30Z", "Encrypted": true, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Size": 80, "SnapshotId": "", "Status": "available" }
The AwsEc2Volume object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
The volume attachments. Type: Array of objects |
|
|
|
No |
The date and time when the volume was created. Type: String (timestamp) Format: yyyy-MM-ddTHH:mm:ssZ |
|
|
No |
Whether the volume is encrypted. Type: Boolean |
|
|
No |
The ARN of the AWS KMS customer master key (CMK) that was used to protect the volume encryption key for the volume. Type: String |
|
|
No |
The size of the volume, in GiBs. Type: Integer |
|
|
No |
The snapshot from which the volume was created. Type: String |
|
|
No |
The volume state. Type: String Valid values: |
Attachments
The Attachments object contains the set of attachments for
the EC2 volume. Each attachment can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The date and time when the attachment initiated. Type: String (timestamp) Format: |
|
|
No |
Whether the EBS volume is deleted when the EC2 instance is terminated. Type: Boolean |
|
|
No |
The identifier of the EC2 instance. Type: String |
|
|
No |
The attachment state of the volume. Type: String Valid values: |
AwsEc2Vpc
The AwsEc2Vpc object provides details about an EC2 virtual private cloud
(VPC).
Example
"AwsEc2Vpc": { "CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-0dc4c852f52abda97", "CidrBlock": "192.0.2.0/24", "CidrBlockState": "associated" } ], "DhcpOptionsId": "dopt-4e42ce28", "Ipv6CidrBlockAssociationSet": [ { "AssociationId": "vpc-cidr-assoc-0dc4c852f52abda97", "CidrBlockState": "associated", "Ipv6CidrBlock": "192.0.2.0/24" } ], "State": "available" }
The AwsEc2Vpc object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
Information about the IPv4 CIDR blocks that are associated with the VPC. Type: Array of objects |
|
|
|
No |
The identifier of the set of Dynamic Host Configuration
Protocol (DHCP) options that are associated with the VPC. If
the default options are associated with the VPC, then this
is Type: String (32 characters max) |
|
No |
Information about the IPv6 CIDR blocks that are associated with the VPC. Type: Array of objects. |
|
|
|
No |
The current state of the VPC. Type: String (32 characters max) Valid values: |
CidrBlockAssociationSet
The CidrBlockAssociationSet object provides a list of IPV4
CIDR block associations.
Each CIDR block association can contain the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The association ID for the IPv4 CIDR block. Type: String (32 characters max) |
|
|
No |
The IPv4 CIDR block. Type: CIDR IPV4 |
|
|
No |
Information about the state of the CIDR block. Type: String (32 characters max) |
IpV6CidrBlockAssociationSet
The IPV6CidrBlockAssociationSet object provides a list of
IPV6 CIDR block associations.
Each CIDR block association can contain the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The association ID for the IPv6 CIDR block. Type: String (32 characters max) |
|
|
No |
Information about the state of the CIDR block. Type: String (32 characters max) |
|
|
No |
The IPv6 CIDR block. Type: CIDR IPV6 |
AwsElasticSearchDomain
The AwsElasticSearchDomain object provides details about an
Elasticsearch domain.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
IAM policy document specifying the access policies for the new Amazon ES domain. Type: String |
|
No |
Additional options for the domain endpoint. Type: Object |
|
|
No |
Details about the domain status. Type: Object |
|
|
|
No |
Elasticsearch version. Type: String |
|
No |
Details about the configuration for encryption at rest. Type: Object |
|
|
No |
Details about the configuration for node-to-node encryption. Type: Object |
|
|
No |
Information that Amazon ES derives based on
Type: Object |
DomainEndpointOptions
The DomainEndpointOptions object provides information about
additional options for the domain endpoint.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Whether to require that all traffic to the domain arrive over HTTPS. Type: Boolean |
|
|
No |
The TLS security policy to apply to the HTTPS endpoint of the Elasticsearch domain. Type: String Valid values:
|
DomainStatus
The DomainStatus object provides details about the domain
status.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Unique identifier for an Amazon ES domain. Type: String |
|
|
No |
