Data Source: AWS Security Hub

Description

Data source object for AWS Security Hub findings (the `aws_securityhub_finding` source, ingested as the `aws:securityhub:finding` sourcetype).

Details

Property Value
Source aws_securityhub_finding
Sourcetype aws:securityhub:finding

Supported Apps

Event Fields

+ Fields
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">AwsAccountId</span>
  
  <span class="pill kill-chain">CreatedAt</span>
  
  <span class="pill kill-chain">Description</span>
  
  <span class="pill kill-chain">FirstObservedAt</span>
  
  <span class="pill kill-chain">GeneratorId</span>
  
  <span class="pill kill-chain">Id</span>
  
  <span class="pill kill-chain">LastObservedAt</span>
  
  <span class="pill kill-chain">ProductArn</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/actionType</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/api</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/additionalInfo/sample</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/archived</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/count</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/detectorId</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/eventFirstSeen</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/eventLastSeen</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/resourceRole</span>
  
  <span class="pill kill-chain">ProductFields.aws/guardduty/service/serviceName</span>
  
  <span class="pill kill-chain">ProductFields.aws/securityhub/CompanyName</span>
  
  <span class="pill kill-chain">ProductFields.aws/securityhub/FindingId</span>
  
  <span class="pill kill-chain">ProductFields.aws/securityhub/ProductName</span>
  
  <span class="pill kill-chain">RecordState</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.ImageId</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.IpV4Addresses{}</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.LaunchedAt</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.SubnetId</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.Type</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsEc2Instance.VpcId</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsIamAccessKey.PrincipalId</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsIamAccessKey.PrincipalName</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsIamAccessKey.PrincipalType</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsS3Bucket.CreatedAt</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsS3Bucket.OwnerId</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID</span>
  
  <span class="pill kill-chain">Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm</span>
  
  <span class="pill kill-chain">Resources{}.Id</span>
  
  <span class="pill kill-chain">Resources{}.Partition</span>
  
  <span class="pill kill-chain">Resources{}.Region</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag1</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag2</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag3</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag4</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag5</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag6</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag7</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag8</span>
  
  <span class="pill kill-chain">Resources{}.Tags.GeneratedFindingInstaceTag9</span>
  
  <span class="pill kill-chain">Resources{}.Tags.foo</span>
  
  <span class="pill kill-chain">Resources{}.Type</span>
  
  <span class="pill kill-chain">SchemaVersion</span>
  
  <span class="pill kill-chain">Severity.Label</span>
  
  <span class="pill kill-chain">Severity.Normalized</span>
  
  <span class="pill kill-chain">Severity.Product</span>
  
  <span class="pill kill-chain">SourceUrl</span>
  
  <span class="pill kill-chain">Title</span>
  
  <span class="pill kill-chain">Types{}</span>
  
  <span class="pill kill-chain">UpdatedAt</span>
  
  <span class="pill kill-chain">Workflow.Status</span>
  
  <span class="pill kill-chain">WorkflowState</span>
  
  <span class="pill kill-chain">accesskey_extract</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">body</span>
  
  <span class="pill kill-chain">description</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_type</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">instance_extract</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">s3bucket_extract</span>
  
  <span class="pill kill-chain">severity</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">type</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_region</span>
  

Example Log

1{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in an unusual way.","SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317","FirstObservedAt":"2020-09-28T22:26:15.636Z","CreatedAt":"2020-09-28T22:26:15.636Z","RecordState":"ACTIVE","Title":"Unusual reads of objects in S3 bucket GeneratedFindingS3Bucket.","Workflow":{"Status":"NEW"},"LastObservedAt":"2020-09-28T22:26:15.636Z","Severity":{"Normalized":20,"Label":"LOW","Product":2},"UpdatedAt":"2020-09-28T22:26:15.636Z","WorkflowState":"NEW","ProductFields":{"aws/guardduty/service/archived":"false","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg":"GeneratedFindingASNOrg","aws/guardduty/service/additionalInfo/unusual/userNames.0_":"GeneratedFindingUserName","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org":"GeneratedFindingORG","aws/guardduty/service/resourceRole":"TARGET","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp":"GeneratedFindingISP","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat":"0","aws/guardduty/service/count":"1","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4":"198.51.100.0","aws/guardduty/service/additionalInfo/sample":"true","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName":"GeneratedFindingCountryName","aws/guardduty/service/action/awsApiCallAction/callerType":"Remote 
IP","aws/guardduty/service/action/awsApiCallAction/serviceName":"GeneratedFindingAPIServiceName","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName":"GeneratedFindingCityName","aws/guardduty/service/action/awsApiCallAction/api":"GeneratedFindingAPIName","aws/guardduty/service/serviceName":"guardduty","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon":"0","aws/guardduty/service/detectorId":"48ba636359b884eb132865311fdeb317","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn":"-1","aws/guardduty/service/eventFirstSeen":"2020-09-28T22:26:15.636Z","aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket":"GeneratedFindingS3Bucket","aws/guardduty/service/eventLastSeen":"2020-09-28T22:26:15.636Z","aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_":"1513609200000","aws/guardduty/service/action/actionType":"AWS_API_CALL","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317/finding/6aba6b696aea10606e8b336f68d98819","aws/securityhub/ProductName":"GuardDuty","aws/securityhub/CompanyName":"Amazon"},"AwsAccountId":"802684071507","Id":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317/finding/6aba6b696aea10606e8b336f68d98819","Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"Type":"m3.xlarge","VpcId":"GeneratedFindingVPCId","ImageId":"ami-99999999","IpV4Addresses":["10.0.0.1","198.51.100.0"],"SubnetId":"GeneratedFindingSubnetId","LaunchedAt":"2016-08-02T02:05:06Z","IamInstanceProfileArn":"arn:aws:iam::802684071507:example/instance/profile"}},"Region":"us-east-1","Id":"arn:aws:ec2:us-east-1:802684071507:instance/i-99999999","Tags":{"GeneratedFindingInstaceTag7":"GeneratedFindingInstaceTagValue7","GeneratedFindingInstaceTag8":"GeneratedFindingInstaceTagValue8","GeneratedFindingInstaceTag9"
:"GeneratedFindingInstaceTagValue9","GeneratedFindingInstaceTag1":"GeneratedFindingInstaceValue1","GeneratedFindingInstaceTag2":"GeneratedFindingInstaceTagValue2","GeneratedFindingInstaceTag3":"GeneratedFindingInstaceTagValue3","GeneratedFindingInstaceTag4":"GeneratedFindingInstaceTagValue4","GeneratedFindingInstaceTag5":"GeneratedFindingInstaceTagValue5","GeneratedFindingInstaceTag6":"GeneratedFindingInstaceTagValue6"}},{"Partition":"aws","Type":"AwsIamAccessKey","Details":{"AwsIamAccessKey":{"PrincipalId":"GeneratedFindingPrincipalId","PrincipalName":"GeneratedFindingUserName","PrincipalType":"IAMUser"}},"Region":"us-east-1","Id":"AWS::IAM::AccessKey:GeneratedFindingAccessKeyId"},{"Partition":"aws","Type":"AwsS3Bucket","Details":{"AwsS3Bucket":{"OwnerId":"CanonicalId of Owner","CreatedAt":"2017-12-18T15:58:11.551Z","ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"SSEAlgorithm","KMSMasterKeyID":"arn:aws:kms:region:123456789012:key/key-id"}}]}}},"Region":"us-east-1","Id":"arn:aws:s3:::bucketName","Tags":{"foo":"bar"}}]}

Source: GitHub | Version: 1