forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathaws_security_hub.yml
More file actions
129 lines (129 loc) · 9.21 KB
/
aws_security_hub.yml
File metadata and controls
129 lines (129 loc) · 9.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: AWS Security Hub
id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
version: 2
date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs an event when AWS Security Hub identifies potential security risks
or deviations from configured best practices across AWS accounts.
mitre_components:
- Cloud Service Metadata
- Cloud Service Enumeration
- Cloud Service Modification
- Cloud Service Disable
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
version: 8.1.0
fields:
- _time
- AwsAccountId
- CreatedAt
- Description
- FirstObservedAt
- GeneratorId
- Id
- LastObservedAt
- ProductArn
- ProductFields.aws/guardduty/service/action/actionType
- ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
- ProductFields.aws/guardduty/service/action/awsApiCallAction/api
- ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
- ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
- ProductFields.aws/guardduty/service/additionalInfo/sample
- ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
- ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
- ProductFields.aws/guardduty/service/archived
- ProductFields.aws/guardduty/service/count
- ProductFields.aws/guardduty/service/detectorId
- ProductFields.aws/guardduty/service/eventFirstSeen
- ProductFields.aws/guardduty/service/eventLastSeen
- ProductFields.aws/guardduty/service/resourceRole
- ProductFields.aws/guardduty/service/serviceName
- ProductFields.aws/securityhub/CompanyName
- ProductFields.aws/securityhub/FindingId
- ProductFields.aws/securityhub/ProductName
- RecordState
- Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
- Resources{}.Details.AwsEc2Instance.ImageId
- Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
- Resources{}.Details.AwsEc2Instance.LaunchedAt
- Resources{}.Details.AwsEc2Instance.SubnetId
- Resources{}.Details.AwsEc2Instance.Type
- Resources{}.Details.AwsEc2Instance.VpcId
- Resources{}.Details.AwsIamAccessKey.PrincipalId
- Resources{}.Details.AwsIamAccessKey.PrincipalName
- Resources{}.Details.AwsIamAccessKey.PrincipalType
- Resources{}.Details.AwsS3Bucket.CreatedAt
- Resources{}.Details.AwsS3Bucket.OwnerId
- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
- Resources{}.Id
- Resources{}.Partition
- Resources{}.Region
- Resources{}.Tags.GeneratedFindingInstaceTag1
- Resources{}.Tags.GeneratedFindingInstaceTag2
- Resources{}.Tags.GeneratedFindingInstaceTag3
- Resources{}.Tags.GeneratedFindingInstaceTag4
- Resources{}.Tags.GeneratedFindingInstaceTag5
- Resources{}.Tags.GeneratedFindingInstaceTag6
- Resources{}.Tags.GeneratedFindingInstaceTag7
- Resources{}.Tags.GeneratedFindingInstaceTag8
- Resources{}.Tags.GeneratedFindingInstaceTag9
- Resources{}.Tags.foo
- Resources{}.Type
- SchemaVersion
- Severity.Label
- Severity.Normalized
- Severity.Product
- SourceUrl
- Title
- Types{}
- UpdatedAt
- Workflow.Status
- WorkflowState
- accesskey_extract
- app
- body
- description
- dest
- dest_type
- eventtype
- host
- id
- index
- instance_extract
- linecount
- punct
- s3bucket_extract
- severity
- severity_id
- signature
- signature_id
- source
- sourcetype
- splunk_server
- subject
- tag
- tag::eventtype
- timestamp
- type
- vendor_account
- vendor_region
example_log: '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal
GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in
an unusual way.","SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317","FirstObservedAt":"2020-09-28T22:26:15.636Z","CreatedAt":"2020-09-28T22:26:15.636Z","RecordState":"ACTIVE","Title":"Unusual