Name of an Amazon ES domain. Domain names are unique across all domains owned by the same account within an AWS Region. Domain names must start with a lowercase letter and must be between 3 and 28 characters. Valid characters are a-z (lowercase only), 0-9, and – (hyphen). Type: String |
|
|
No |
Domain-specific endpoint used to submit index, search, and data upload requests to an Amazon ES domain. The endpoint is a service URL. Type: String |
|
|
No |
The key-value pair that exists if the Amazon ES domain uses VPC endpoints. Type: Map of key-value pairs Example:
|
EncryptionAtRestOptions
The EncryptionAtRestOptions object provides details about the
configuration for encryption at rest.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Whether encryption at rest is enabled. Type: Boolean |
|
|
No |
The AWS KMS key ID. Takes the form
Type: String |
NodeToNodeEncryptionOptions
The NodeToNodeEncryptionOptions object provides details about
the configuration for node-to-node encryption.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
Enabled |
No |
Whether node-to-node encryption is enabled. Type: Boolean |
VpcOptions
The VpcOptions object contains information that Amazon ES derives
based on the VPCOptions for the domain.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The list of Availability Zones that are associated with the VPC subnets. Type: Array of strings |
|
|
No |
The list of security group IDs that are associated with the VPC endpoints for the domain Type: Array of strings. |
|
|
No |
A list of subnet IDs that are associated with the VPC endpoints for the domain. Type: Array of strings |
|
|
No |
ID for the VPC. Type: String |
AwsElbv2LoadBalancer
The AwsElbv2LoadBalancer object provides information about a load
balancer.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
The Availability Zones for the load balancer. Type: Object |
|
|
|
No |
The ID of the Amazon Route 53 hosted zone that is associated with the load balancer. Type: String |
|
|
No |
The date and time the load balancer was created. Type: String |
|
|
No |
The public DNS name of the load balancer. Type: String |
|
|
No |
The type of IP addresses used by the subnets for your load balancer. The possible values are Type: String |
|
|
No |
The nodes of an Internet-facing load balancer have public IP addresses. Type: String |
|
|
No |
The IDs of the security groups for the load balancer. Type: Array of strings |
|
No |
The state of the load balancer. Type: Object |
|
|
|
No |
The type of load balancer. Type: String |
|
|
No |
The ID of the VPC for the load balancer. Type: String |
AvailabilityZones
Specifies the Availability Zones for the load balancer.
Each Availability Zone can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The ID of the subnet. Type: String |
|
|
No |
The name of the Availability Zone. Type: String |
State
Information about the state of the load balancer.
The State object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The state code. The initial state of the load balancer is provisioning. After the load balancer is fully set up and ready to route traffic, its state is active. If the load balancer could not be set up, its state is failed. Type: String |
|
|
No |
A description of the state. Type: String |
AwsIamAccessKey
IAM access key details that are related to a finding.
Type: Object
The AwsIamAccessKey object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The creation date and time of the IAM access key that is related to a finding. Type: Timestamp |
|
|
No |
The ID of the principal that is associated with an access key. Type: String |
|
|
No |
The name of the principal. Type: String |
|
|
No |
The type of principal. Type: String |
|
|
No |
The status of the IAM access key that is related to a
finding. Valid values are Type: Enum |
AwsIamRole
Contains information about an IAM role, including all of the role's policies.
Type: Object
The AwsIamRole object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The trust policy that grants permission to assume the role. Type: String |
|
|
No |
The date and time, in ISO 8601 date-time format, when the role was created. Type: String |
|
|
No |
The stable and unique string identifying the role. Type: String |
|
|
No |
The friendly name that identifies the role. Type: String |
|
|
No |
The maximum session duration (in seconds) that you want to set for the specified role. Type: Integer |
|
|
No |
The path to the role. Type: String |
AwsKmsKey
Details about an AWS KMS customer master key (CMK).
