-
Notifications
You must be signed in to change notification settings - Fork 383
/
Copy pathaws_security_hub.yml
123 lines (123 loc) · 8.99 KB
/
aws_security_hub.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: AWS Security Hub
id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS Security Hub
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
version: 7.9.0
fields:
- _time
- AwsAccountId
- CreatedAt
- Description
- FirstObservedAt
- GeneratorId
- Id
- LastObservedAt
- ProductArn
- ProductFields.aws/guardduty/service/action/actionType
- ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
- ProductFields.aws/guardduty/service/action/awsApiCallAction/api
- ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
- ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
- ProductFields.aws/guardduty/service/additionalInfo/sample
- ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
- ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
- ProductFields.aws/guardduty/service/archived
- ProductFields.aws/guardduty/service/count
- ProductFields.aws/guardduty/service/detectorId
- ProductFields.aws/guardduty/service/eventFirstSeen
- ProductFields.aws/guardduty/service/eventLastSeen
- ProductFields.aws/guardduty/service/resourceRole
- ProductFields.aws/guardduty/service/serviceName
- ProductFields.aws/securityhub/CompanyName
- ProductFields.aws/securityhub/FindingId
- ProductFields.aws/securityhub/ProductName
- RecordState
- Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
- Resources{}.Details.AwsEc2Instance.ImageId
- Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
- Resources{}.Details.AwsEc2Instance.LaunchedAt
- Resources{}.Details.AwsEc2Instance.SubnetId
- Resources{}.Details.AwsEc2Instance.Type
- Resources{}.Details.AwsEc2Instance.VpcId
- Resources{}.Details.AwsIamAccessKey.PrincipalId
- Resources{}.Details.AwsIamAccessKey.PrincipalName
- Resources{}.Details.AwsIamAccessKey.PrincipalType
- Resources{}.Details.AwsS3Bucket.CreatedAt
- Resources{}.Details.AwsS3Bucket.OwnerId
- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
- Resources{}.Id
- Resources{}.Partition
- Resources{}.Region
- Resources{}.Tags.GeneratedFindingInstaceTag1
- Resources{}.Tags.GeneratedFindingInstaceTag2
- Resources{}.Tags.GeneratedFindingInstaceTag3
- Resources{}.Tags.GeneratedFindingInstaceTag4
- Resources{}.Tags.GeneratedFindingInstaceTag5
- Resources{}.Tags.GeneratedFindingInstaceTag6
- Resources{}.Tags.GeneratedFindingInstaceTag7
- Resources{}.Tags.GeneratedFindingInstaceTag8
- Resources{}.Tags.GeneratedFindingInstaceTag9
- Resources{}.Tags.foo
- Resources{}.Type
- SchemaVersion
- Severity.Label
- Severity.Normalized
- Severity.Product
- SourceUrl
- Title
- Types{}
- UpdatedAt
- Workflow.Status
- WorkflowState
- accesskey_extract
- app
- body
- description
- dest
- dest_type
- eventtype
- host
- id
- index
- instance_extract
- linecount
- punct
- s3bucket_extract
- severity
- severity_id
- signature
- signature_id
- source
- sourcetype
- splunk_server
- subject
- tag
- tag::eventtype
- timestamp
- type
- vendor_account
- vendor_region
example_log: '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal
GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in
an unusual way.","SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317","FirstObservedAt":"2020-09-28T22:26:15.636Z","CreatedAt":"2020-09-28T22:26:15.636Z","RecordState":"ACTIVE","Title":"Unusual
reads of objects in S3 bucket GeneratedFindingS3Bucket.","Workflow":{"Status":"NEW"},"LastObservedAt":"2020-09-28T22:26:15.636Z","Severity":{"Normalized":20,"Label":"LOW","Product":2},"UpdatedAt":"2020-09-28T22:26:15.636Z","WorkflowState":"NEW","ProductFields":{"aws/guardduty/service/archived":"false","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg":"GeneratedFindingASNOrg","aws/guardduty/service/additionalInfo/unusual/userNames.0_":"GeneratedFindingUserName","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org":"GeneratedFindingORG","aws/guardduty/service/resourceRole":"TARGET","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp":"GeneratedFindingISP","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat":"0","aws/guardduty/service/count":"1","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4":"198.51.100.0","aws/guardduty/service/additionalInfo/sample":"true","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName":"GeneratedFindingCountryName","aws/guardduty/service/action/awsApiCallAction/callerType":"Remote
IP","aws/guardduty/service/action/awsApiCallAction/serviceName":"GeneratedFindingAPIServiceName","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName":"GeneratedFindingCityName","aws/guardduty/service/action/awsApiCallAction/api":"GeneratedFindingAPIName","aws/guardduty/service/serviceName":"guardduty","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon":"0","aws/guardduty/service/detectorId":"48ba636359b884eb132865311fdeb317","aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn":"-1","aws/guardduty/service/eventFirstSeen":"2020-09-28T22:26:15.636Z","aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket":"GeneratedFindingS3Bucket","aws/guardduty/service/eventLastSeen":"2020-09-28T22:26:15.636Z","aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_":"1513609200000","aws/guardduty/service/action/actionType":"AWS_API_CALL","aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317/finding/6aba6b696aea10606e8b336f68d98819","aws/securityhub/ProductName":"GuardDuty","aws/securityhub/CompanyName":"Amazon"},"AwsAccountId":"802684071507","Id":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317/finding/6aba6b696aea10606e8b336f68d98819","Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"Type":"m3.xlarge","VpcId":"GeneratedFindingVPCId","ImageId":"ami-99999999","IpV4Addresses":["10.0.0.1","198.51.100.0"],"SubnetId":"GeneratedFindingSubnetId","LaunchedAt":"2016-08-02T02:05:06Z","IamInstanceProfileArn":"arn:aws:iam::802684071507:example/instance/profile"}},"Region":"us-east-1","Id":"arn:aws:ec2:us-east-1:802684071507:instance/i-99999999","Tags":{"GeneratedFindingInstaceTag7":"GeneratedFindingInstaceTagValue7","GeneratedFindingInstaceTag8":"GeneratedFindingInstaceTagValue8","GeneratedFindingInstaceTag9":"GeneratedFindingInstaceTagValue9","GeneratedFindingInstaceTag1":"GeneratedFindingInstaceValue1","GeneratedFindingInstaceTag2":"GeneratedFindingInstaceTagValue2","GeneratedFindingInstaceTag3":"GeneratedFindingInstaceTagValue3","GeneratedFindingInstaceTag4":"GeneratedFindingInstaceTagValue4","GeneratedFindingInstaceTag5":"GeneratedFindingInstaceTagValue5","GeneratedFindingInstaceTag6":"GeneratedFindingInstaceTagValue6"}},{"Partition":"aws","Type":"AwsIamAccessKey","Details":{"AwsIamAccessKey":{"PrincipalId":"GeneratedFindingPrincipalId","PrincipalName":"GeneratedFindingUserName","PrincipalType":"IAMUser"}},"Region":"us-east-1","Id":"AWS::IAM::AccessKey:GeneratedFindingAccessKeyId"},{"Partition":"aws","Type":"AwsS3Bucket","Details":{"AwsS3Bucket":{"OwnerId":"CanonicalId
of Owner","CreatedAt":"2017-12-18T15:58:11.551Z","ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"SSEAlgorithm","KMSMasterKeyID":"arn:aws:kms:region:123456789012:key/key-id"}}]}}},"Region":"us-east-1","Id":"arn:aws:s3:::bucketName","Tags":{"foo":"bar"}}]}'