reads of objects in S3 bucket GeneratedFindingS3Bucket.","Workflow":{"Status":"NEW"},"LastObservedAt":"2020-09-28T22:26:15.636Z","Severity":{"Normalized":20,"Label":"LOW","Product":2},"UpdatedAt":"2020-09-28T22:26:15.636Z","WorkflowState":"NEW","ProductFields":{"aws/guardduty/service/archived":"false","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg":"GeneratedFindingASNOrg","aws/guardduty/service/additionalInfo/unusual/userNames.0_":"GeneratedFindingUserName","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org":"GeneratedFindingORG","aws/guardduty/service/resourceRole":"TARGET","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp":"GeneratedFindingISP","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat":"0","aws/guardduty/service/count":"1","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4":"198.51.100.0","aws/guardduty/service/additionalInfo/sample":"true","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName":"GeneratedFindingCountryName","aws/guardduty/service/action/awsApiCallAction/callerType":"Remote
IP","aws/guardduty/service/action/awsApiCallAction/serviceName":"GeneratedFindingAPIServiceName","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName":"GeneratedFindingCityName","aws/guardduty/service/action/awsApiCallAction/api":"GeneratedFindingAPIName","aws/guardduty/service/serviceName":"guardduty","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon":"0","aws/guardduty/service/detectorId":"48ba636359b884eb132865311fdeb317","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn":"-1","aws/guardduty/service/eventFirstSeen":"2020-09-28T22:26:15.636Z","aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket":"GeneratedFindingS3Bucket","aws/guardduty/service/eventLastSeen":"2020-09-28T22:26:15.636Z","aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_":"1513609200000","aws/guardduty/service/action/actionType":"AWS_API_CALL","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317/finding/6aba6b696aea10606e8b336f68d98819","aws/securityhub/ProductName":"GuardDuty","aws/securityhub/CompanyName":"Amazon"},"AwsAccountId":"802684071507","Id":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317/finding/6aba6b696aea10606e8b336f68d98819","Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"Type":"m3.xlarge","VpcId":"GeneratedFindingVPCId","ImageId":"ami-99999999","IpV4Addresses":["10.0.0.1","198.51.100.0"],"SubnetId":"GeneratedFindingSubnetId","LaunchedAt":"2016-08-02T02:05:06Z","IamInstanceProfileArn":"arn:aws:iam::802684071507:example/instance/profile"}},"Region":"us-east-1","Id":"arn:aws:ec2:us-east-1:802684071507:instance/i-99999999","Tags":{"GeneratedFindingInstaceTag7":"GeneratedFindingInstaceTagValue7","GeneratedFindingInstaceTag8":"GeneratedFindingInstaceTagValue8","GeneratedFindingInstaceTag9":"GeneratedFindingInstaceTagValue9","GeneratedFindingInstaceTag1":"GeneratedFindingInstaceValue1","GeneratedFindingInstaceTag2":"GeneratedFindingInstaceTagValue2","GeneratedFindingInstaceTag3":"GeneratedFindingInstaceTagValue3","GeneratedFindingInstaceTag4":"GeneratedFindingInstaceTagValue4","GeneratedFindingInstaceTag5":"GeneratedFindingInstaceTagValue5","GeneratedFindingInstaceTag6":"GeneratedFindingInstaceTagValue6"}},{"Partition":"aws","Type":"AwsIamAccessKey","Details":{"AwsIamAccessKey":{"PrincipalId":"GeneratedFindingPrincipalId","PrincipalName":"GeneratedFindingUserName","PrincipalType":"IAMUser"}},"Region":"us-east-1","Id":"AWS::IAM::AccessKey:GeneratedFindingAccessKeyId"},{"Partition":"aws","Type":"AwsS3Bucket","Details":{"AwsS3Bucket":{"OwnerId":"CanonicalId
of Owner","CreatedAt":"2017-12-18T15:58:11.551Z","ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"SSEAlgorithm","KMSMasterKeyID":"arn:aws:kms:region:123456789012:key/key-id"}}]}}},"Region":"us-east-1","Id":"arn:aws:s3:::bucketName","Tags":{"foo":"bar"}}]}'