Type: Object
The AwsKmsKey object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The AWS account identifier of the account that owns the CMK. Type: String |
|
|
No |
The date and time when the CMK was created. Type: Timestamp |
|
|
Yes |
The globally unique identifier for the CMK. Type: String The minimum length is 1. The maximum length is 2048. |
|
|
No |
The manager of the CMK. CMKs in an AWS account are either customer managed or AWS managed. Type: String Valid values: |
|
|
No |
The state of the CMK. Type: String Valid values: |
|
|
No |
The source of the CMK's key material. When this value is When this value is When this value is Type: String Valid values: |
AwsLambdaFunction
The AwsLambdaFunction object provides details about a Lambda
function's configuration.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
An Type: Object |
|
|
|
No |
The SHA256 hash of the function's deployment package. Type: String |
|
No |
The function's dead letter queue. Type: Object |
|
|
No |
A function's environment variable settings. Type: Object |
|
|
|
No |
The name of the function. Type: String |
|
|
No |
The function that Lambda calls to begin executing your function. Type: String |
|
|
No |
The AWS KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK. Type: String |
|
|
No |
The date and time that the function was last updated, in ISO-8601 format (YYYY-MM-DDThh:mm:ss.sTZD). Type: String |
|
No |
The function's layers. Type: Object |
|
|
|
No |
For Lambda@Edge functions, the ARN of the master function. Type: String |
|
|
No |
The memory that is allocated to the function. Type: Integer |
|
|
No |
The latest updated revision of the function or alias. Type: String |
|
|
No |
The function's execution role. Type: String |
|
|
No |
The runtime environment for the Lambda function. Type: String |
|
|
No |
The amount of time that Lambda allows a function to run before stopping it. Type: Integer |
|
No |
The function's AWS X-Ray tracing configuration. Type: Object |
|
|
|
No |
The version of the Lambda function. Type: String |
|
No |
The function's networking configuration. Type: Object |
Code
An AwsLambdaFunctionCode object.
The Code object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
An S3 bucket in the same AWS Region as your function. The bucket can be in a different AWS account. Type: String |
|
|
No |
The Amazon S3 key of the deployment package. Type: String |
|
|
No |
For versioned objects, the version of the deployment package object to use. Type: String |
|
|
No |
The base64-encoded contents of the deployment package. AWS SDK and AWS CLI clients handle the encoding for you. Type: String |
DeadLetterConfig
Contains information about the Lambda function's dead letter queue.
The DeadLetterConfig object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The Amazon Resource Name (ARN) of the Amazon SQS queue or Amazon SNS topic containing the dead letter queue. Type: String |
Environment
Contains the Lambda function's environment variable settings.
The Environment object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Environment variable key-value pairs. Type: String to string map |
|
|
No |
Error messages for environment variables that couldn't be applied. Type: Object |
The Error object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The error code. Type: String |
|
|
No |
The error message. Type: String |
Layers
The Lambda function's layers.
Each layer object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The Amazon Resource Name (ARN) of the function layer. Type: String |
|
|
No |
The size of the layer archive in bytes. Type: Integer |
TracingConfig
Contains the function's AWS X-Ray tracing configuration.
The TracingConfig object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The tracing mode. Type: String |
VpcConfig
Contains the Lambda function's networking configuration.
The VpcConfig object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
A list of VPC security groups IDs. Type: Array of strings |
|
|
No |
A list of VPC subnet IDs. Type: Array of strings |
AwsLambdaLayerVersion
The AwsLambdaLayerVersion object provides details about a Lambda
layer version.
Example
"AwsLambdaLayerVersion": { "Version": 2, "CompatibleRuntimes": [ "java8" ], "CreatedDate": "2019-10-09T22:02:00.274+0000" }
The AwsLambdaLayerVersion object can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The layer's compatible runtimes. Type: Array of strings Maximum number of items: 5 Valid values: |
|
|
No |
The date that the version was created, in ISO 8601 format. For example, 2018-11-27T15:10:45.123+0000. Type: String |
|
|
No |
The version number. Type: Long |
AwsRdsDbInstance
The AwsRdsDbInstance object provides details about an Amazon RDS DB
instance.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
The IAM roles that are associated with the DB instance. Type: Array of role objects |
|
|
|
No |
The identifier of the CA certificate for this DB instance. Type: String |
|
|
No |
If the DB instance is a member of a DB cluster, contains the name of the DB cluster that the DB instance is a member of. Type: String |
|
|
No |
Contains the name of the compute and memory capacity class of the DB instance. Type: String |
|
|
No |
Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance. Type: String |
|
|
No |
Specifies the port that the DB instance listens on. If the DB instance is part of a DB cluster, this can be a different port than the DB cluster port. Type: Integer |
|
|
No |
The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed. Type: String |
|
|
No |
The meaning of this parameter differs according to the database engine you use. MySQL, MariaDB, SQL Server, PostgreSQL Contains the name of the initial database of this instance that was provided at create time, if one was specified when the DB instance was created. This same name is returned for the life of the DB instance. Type: String Oracle Contains the Oracle System ID (SID) of the created DB instance. Not shown when the returned parameters do not apply to an Oracle DB instance. Type: String |
|
|
No |
Indicates whether the DB instance has deletion protection enabled. The database can't be deleted when deletion protection is enabled. Type: Boolean |
|
No |
Specifies the connection endpoint. Type: Object |
|
|
|
No |
Provides the name of the database engine to be used for this DB instance. Type: String |
|
|
No |
Indicates the database engine version. Type: String |
|
|
No |
True if mapping of IAM accounts to database accounts is enabled, and otherwise false. IAM database authentication can be enabled for the following database engines.
Type: Boolean |
|
|
No |
Provides the date and time the DB instance was created. Type: Timestamp |
|
|
No |
If Type: String |
|
|
No |
Specifies the accessibility options for the DB instance. A value of true specifies an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. A value of false specifies an internal instance with a DNS name that resolves to a private IP address. Type: Boolean |
|
|
No |
Specifies whether the DB instance is encrypted. Type: Boolean |
|
|
No |
The ARN from the key store with which the instance is associated for TDE encryption. Type: String |
|
No |
List of VPC security groups that the DB instance belongs to. Type: Array of objects |
AssociatedRoles
The AssociatedRoles array lists the IAM roles that are associated with the
DB instance.
Each role object in the AssociatedRoles array can have the
following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The name of the feature that is associated with the IAM role. Type: String |
|
|
No |
The ARN of the IAM role that is associated with the DB instance. Type: String |
|
|
No |
Describes the state of association between the IAM role and the DB instance. Type: String Valid values:
|
Endpoint
The Endpoint object provides details about the connection
endpoint for the DB instance.
It can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Specifies the DNS address of the DB instance. Type: String |
|
|
No |
Specifies the ID that Amazon Route 53 assigns when you create a hosted zone. Type: String |
|
|
No |
Specifies the port that the database engine is listening on. Type: Integer |
VpcSecurityGroups
The VpcSecurityGroups array provides the list of VPC security
groups that the DB instance belongs to.
Each object in the VpcSecurityGroups array can have the
following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The name of the VPC security group. Type: String |
|
|
No |
The status of the VPC security group. Type: String |
AwsS3Bucket
The details of an Amazon S3 bucket.
Type: Object
The AwsS3Bucket object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The date and time when the S3 bucket was created. Type: String (uses the RFC 3339 format) |
|
|
No |
The canonical user ID of the owner of the Amazon S3 bucket. Type: String (64 characters max) |
|
|
No |
The display name of the owner of the Amazon S3 bucket. Type: String (128 characters max) |
|
|
No |
The encryption rules that are applied to the S3 bucket. Type: Object Consists of a Example:
|
ApplyServerSideEncryptionByDefault
Specifies the default server-side encryption to apply to new objects in the bucket.
ApplyServerSideEncryptionByDefault can have the following
attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
AWS KMS customer master key (CMK) ID to use for the default encryption. Can be either the key ID or the CMK ARN. Type: String |
|
|
Yes |
Server-side encryption algorithm to use for the default encryption. Type: String Valid values: |
AwsS3Object
Details about an Amazon S3 object.
Example
"AwsS3Object": { "ContentType": "text/html", "ETag": "\"30a6ec7e1a9ad79c203d05a589c8b400\"", "LastModified": "2012-04-23T18:25:43.511Z", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "arn:aws:kms:us-west-2:123456789012:key/4dff8393-e225-4793-a9a0-608ec069e5a7", "VersionId": "ws31OurgOOjH_HHllIxPE35P.MELYaYh" }
AWSS3Object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
A standard MIME type describing the format of the object data. Type: String |
|
|
No |
The opaque identifier assigned by a web server to a specific version of a resource found at a URL. Type: String |
|
|
No |
The date and time when the object was last modified. Type: Datetime |
|
|
No |
If the object is stored using server-side encryption, the value of the server-side encryption algorithm used when storing this object in Amazon S3. Type: String |
|
|
No |
The identifier of the AWS Key Management Service) symmetric customer managed customer master key (CMK) that was used for the object. Type: String |
|
|
No |
The version of the object. Type: String |
AwsSnsTopic
A wrapper type for the topic's Amazon Resource Name (ARN).
Type: Object
The AwsSnsTopic object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK. Type: String |
|
|
No |
Subscription is an embedded property that describes the subscription endpoints of an Amazon SNS topic. Type: Array of objects |
|
|
No |
The name of the topic. Type: String |
|
|
No |
The subscription's owner. Type: String |
Subscription
The Subscription object in an AwsSnsTopic object
can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The subscription's endpoint (format depends on the protocol). Type: String |
|
|
No |
The subscription's protocol. Type: String |
AwsSqsQueue
Data about an Amazon SQS queue.
Type: Object
The AwsSqsQueue object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. Type: Integer |
|
|
No |
The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK. Type: String |
|
|
No |
The name of the new queue. Type: String |
|
|
No |
The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves
messages after
the value of Type: String |
AwsWafWebAcl
The AwsWafWebAcl object provides details about an AWS WAF
WebACL.
Example
"AwsWafWebAcl": { "DefaultAction": "ALLOW", "Name": "MyWafAcl", "Rules": [ { "Action": { "Type": "ALLOW" }, "ExcludedRules": [ { "RuleId": "5432a230-0113-5b83-bbb2-89375c5bfa98" } ], "OverrideAction": { "Type": "NONE" }, "Priority": 1, "RuleId": "5432a230-0113-5b83-bbb2-89375c5bfa98", "Type": "REGULAR" } ], "WebAclId": "waf-1234567890" }
An AwsWafWebAcl object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The action to perform if none of the rules contained in the WebACL match. The action
is specified by the Type: |
|
|
No |
A friendly name or description of the WebACL. You can't change the name of a WebACL after you create it. Type: String Length constraints: Minimum length of 1. Maximum length of 128. |
|
Yes |
A list of rules for the WebACL. Type: Array of objects |
|
|
|
Yes |
A unique identifier for a WebACL. Type: String Length constraints: Minimum length of 1. Maximum length of 128. |
Rule object
The Rules array provides the list of rules for the
WebACL.
Each rule object in the array can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Type: Object |
|
|
No |
An array of rules to exclude from a rule group. This is applicable only when the
Type: Array of objects |
|
|
No |
Use the Any rule in a rule group can potentially block a request. If you set the
However, if you first want to test the rule group, set the
Type: Object |
|
|
Yes |
Specifies the order in which to evaluate the rules in a WebACL. Rules with a lower
value for The value must be a unique integer. If you add multiple rules to a WebACL, the values don't need to be consecutive. Type: Integer |
|
|
Yes |
The identifier for a rule. Type: String Length constraints: Minimum length of 1. Maximum length of 128. |
|
|
No |
The rule type, either The default is Type: String Valid values: |
Each action can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
Specifies how you want AWS WAF to respond to requests that match the settings in a rule.
Type: String Valid values: |
Each excluded rule can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The unique identifier for the rule to exclude from the rule group. Type: String Length constraints: Minimum length of 1. Maximum length of 128. |
Each override action for a rule can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
If set to Type: String Valid values: |
Container
Container details that are related to a finding.
Type: Object
Example:
"Container": { "Name": "Secret Service Container", "ImageId": "image12", "ImageName": "SecSvc v1.2 Image", "LaunchedAt": "2018-09-29T01:25:54Z" }
The Container object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The identifier of the image that is related to a finding. Type: String (128 characters max) |
|
|
No |
The name of the image that is related to a finding. Type: String (128 characters max) |
|
|
No |
The date and time that the container was started. Type: Timestamp |
|
|
No |
The name of the container that is related to a finding. Type: String (128 characters max) |
Other
The Other subfield allows you to provide custom fields and
values. You use the Other subfield in the following cases.
-
The resource type does not have a corresponding subfield. To provide details for the resource, you use the
Othersubfield. -
The subfield for the resource type does not include all of the fields you want to populate. In this case, use the subfield for the resource type to populate the available fields. Use the
Othersubfield to populate the fields that are not in the type-specific subfield. -
The resource type is not one of the provided types. In this case, you set
Resource.TypetoOther, and use theOthersubfield to populate the details.
Type: Map of up to 50 key-value pairs
Each key-value pair must meet the following requirements.
-
The key must contain fewer than 128 characters.
-
The value must contain fewer than 1,024 characters.
Severity
Details about the severity of the finding.
The finding provider can provide the initial severity, but cannot update it after
that. The
severity can only be updated using BatchUpdateFindings. It can only be updated by a
master account. It cannot be updated by a member account.
The finding severity does not consider the criticality of the involved assets or the
underlying resource. Criticality is defined as the level of importance of the
resources that are associated with the finding. For example, a resource that is
associated with a mission critical application versus one that is associated with
nonproduction testing. To capture information about resource criticality, use
the
Criticality field.
The finding must have either Label or Normalized
populated. If neither attribute is populated, then the finding is invalid.
Label is the preferred attribute.
The Severity object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The severity value for the finding. Type: Enum Available values: At a high level, the
|
|
|
No |
The normalized severity of a finding. We plan to deprecate this attribute. Instead of Type: Integer The value of For guidance on setting the value of |
|
|
No |
The native severity from the finding product that generated the finding. Type: String (maximum 64 characters) |
|
|
No |
The native severity as defined by the finding product that generated the finding. This is deprecated in favor of Type: Number (single-precision 32-bit IEEE 754 floating point number, restricted to finite values) |
How Security Hub maps Label and Normalized values
If a BatchImportFindings request for a new finding only
provides Label or only provides Normalized, then Security Hub
automatically populates the value of the other field.
Security Hub does not make any automatic updates based on changes from BatchUpdateFindings.
If BatchImportFindings provides
Normalized and does not provide Label,
Label is set automatically as follows.
|
Normalized |
Label |
|---|---|
|
0 |
|
|
1–39 |
|
|
40–69 |
|
|
70–89 |
|
|
90–100 |
|
If BatchImportFindings only provides
Label and does not provide Normalized,
Normalized is set automatically as follows.
|
Label |
Normalized |
|---|---|
|
|
0 |
|
|
1 |
|
|
40 |
|
|
70 |
|
|
90 |
Guidance for assigning the normalized severity (AWS services and partners)
For findings generated by AWS services and third-party partner products, the severity is based on the following.
-
Most severe – Findings that are associated with actual data loss or denial of service
-
Second-most severe – Findings that are associated with an active compromise but that do not indicate that data loss or other negative effects have occurred
-
Third-most severe – Findings that are associated with issues that indicate potential for a future compromise
We recommend that you use the following guidance when translating findings' native severity scores to a normalized severity for the ASFF.
-
Informational findings. For example, a finding for a passed check or a sensitive data identification.
Suggested score: 0
-
Findings that are associated with issues that could result in future compromises. For example, vulnerabilities, configuration weaknesses, exposed passwords.
This generally aligns to the
Software and Configuration Checksnamespace under a finding's type.Suggested score: 1–39 (Low)
-
Findings that are associated with issues that indicate an active compromise, but no indication that an adversary completed their objectives. For example, malware activity, hacking activity, or unusual behavior detection.
This generally aligns to the
Threat Detections and Unusual Behaviornamespaces under a finding's type.Suggested score: 40–69 (Medium)
-
Findings that indicate that an adversary completed their objectives, such as active data loss or compromise or a denial of service.
This generally aligns to the
Effectsnamespace under a finding's type.Suggested score: 70–100 (High or Critical)
ThreatIntelIndicators
Threat intelligence details that are related to a finding.
Type: Array of up to five threat intelligence indicator objects
Example:
"ThreatIntelIndicators": [ { "Type": "IPV4_ADDRESS", "Value": "8.8.8.8", "Category": "BACKDOOR", "LastObservedAt": "2018-09-27T23:37:31Z", "Source": "Threat Intel Weekly", "SourceUrl": "http://threatintelweekly.org/backdoors/8888" } ]
Each threat intelligence indicator object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The category of a threat intel indicator. Type: Enum Valid values: |
|
|
No |
The date and time of the last observation of a threat intelligence indicator. Type: Timestamp |
|
|
No |
The source of the threat intelligence. Type: String (64 characters max) |
|
|
No |
The URL for more details from the source of the threat intelligence. Type: URL |
|
|
No |
The type of a threat intelligence indicator. Type: Enum Valid values: |
|
|
No |
The value of a threat intelligence indicator. Type: String (512 characters max) |
Vulnerabilities
The Vulnerabilities object provides a list of vulnerabilities that are
associated with the findings.
Example
"Vulnerabilities" : [ { "Cvss": [ { "BaseScore": 4.7, "BaseVector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "Version": "V3" }, { "BaseScore": 4.7, "BaseVector": "AV:L/AC:M/Au:N/C:C/I:N/A:N", "Version": "V2" } ], "Id": "CVE-2020-12345", "ReferenceUrls":[ "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" ], "RelatedVulnerabilities": ["CVE-2020-12345"], "Vendor": { "Name": "Alas", "Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html", "VendorCreatedAt":"2020-01-16T00:01:43Z", "VendorSeverity":"Medium", "VendorUpdatedAt":"2020-01-16T00:01:43Z" }, "VulnerablePackages": [ { "Architecture": "x86_64", "Epoch": "1", "Name": "openssl", "Release": "16.amzn2.0.3", "Version": "1.0.2k" } ] } ]
Each vulnerability can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
No |
Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability. Type: Array of objects |
|
|
|
Yes |
The identifier of the vulnerability. Type: String (32 characters max) |
|
|
No |
A list of URLs that provide additional information about the vulnerability. Type: Array of strings |
|
|
No |
List of vulnerabilities that are related to this vulnerability. For each vulnerability, provide the vulnerability ID. Type: Array of strings |
|
No |
Information about the vendor that generates the vulnerability report. Type: Object |
|
|
No |
List of packages that have the vulnerability. Type: Array of objects |
Cvss
The Cvss object provides a list of CVSS scores for the
vulnerability.
Each CVSS score can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The base CVSS score. Type: Number |
|
|
No |
The base scoring vector for the CVSS score. Type: String |
|
|
No |
The version of CVSS for the CVSS score. Type: String |
Vendor
The Vendor object provides information about the vendor that
generated the vulnerability advisory for the vulnerability.
The Vendor object can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
Yes |
The name of the vendor. Type: String (32 characters max) |
|
|
No |
The URL of the vulnerability advisory. Type: String |
|
|
No |
The date and time when the vulnerability advisory was created. Type: String (timestamp) Format: |
|
|
No |
The severity that the vendor assigned to the vulnerability. Type: String (32 characters max) |
|
|
No |
The date and time when the vulnerability advisory was last updated. Type: String (timestamp) Format: |
VulnerablePackages
The VulnerablePackages object provides the list of packages that
have the vulnerability.
Each package can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The architecture used for the vulnerable package. Type: String |
|
|
No |
The epoch for the vulnerable package. Type: String |
|
|
No |
The name of the vulnerable package. Type: String |
|
|
No |
The release for the vulnerable package. Type: String |
|
|
No |
The version of the vulnerable package. Type: String |
Workflow
The Workflow object provides information about the status of the
investigation into a finding.
It is not intended for finding providers. It is only to be used by customers and by remediation, orchestration, and ticketing tools used by customers.
The workflow status can only be updated using BatchUpdateFindings. Customers can also update it from
the console. See Setting the workflow status for a finding. The workflow status can
only be updated by a master account. It cannot be updated by a member
account.
Workflow can have the following attributes.
|
Attribute |
Required |
Description |
|---|---|---|
|
|
No |
The status of the investigation into the finding. Type: Enum Valid values:
|
Types taxonomy for ASFF
The following information describes the first three levels of the Types path.
In the list, the top-level bullets are namespaces, the second-level bullets are
categories, and the third-level bullets are classifiers. Only the Software and
Configuration Checks namespace has defined classifiers.
-
Namespaces
-
Categories
-
Classifiers
-
-
Finding providers must use the defined namespaces. The defined categories and classifiers are recommended for use, but are not required.
A finding provider might define a partial path for namespace/category/classifier. For example, the following finding types are all valid.
-
TTPs
-
TTPs/Defense Evasion
-
TTPs/Defense Evasion/CloudTrailStopped
TTPs stands for tactics, techniques, and procedures. The TTP categories in the following
list align to the MITRE
ATT&CK MatrixTM
-
Software and Configuration Checks
-
Vulnerabilities
-
CVE
-
-
AWS Security Best Practices
-
Network Reachability
-
Runtime Behavior Analysis
-
-
Industry and Regulatory Standards
-
CIS Host Hardening Benchmarks
-
CIS AWS Foundations Benchmark
-
PCI-DSS Controls
-
Cloud Security Alliance Controls
-
ISO 90001 Controls
-
ISO 27001 Controls
-
ISO 27017 Controls
-
ISO 27018 Controls
-
SOC 1
-
SOC 2
-
HIPAA Controls (USA)
-
NIST 800-53 Controls (USA)
-
NIST CSF Controls (USA)
-
IRAP Controls (Australia)
-
K-ISMS Controls (Korea)
-
MTCS Controls (Singapore)
-
FISC Controls (Japan)
-
My Number Act Controls (Japan)
-
ENS Controls (Spain)
-
-