diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index 31c28a88a877..93fc322f3df4 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.26.0"
+ changes:
+ - description: Improve support for CDR in securityhub_findings data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11158
 - version: "2.25.0"
 changes:
 - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log
index c45ba72f1355..8a5e52294b83 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log
@@ -1,4 +1,15 @@ {"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common 
Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"IPV4_ADDRESS","Value":"175.16.199.1","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a 
vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the 
mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and 
toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"HASH_MD5","Value":"ae2b1fca515949e5d54fb22b8ed95575","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on 
Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.","Compliance":{"Status":"FAILED"},"ProductName":"Security Hub","FirstObservedAt":"2022-06-02T16:14:34.949Z","CreatedAt":"2022-06-02T16:14:34.949Z","LastObservedAt":"2022-06-17T08:43:26.724Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":70,"Label":"HIGH","Product":70,"Original":"HIGH"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.8","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"xxx","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Workflow":{"Status":"NEW"},"Severity":{"Normalized":70,"Label":"HIGH","Product":70,"Original":"HIGH"},"UpdatedAt":"2022-06-17T08:43:26.731Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxxx","Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"KeyName":"xxx","VpcId":"xxx","NetworkInterfaces":[{"NetworkInterfaceId":"xxx"}],"ImageId":"xxx","SubnetId":"xxx","LaunchedAt":"2022-06-02T16:11:39.000Z","IamInstanceProfileArn":"xxx"}},"Region":"us-east-1","Id":"xxx"}] } -{"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This AWS control checks whether the EBS volumes that are in an attached state are 
encrypted.","Compliance":{"Status":"NOT_AVAILABLE","StatusReasons":[{"Description":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","ReasonCode":"CONFIG_RETURNS_NOT_APPLICABLE"}]},"ProductName":"Security Hub","FirstObservedAt":"2022-06-17T10:25:14.800Z","CreatedAt":"2022-06-17T10:25:14.800Z","LastObservedAt":"2022-06-17T10:25:18.568Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.3","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.3 Attached EBS volumes should be encrypted at-rest","Workflow":{"Status":"NEW"},"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"},"UpdatedAt":"2022-06-17T10:25:14.800Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxx","Resources":[{"Partition":"aws","Type":"AwsEc2Volume","Region":"us-east-1","Id":"xxx"}] } \ No newline at end of file +{"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","Compliance":{"Status":"NOT_AVAILABLE","StatusReasons":[{"Description":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","ReasonCode":"CONFIG_RETURNS_NOT_APPLICABLE"}]},"ProductName":"Security Hub","FirstObservedAt":"2022-06-17T10:25:14.800Z","CreatedAt":"2022-06-17T10:25:14.800Z","LastObservedAt":"2022-06-17T10:25:18.568Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.3","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.3 Attached EBS volumes should be encrypted at-rest","Workflow":{"Status":"NEW"},"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"},"UpdatedAt":"2022-06-17T10:25:14.800Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxx","Resources":[{"Partition":"aws","Type":"AwsEc2Volume","Region":"us-east-1","Id":"xxx"}] } +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-10T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","LastObservedAt":"2024-09-11T08:00:01.828Z","ProcessedAt":"2024-09-11T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","LaunchedAt":"2024-09-10T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 SC-12(2)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 SI-7(6)","NIST.800-53.r5 
AU-9"],"SecurityControlId":"S3.17","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:37.338Z","Description":"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:37.338Z","GeneratorId":"security-control/S3.17","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","LastObservedAt":"2024-09-13T22:50:29.249Z","ProcessedAt":"2024-09-13T22:50:30.870Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-s3-default-encryption-kms-3a38fc59","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:s3:::s3-test-public-bucket","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Amazon S3 bucket is not encrypted with AWS KMS key."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation"}},"Resources":[{"Details":{"AwsS3Bucket":{"CreatedAt":"2024-08-14T09:32:06.000Z","Name":"s3-test-public-bucket","OwnerId":"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46"}},"Id":"arn:aws:s3:::s3-test-public-bucket","Partition":"aws","Region":"ap-south-1","Type":"AwsS3Bucket"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"S3 general purpose buckets should be encrypted at rest with AWS KMS keys","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:13.008Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.2"],"SecurityControlId":"EC2.53","Status":"PASSED"},"CreatedAt":"2024-09-10T11:03:33.389Z","Description":"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T11:03:33.389Z","GeneratorId":"security-control/EC2.53","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","LastObservedAt":"2024-09-11T08:00:06.960Z","ProcessedAt":"2024-09-11T08:00:08.685Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-vpc-sg-port-restriction-check-8bef9db4","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation"}},"Resources":[{"Details":{"AwsEc2SecurityGroup":{"GroupId":"sg-0dbc8c6200a0a9c51","GroupName":"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279","IpPermissionsEgress":[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}],"OwnerId":"111111111111","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51","Partition":"aws","Region":"ap-south-1","Tags":{"aws:cloudformation:logical-id":"ElasticAgentSecurityGroup","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2SecurityGroup"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.364Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 SI-7(6)"],"SecurityControlId":"EC2.3","Status":"FAILED"},"CreatedAt":"2024-09-10T16:51:26.034Z","Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory 
Standards"]},"FirstObservedAt":"2024-09-10T16:50:59.623Z","GeneratorId":"security-control/EC2.3","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","LastObservedAt":"2024-09-10T16:50:59.623Z","ProcessedAt":"2024-09-10T16:51:39.864Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-encrypted-volumes-4e81c587","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation"}},"Resources":[{"Details":{"AwsEc2Volume":{"Attachments":[{"AttachTime":"2024-09-10T10:39:36.000Z","DeleteOnTermination":true,"InstanceId":"i-0f1ede89308a584d8","Status":"attached"}],"CreateTime":"2024-09-10T10:39:36.313Z","Encrypted":false,"Size":32,"SnapshotId":"snap-07cb2350b59fa5cce","Status":"in-use"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Volume"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"Attached EBS volumes should be encrypted at-rest","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-10T16:51:26.034Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"},{"StandardsId":"standards/pci-dss/v/3.2.1"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v1.2.0/1.16"],"SecurityControlId":"IAM.2","Status":"FAILED"},"CreatedAt":"2024-09-10T12:40:36.785Z","Description":"This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T12:40:36.785Z","GeneratorId":"security-control/SSM.1","Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-user-no-policies-check-832bb806","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsIamUser","Details":{"AwsIamUser":{"Path":"/developers/","AttachedManagedPolicies":[{"PolicyArn":"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess","PolicyName":"AWSSecurityHubFullAccess"}],"UserName":"Dev UserName","GroupList":["DevUsers"],"UserId":"DevUserId","CreateDate":"2023-01-10T01:07:37.000Z"}},"Region":"ap-south-1","Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"IAM users should not have IAM policies attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"EKS.1","Status":"FAILED"},"CreatedAt":"2024-09-11T12:40:36.785Z","Description":"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.","FindingProviderFields":{"Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-11T12:40:36.785Z","GeneratorId":"security-control/EKS.1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-eks-endpoint-no-public-access-2dc35c63","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Cluster Endpoint of democluster is Publicly accessible"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsEksCluster","Details":{"AwsEksCluster":{"Version":"1.27","Arn":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","ResourcesVpcConfig":{"EndpointPublicAccess":true,"SecurityGroupIds":["sg-111"],"SubnetIds":["subnet-aaa","subnet-bbb"]},"RoleArn":"arn:aws:iam::111111111111:role/EKSClusterRole","Name":"democluster"}},"Region":"ap-south-1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","Tags":{"environment":"dev","managed_by":"terraform","project":"demo","team":"dev"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Title":"EKS cluster endpoints should not be publicly accessible","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/1.22"],"SecurityControlId":"IAM.27","Status":"PASSED","StatusReasons":[{"Description":"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.","ReasonCode":"CONFIG_EVALUATIONS_EMPTY"}]},"CreatedAt":"2024-08-14T12:11:57.803Z","Description":"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T12:11:57.803Z","GeneratorId":"security-control/IAM.27","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","LastObservedAt":"2024-09-11T07:53:19.500Z","ProcessedAt":"2024-09-11T07:53:27.460Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-policy-blacklisted-check-0ab52b49","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:root","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation"}},"Resources":[{"Id":"AWS::::Account:111111111111","Partition":"aws","Region":"ap-south-1","Type":"AwsAccount"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"IAM identities should not have the AWSCloudShellFullAccess policy attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:53:19.500Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-resource-tagging-standard/v/1.0.0"}],"SecurityControlId":"EC2.44","SecurityControlParameters":[{"Name":"requiredTagKeys","Value":[]}],"Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"}},"Resources":[{"Details":{"AwsEc2Subnet":{"AssignIpv6AddressOnCreation":false,"AvailabilityZone":"ap-south-1c","AvailabilityZoneId":"aps1-az2","AvailableIpAddressCount":4091,"CidrBlock":"171.32.32.0/20","DefaultForAz":true,"MapPublicIpOnLaunch":true,"OwnerId":"111111111111","State":"available","SubnetArn":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9","SubnetId":"subnet-c19c74b9","VpcId":"vpc-39017152"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Subnet"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}},{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-18T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e","Tags":{"kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-20T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-20T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe","LastObservedAt":"2024-09-21T08:00:01.828Z","ProcessedAt":"2024-09-21T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For 
information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","IpV4Addresses":["89.160.20.156","89.160.20.157"],"IpV6Addresses":["2a02:cf40::"],"LaunchedAt":"2024-09-20T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-21T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} \ No newline at end of file 
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
index 43af1b05bc30..207bd67cbe4e 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2017-03-22T13:22:13.933Z",
+ "@timestamp": "2018-08-31T00:15:09.000Z",
 "aws": {
 "securityhub_findings": {
 "action": {
@@ -357,7 +357,13 @@
 "cloud": {
 "account": {
 "id": "111111111111"
- }
+ },
+ "instance": {
+ "id": "i-cafebabe",
+ "name": "i-cafebabe"
+ },
+ "provider": "aws",
+ "region": "us-east-1"
 },
 "destination": {
 "domain": "example2.com",
@@ -372,17 +378,27 @@
 },
 "event": {
 "action": "port_probe",
+ "category": [
+ "configuration"
+ ],
 "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
- "kind": "event",
+ "kind": "state",
 "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}",
+ "outcome": "success",
 "type": [
 "info"
 ]
 },
+ "host": {
+ "id": "i-cafebabe"
+ },
 "network": {
 "direction": "inbound",
 "protocol": "tcp"
 },
+ "observer": {
+ "vendor": "AWS Security Hub"
+ },
 "organization": {
 "name": "AWS"
 },
@@ -402,6 +418,26 @@
 "2a02:cf40::"
 ]
 },
+ "resource": {
+ "id": "i-cafebabe",
+ "name": "i-cafebabe",
+ "type": "AwsEc2Instance"
+ },
+ "result": {
+ "evaluation": "passed"
+ },
+ "rule": {
+ "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.",
+ "id": "acme-vuln-9ab348",
+ "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up",
+ "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html",
+ "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html",
+ "remediation": "Run sudo yum update and cross your fingers and toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html",
+ "ruleset": [
+ "Req1",
+ "Req2"
+ ]
+ },
 "source": {
 "domain": "example1.com",
 "ip": [
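Review bot: The `rule` object added in the `@@ -402` hunk carries the same URL under both `rule.reference` and `rule.references`; `rule.reference` is the ECS field and `rule.references` is not, so the second key only duplicates the value and looks like a leftover in the pipeline that produced this expected output (the fix belongs in the securityhub_findings ingest pipeline, not in this generated file). `rule.remediation` joins the recommendation text and URL with a literal `\r\n`, which puts a carriage return into what is presumably a keyword value; a single separator such as `"remediation": "Run sudo yum update and cross your fingers and toes. http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"` would be cleaner for search and display. In the `cloud` hunk (`@@ -357`, and its twin at `@@ -800`) `cloud.region` is `us-east-1`, the finding-level `Region`, while the resource whose id fills `cloud.instance.id` is recorded in `event.original` with `Region: us-west-2`; if `cloud.*` is meant to describe that instance, the resource-level region is probably the intended source, worth confirming against the pipeline.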
@@ -444,7 +480,7 @@
 }
 },
 {
- "@timestamp": "2017-03-22T13:22:13.933Z",
+ "@timestamp": "2018-08-31T00:15:09.000Z",
 "aws": {
 "securityhub_findings": {
 "action": {
@@ -800,7 +836,13 @@
 "cloud": {
 "account": {
 "id": "111111111111"
- }
+ },
+ "instance": {
+ "id": "i-cafebabe",
+ "name": "i-cafebabe"
+ },
+ "provider": "aws",
+ "region": "us-east-1"
 },
 "destination": {
 "domain": "example2.com",
@@ -815,17 +857,27 @@ }, "event": { "action": "port_probe", + "category": [ + "configuration" + ], "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", - "kind": "event", + "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"HASH_MD5\",\"Value\":\"ae2b1fca515949e5d54fb22b8ed95575\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", "type": [ "info" ] }, + "host": { + "id": "i-cafebabe" + }, "network": { "direction": "inbound", "protocol": "tcp" }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, @@ -845,6 +897,26 @@ "2a02:cf40::" ] }, + "resource": { + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "id": "acme-vuln-9ab348", + "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "ruleset": [ + "Req1", + "Req2" + ] + }, "source": { "domain": "example1.com", "ip": [ 
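Review bot: `event.category` is `["configuration"]` and `event.kind` is `state` for a finding that, besides its CVE `Types` entry, carries a `PORT_PROBE` action, a `Malware` entry, `ThreatIntelIndicators` and `Threats`; since every sample in this diff receives the same pair, the values look unconditional, and findings whose `Types` start with `TTPs/`, `Effects/` or `Unusual Behaviors/` would then be filed as configuration state rather than as alerts, invisible to detection queries on `event.kind: alert` or `event.category: intrusion_detection`/`malware`. Consider deriving the category from the first `Types` entry (`Software and Configuration Checks/…` → `configuration`, `TTPs/…` → `intrusion_detection`, `Effects/…` → `malware` or `intrusion_detection` as appropriate) and setting `event.kind: alert` when the finding is not a configuration check, keeping `state` for compliance controls. This sample is synthetic, so the mixed content may be a fixture artifact; the mapping itself lives in the pipeline outside this diff.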
@@ -898,7 +970,7 @@ } }, { - "@timestamp": "2022-06-02T16:14:34.949Z", + "@timestamp": "2022-06-17T08:43:26.731Z", "aws": { "securityhub_findings": { "aws_account_id": "xxx", 
@@ -998,22 +1070,55 @@ "cloud": { "account": { "id": "xxx" - } + }, + "instance": { + "id": "xxx", + "name": "xxx" + }, + "provider": "aws", + "region": "us-east-1" }, "ecs": { "version": "8.11.0" }, "event": { + "category": [ + "configuration" + ], "id": "xxxx", - "kind": "event", + "kind": "state", "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.\",\"Compliance\":{\"Status\":\"FAILED\"},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-02T16:14:34.949Z\",\"CreatedAt\":\"2022-06-02T16:14:34.949Z\",\"LastObservedAt\":\"2022-06-17T08:43:26.724Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.8\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"xxx\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.8 EC2 instances should use 
Instance Metadata Service Version 2 (IMDSv2)\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"},\"UpdatedAt\":\"2022-06-17T08:43:26.731Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Instance\",\"Details\":{\"AwsEc2Instance\":{\"KeyName\":\"xxx\",\"VpcId\":\"xxx\",\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"xxx\"}],\"ImageId\":\"xxx\",\"SubnetId\":\"xxx\",\"LaunchedAt\":\"2022-06-02T16:11:39.000Z\",\"IamInstanceProfileArn\":\"xxx\"}},\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", + "outcome": "failure", + "severity": 70, "type": [ "info" ] }, + "host": { + "id": "xxx" + }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, + "resource": { + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "xxx", + "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://example.com/", + "references": "https://example.com/", + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" 
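Review bot: `cloud.instance.name` and `resource.name` are a copy of the resource id (`xxx` here), and in the 2024-09-11 sample later in this file the same derivation yields the ARN tail `instance/i-0e2ede89308a594d7` even though that finding carries `Resources[0].Tags.Name` = `elastic-agent-instance-…`, so the `Name` tag appears to be ignored. Prefer `Resources[0].Tags.Name` when present and fall back to the id (or its last ARN segment) only otherwise, so these fields carry the operator-assigned name instead of duplicating `cloud.instance.id`/`resource.id`. The derivation is in the ingest pipeline, not in this expectation file, so this is a request to adjust the pipeline and regenerate.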
@@ -1112,22 +1217,1918 @@ "cloud": { "account": { "id": "xxx" - } + }, + "provider": "aws", + "region": "us-east-1" }, "ecs": { "version": "8.11.0" }, "event": { + "category": [ + "configuration" + ], "id": "xxx", - "kind": "event", + "kind": "state", "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"Compliance\":{\"Status\":\"NOT_AVAILABLE\",\"StatusReasons\":[{\"Description\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"ReasonCode\":\"CONFIG_RETURNS_NOT_APPLICABLE\"}]},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-17T10:25:14.800Z\",\"CreatedAt\":\"2022-06-17T10:25:14.800Z\",\"LastObservedAt\":\"2022-06-17T10:25:18.568Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.3\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/annotation\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.3 Attached EBS volumes should be encrypted at-rest\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"},\"UpdatedAt\":\"2022-06-17T10:25:14.800Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Volume\",\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", + "outcome": "unknown", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Volume" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "id": "xxx", + "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", + "reference": "https://example.com/", + "references": "https://example.com/", + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-11T07:59:56.087Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + 
"NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ], + "security_control_id": "EC2.8", + "status": "PASSED" + }, + "created_at": "2024-09-10T10:40:32.189Z", + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "first_observed_at": "2024-09-10T10:40:32.189Z", + "generator": { + "id": "security-control/EC2.8" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "last_observed_at": "2024-09-11T08:00:01.828Z", + "processed_at": "2024-09-11T08:00:03.516Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-ec2-imdsv2-check-29027890", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation" + } + }, + 
"resources": [ + { + "Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279", + "ImageId": "ami-04dffe071c46cddd4", + "LaunchedAt": "2024-09-10T10:39:35.000Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required", + "InstanceMetadataTags": "disabled" + }, + "Monitoring": { + "State": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-0de300eee88c5c7fd" + } + ], + "SubnetId": "subnet-5d15a111", + "VirtualizationType": "hvm", + "VpcId": "vpc-39017251" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "Name": "elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279", + "Task": "Cloud Security Posture Management Scanner", + "aws:cloudformation:logical-id": "ElasticAgentEc2Instance", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:59:56.087Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "instance/i-0e2ede89308a594d7" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { 
+ "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T08:00:03.516Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"LastObservedAt\":\"2024-09-11T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-11T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"LaunchedAt\":\"2024-09-10T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, "type": [ "info" ] }, + "host": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + 
"name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "instance/i-0e2ede89308a594d7", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "security-control/EC2.8", + "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:13.008Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "NIST.800-53.r5 SC-12(2)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 SI-7(6)", + "NIST.800-53.r5 AU-9" + ], + "security_control_id": "S3.17", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:37.338Z", + "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). 
The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "first_observed_at": "2024-08-14T10:14:37.338Z", + "generator": { + "id": "security-control/S3.17" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "last_observed_at": "2024-09-13T22:50:29.249Z", + "processed_at": "2024-09-13T22:50:30.870Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-s3-default-encryption-kms-3a38fc59", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:s3:::s3-test-public-bucket", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "Amazon S3 bucket is not encrypted with AWS KMS key." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsS3Bucket": { + "CreatedAt": "2024-08-14T09:32:06.000Z", + "Name": "s3-test-public-bucket", + "OwnerId": "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" + } + }, + "Id": "arn:aws:s3:::s3-test-public-bucket", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsS3Bucket" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "title": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:13.008Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "s3" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:30.870Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 
SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"],\"SecurityControlId\":\"S3.17\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:37.338Z\",\"Description\":\"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:37.338Z\",\"GeneratorId\":\"security-control/S3.17\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"LastObservedAt\":\"2024-09-13T22:50:29.249Z\",\"ProcessedAt\":\"2024-09-13T22:50:30.870Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-s3-default-encryption-kms-3a38fc59\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Amazon S3 bucket is not encrypted with AWS KMS key.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation\"}},\"Resources\":[{\"Details\":{\"AwsS3Bucket\":{\"CreatedAt\":\"2024-08-14T09:32:06.000Z\",\"Name\":\"s3-test-public-bucket\",\"OwnerId\":\"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46\"}},\"Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsS3Bucket\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"S3 general purpose buckets should be encrypted at rest with AWS KMS keys\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:13.008Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, + "resource": { + "id": "arn:aws:s3:::s3-test-public-bucket", + "name": "s3-test-public-bucket", + "type": "AwsS3Bucket" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). 
The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "id": "security-control/S3.17", + "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", + "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "ruleset": [ + "NIST.800-53.r5 SC-12(2)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 SI-7(6)", + "NIST.800-53.r5 AU-9" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" + } + }, + { + "@timestamp": "2024-09-11T07:59:56.364Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.2" + ], + "security_control_id": "EC2.53", + "status": "PASSED" + }, + "created_at": "2024-09-10T11:03:33.389Z", + "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "first_observed_at": "2024-09-10T11:03:33.389Z", + "generator": { + "id": "security-control/EC2.53" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "last_observed_at": "2024-09-11T08:00:06.960Z", + "processed_at": "2024-09-11T08:00:08.685Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-vpc-sg-port-restriction-check-8bef9db4", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2SecurityGroup": { + "GroupId": "sg-0dbc8c6200a0a9c51", + "GroupName": "elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279", + "IpPermissionsEgress": [ + { + "IpProtocol": "-1", + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ] + } + ], + "OwnerId": "111111111111", + "VpcId": "vpc-39017251" + } + }, + "Id": 
"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "aws:cloudformation:logical-id": "ElasticAgentSecurityGroup", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2SecurityGroup" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:59:56.364Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T08:00:08.685Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.2\"],\"SecurityControlId\":\"EC2.53\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T11:03:33.389Z\",\"Description\":\"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T11:03:33.389Z\",\"GeneratorId\":\"security-control/EC2.53\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"LastObservedAt\":\"2024-09-11T08:00:06.960Z\",\"ProcessedAt\":\"2024-09-11T08:00:08.685Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-vpc-sg-port-restriction-check-8bef9db4\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupId\":\"sg-0dbc8c6200a0a9c51\",\"GroupName\":\"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279\",\"IpPermissionsEgress\":[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}],\"OwnerId\":\"111111111111\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"aws:cloudformation:logical-id\":\"ElasticAgentSecurityGroup\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2SecurityGroup\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.364Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "name": "security-group/sg-0dbc9c6210a0a9c51", + "type": "AwsEc2SecurityGroup" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "id": "security-control/EC2.53", + "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.2" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-10T16:51:26.034Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 SI-7(6)" + ], + "security_control_id": "EC2.3", + "status": "FAILED" + }, + "created_at": "2024-09-10T16:51:26.034Z", + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "first_observed_at": "2024-09-10T16:50:59.623Z", + "generator": { + "id": "security-control/EC2.3" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "last_observed_at": "2024-09-10T16:50:59.623Z", + "processed_at": "2024-09-10T16:51:39.864Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-encrypted-volumes-4e81c587", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": 
"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Volume": { + "Attachments": [ + { + "AttachTime": "2024-09-10T10:39:36.000Z", + "DeleteOnTermination": true, + "InstanceId": "i-0f1ede89308a584d8", + "Status": "attached" + } + ], + "CreateTime": "2024-09-10T10:39:36.313Z", + "Encrypted": false, + "Size": 32, + "SnapshotId": "snap-07cb2350b59fa5cce", + "Status": "in-use" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsEc2Volume" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "title": "Attached EBS volumes should be encrypted at-rest", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-10T16:51:26.034Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, 
+ "event": { + "category": [ + "configuration" + ], + "created": "2024-09-10T16:51:39.864Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 SI-7(6)\"],\"SecurityControlId\":\"EC2.3\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T16:51:26.034Z\",\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"]},\"FirstObservedAt\":\"2024-09-10T16:50:59.623Z\",\"GeneratorId\":\"security-control/EC2.3\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"LastObservedAt\":\"2024-09-10T16:50:59.623Z\",\"ProcessedAt\":\"2024-09-10T16:51:39.864Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-encrypted-volumes-4e81c587\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Volume\":{\"Attachments\":[{\"AttachTime\":\"2024-09-10T10:39:36.000Z\",\"DeleteOnTermination\":true,\"InstanceId\":\"i-0f1ede89308a584d8\",\"Status\":\"attached\"}],\"CreateTime\":\"2024-09-10T10:39:36.313Z\",\"Encrypted\":false,\"Size\":32,\"SnapshotId\":\"snap-07cb2350b59fa5cce\",\"Status\":\"in-use\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Volume\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"Attached EBS volumes should be encrypted at-rest\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"],\"UpdatedAt\":\"2024-09-10T16:51:26.034Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "name": "volume/vol-03821fa7de881617e", + "type": "AwsEc2Volume" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "id": "security-control/EC2.3", + "name": "Attached EBS volumes should be encrypted at-rest", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "ruleset": [ + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 SI-7(6)" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-15T16:48:45.279Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v1.2.0/1.16" + ], + "security_control_id": "IAM.2", + "status": "FAILED" + }, + "created_at": "2024-09-10T12:40:36.785Z", + "description": "This AWS control checks that none of your IAM users have policies attached. 
Instead, IAM users must inherit permissions from IAM groups or roles.", + "first_observed_at": "2024-09-10T12:40:36.785Z", + "generator": { + "id": "security-control/SSM.1" + }, + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "last_observed_at": "2024-09-15T16:48:57.829Z", + "processed_at": "2024-09-15T16:48:59.493Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-iam-user-no-policies-check-832bb806", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsIamUser": { + "AttachedManagedPolicies": [ + { + "PolicyArn": "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess", + "PolicyName": "AWSSecurityHubFullAccess" + } + ], + "CreateDate": "2023-01-10T01:07:37.000Z", + "GroupList": [ + "DevUsers" + ], + "Path": "/developers/", + "UserId": "DevUserId", + "UserName": "Dev UserName" + } + }, + "Id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsIamUser" + } + 
], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "IAM users should not have IAM policies attached", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-15T16:48:45.279Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "iam" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-15T16:48:59.493Z", + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"},{\"StandardsId\":\"standards/pci-dss/v/3.2.1\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v1.2.0/1.16\"],\"SecurityControlId\":\"IAM.2\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T12:40:36.785Z\",\"Description\":\"This AWS control checks that none of your IAM users have policies attached. 
Instead, IAM users must inherit permissions from IAM groups or roles.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T12:40:36.785Z\",\"GeneratorId\":\"security-control/SSM.1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-user-no-policies-check-832bb806\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsIamUser\",\"Details\":{\"AwsIamUser\":{\"Path\":\"/developers/\",\"AttachedManagedPolicies\":[{\"PolicyArn\":\"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess\",\"PolicyName\":\"AWSSecurityHubFullAccess\"}],\"UserName\":\"Dev 
UserName\",\"GroupList\":[\"DevUsers\"],\"UserId\":\"DevUserId\",\"CreateDate\":\"2023-01-10T01:07:37.000Z\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"IAM users should not have IAM policies attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "name": "user/developers/devuser@dev.dev", + "type": "AwsIamUser" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks that none of your IAM users have policies attached. 
Instead, IAM users must inherit permissions from IAM groups or roles.", + "id": "security-control/SSM.1", + "name": "IAM users should not have IAM policies attached", + "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v1.2.0/1.16" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "DevUserId", + "name": "Dev UserName" + } + }, + { + "@timestamp": "2024-09-15T16:48:45.279Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "EKS.1", + "status": "FAILED" + }, + "created_at": "2024-09-11T12:40:36.785Z", + "description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.", + "first_observed_at": "2024-09-11T12:40:36.785Z", + "generator": { + "id": "security-control/EKS.1" + }, + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "last_observed_at": "2024-09-15T16:48:57.829Z", + "processed_at": "2024-09-15T16:48:59.493Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-eks-endpoint-no-public-access-2dc35c63", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "Cluster Endpoint of democluster is Publicly accessible" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEksCluster": { + "Arn": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "Name": "democluster", + "ResourcesVpcConfig": { + "EndpointPublicAccess": true, + "SecurityGroupIds": [ + "sg-111" + ], + "SubnetIds": [ + "subnet-aaa", + "subnet-bbb" + ] + }, + "RoleArn": "arn:aws:iam::111111111111:role/EKSClusterRole", + "Version": "1.27" + } + }, + "Id": 
"arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "environment": "dev", + "managed_by": "terraform", + "project": "demo", + "team": "dev" + }, + "Type": "AwsEksCluster" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH" + }, + "title": "EKS cluster endpoints should not be publicly accessible", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-15T16:48:45.279Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "eks" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-15T16:48:59.493Z", + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"EKS.1\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-11T12:40:36.785Z\",\"Description\":\"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-11T12:40:36.785Z\",\"GeneratorId\":\"security-control/EKS.1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-eks-endpoint-no-public-access-2dc35c63\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Cluster Endpoint of democluster is Publicly accessible\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEksCluster\",\"Details\":{\"AwsEksCluster\":{\"Version\":\"1.27\",\"Arn\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"ResourcesVpcConfig\":{\"EndpointPublicAccess\":true,\"SecurityGroupIds\":[\"sg-111\"],\"SubnetIds\":[\"subnet-aaa\",\"subnet-bbb\"]},\"RoleArn\":\"arn:aws:iam::111111111111:role/EKSClusterRole\",\"Name\":\"democluster\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"Tags\":{\"environment\":\"dev\",\"managed_by\":\"terraform\",\"project\":\"demo\",\"team\":\"dev\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Title\":\"EKS cluster endpoints should not be publicly accessible\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 70, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "version": "1.27" + }, + "resource": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" + }, + "type": "kubernetes" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.", + "id": "security-control/EKS.1", + "name": "EKS cluster endpoints should not be publicly accessible", + "reference": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-11T07:53:19.500Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/1.22" + ], + "security_control_id": "IAM.27", + "status": "PASSED", + "status_reasons": [ + { + "description": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.", + "reason_code": "CONFIG_EVALUATIONS_EMPTY" + } + ] + }, + "created_at": "2024-08-14T12:11:57.803Z", + "description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.", + "first_observed_at": "2024-08-14T12:11:57.803Z", + "generator": { + "id": "security-control/IAM.27" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "last_observed_at": "2024-09-11T07:53:19.500Z", + "processed_at": "2024-09-11T07:53:27.460Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-iam-policy-blacklisted-check-0ab52b49", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:iam::111111111111:root", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation" + } + }, + "resources": [ + { + "Id": "AWS::::Account:111111111111", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsAccount" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:53:19.500Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T07:53:27.460Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/1.22\"],\"SecurityControlId\":\"IAM.27\",\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\",\"ReasonCode\":\"CONFIG_EVALUATIONS_EMPTY\"}]},\"CreatedAt\":\"2024-08-14T12:11:57.803Z\",\"Description\":\"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T12:11:57.803Z\",\"GeneratorId\":\"security-control/IAM.27\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"LastObservedAt\":\"2024-09-11T07:53:19.500Z\",\"ProcessedAt\":\"2024-09-11T07:53:27.460Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-policy-blacklisted-check-0ab52b49\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:root\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation\"}},\"Resources\":[{\"Id\":\"AWS::::Account:111111111111\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsAccount\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"IAM identities should not have the AWSCloudShellFullAccess policy attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:53:19.500Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "AWS::::Account:111111111111", + "name": "111111111111", + "type": "AwsAccount" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.", + "id": "security-control/IAM.27", + "name": "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/1.22" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "EC2.44", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Subnet": { + "AssignIpv6AddressOnCreation": false, + "AvailabilityZone": "ap-south-1c", + "AvailabilityZoneId": "aps1-az2", + "AvailableIpAddressCount": 4091, + "CidrBlock": "171.32.32.0/20", + "DefaultForAz": true, + "MapPublicIpOnLaunch": true, + "OwnerId": "111111111111", + "State": "available", + "SubnetArn": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9", + "SubnetId": "subnet-c19c74b9", + "VpcId": "vpc-39017152" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsEc2Subnet" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "ap-south-1c", + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "kind": "state", + 
"original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-resource-tagging-standard/v/1.0.0\"}],\"SecurityControlId\":\"EC2.44\",\"SecurityControlParameters\":[{\"Name\":\"requiredTagKeys\",\"Value\":[]}],\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"aws/securityhub/ProductName\":\"Security 
Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Subnet\":{\"AssignIpv6AddressOnCreation\":false,\"AvailabilityZone\":\"ap-south-1c\",\"AvailabilityZoneId\":\"aps1-az2\",\"AvailableIpAddressCount\":4091,\"CidrBlock\":\"171.32.32.0/20\",\"DefaultForAz\":true,\"MapPublicIpOnLaunch\":true,\"OwnerId\":\"111111111111\",\"State\":\"available\",\"SubnetArn\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9\",\"SubnetId\":\"subnet-c19c74b9\",\"VpcId\":\"vpc-39017152\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Subnet\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "name": "subnet/subnet-c28c74b9", + "type": "AwsEc2Subnet" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. 
If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "ELB.6", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-17T21:35:20.303Z", + "DNSName": "a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned", + "kubernetes.io/service-name": "default/traefik" + }, + "Type": "AwsElbv2LoadBalancer" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "ap-south-1a", + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "elasticloadbalancing" + } + }, + 
"ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "name": "loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "type": "AwsElbv2LoadBalancer" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks 
whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "ELB.6", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-17T21:35:20.303Z", + "DNSName": "a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned", + "kubernetes.io/service-name": "default/traefik" + }, + "Type": "AwsElbv2LoadBalancer" + }, + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-18T21:35:20.303Z", + "DNSName": "a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": 
"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned" + }, + "Type": "AwsElbv2LoadBalancer" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": [ + "ap-south-1b", + "ap-south-1a", + "ap-south-1b", + "ap-south-1a" + ], + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": [ + "elasticloadbalancing", + "elasticloadbalancing" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}},{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-18T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e\",\"Tags\":{\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": [ + "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e" + ], + "name": [ + "loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e" + ], + "type": [ + "AwsElbv2LoadBalancer", + "AwsElbv2LoadBalancer" + ] + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-21T07:59:56.087Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ], + "security_control_id": "EC2.8", + "status": "PASSED" + }, + "created_at": 
"2024-09-20T10:40:32.189Z", + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "first_observed_at": "2024-09-20T10:40:32.189Z", + "generator": { + "id": "security-control/EC2.8" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "last_observed_at": "2024-09-21T08:00:01.828Z", + "processed_at": "2024-09-21T08:00:03.516Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-ec2-imdsv2-check-29027890", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": 
"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279", + "ImageId": "ami-04dffe071c46cddd4", + "IpV4Addresses": [ + "89.160.20.156", + "89.160.20.157" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "LaunchedAt": "2024-09-20T10:39:35.000Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required", + "InstanceMetadataTags": "disabled" + }, + "Monitoring": { + "State": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-0de300eee88c5c7fd" + } + ], + "SubnetId": "subnet-5d15a111", + "VirtualizationType": "hvm", + "VpcId": "vpc-39017251" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "Name": "elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279", + "Task": "Cloud Security Posture Management Scanner", + "aws:cloudformation:logical-id": "ElasticAgentEc2Instance", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-21T07:59:56.087Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "name": "instance/i-0f2ede89308a594d8" + }, + "provider": "aws", + "region": 
"ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-21T08:00:03.516Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-20T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-20T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"LastObservedAt\":\"2024-09-21T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-21T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"IpV4Addresses\":[\"89.160.20.156\",\"89.160.20.157\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"LaunchedAt\":\"2024-09-20T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-21T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "id": 
"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "ip": [ + "89.160.20.156", + "89.160.20.157", + "2a02:cf40::" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "name": "instance/i-0f2ede89308a594d8", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "security-control/EC2.8", + "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ] + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 844b5524e55c..5e98f75565c3 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml 
@@ -6,10 +6,17 @@ processors: value: '8.11.0' - set: field: event.kind - value: event - - set: + value: state + - append: field: event.type - value: [info] + value: info + tag: set_event_tiype + allow_duplicates: false + - append: + field: event.category + value: configuration + tag: append_event_category + allow_duplicates: false - rename: field: message target_field: event.original @@ -26,6 +33,14 @@ processors: - json.CreatedAt target_field: _id ignore_missing: true + - set: + field: observer.vendor + value: AWS Security Hub + tag: set_observer_vendor + - set: + field: cloud.provider + value: aws + tag: set_cloud_provider - rename: field: json.Action.ActionType target_field: aws.securityhub_findings.action.type 
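Review bot: The tag on the new `event.type` append processor is misspelled, `tag: set_event_tiype`; tags are what show up in `_ingest.on_failure_processor_tag` and in simulate output, so it should read `tag: append_event_type` to match the sibling `tag: append_event_category`. The switch of `event.kind` from `event` to `state` in the same hunk is a silent change for any saved search or detection rule filtering on `event.kind: event` for this data stream, and the `fields/ecs.yml` added further down declares the field as `constant_keyword`, so the old and new values cannot coexist in one index; a short `description:` on that `set` (for example `ECS event.kind is state: a finding describes the current posture of a resource, not a discrete event`) would record why.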
@@ -463,10 +478,56 @@ processors: field: json.Compliance.RelatedRequirements target_field: aws.securityhub_findings.compliance.related_requirements ignore_missing: true + - foreach: + field: aws.securityhub_findings.compliance.related_requirements + if: ctx.aws?.securityhub_findings?.compliance?.related_requirements instanceof List + tag: foreach_compliance_related_requirements + processor: + append: + field: rule.ruleset + value: '{{{_ingest._value}}}' + tag: append_related_requirements_rule_ruleset + allow_duplicates: false - rename: field: json.Compliance.Status target_field: aws.securityhub_findings.compliance.status ignore_missing: true + - set: + field: result.evaluation + tag: set_result_evaluation_passed + value: passed + if: ctx.aws?.securityhub_findings?.compliance?.status == 'PASSED' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_failed + value: failed + if: ctx.aws?.securityhub_findings?.compliance?.status == 'FAILED' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_unknown + value: unknown + if: ctx.result?.evaluation == null + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_success + value: success + if: ctx.aws?.securityhub_findings?.compliance?.status == 'PASSED' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_failure + value: failure + if: ctx.aws?.securityhub_findings?.compliance?.status == 'FAILED' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: unknown + if: ctx.event?.outcome == null + ignore_empty_value: true - foreach: field: json.Compliance.StatusReasons processor: 
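Review bot: The `result.evaluation` / `event.outcome` mapping recognises only `PASSED` and `FAILED`; to my knowledge Security Hub also emits `WARNING` and `NOT_AVAILABLE` in `Compliance.Status`, and findings with no `Compliance` object at all (non-control findings) end up in the same `unknown` bucket as those, which is defensible but should be stated. A `description:` on the `set_result_evaluation_unknown` processor such as `WARNING, NOT_AVAILABLE and findings without Compliance.Status all map to unknown` would make the intent visible to the next maintainer. Separately, `ignore_empty_value: true` does nothing on these six `set` processors because each uses a literal `value:`; dropping it keeps the block honest about what is actually conditional (the `if:`).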
@@ -510,10 +571,22 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.UpdatedAt + if: ctx.json?.UpdatedAt != null && ctx.json.UpdatedAt != '' + target_field: aws.securityhub_findings.updated_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' - set: field: '@timestamp' - copy_from : aws.securityhub_findings.created_at - ignore_failure: true + copy_from: aws.securityhub_findings.updated_at + tag: set_timestamp + ignore_empty_value: true - convert: field: json.Criticality target_field: aws.securityhub_findings.criticality @@ -528,6 +601,11 @@ processors: field: json.Description target_field: aws.securityhub_findings.description ignore_missing: true + - set: + field: rule.description + tag: set_rule_description + copy_from: aws.securityhub_findings.description + ignore_empty_value: true - convert: field: json.FindingProviderFields.Confidence target_field: aws.securityhub_findings.provider_fields.confidence @@ -617,6 +695,21 @@ processors: field: json.GeneratorId target_field: aws.securityhub_findings.generator.id ignore_missing: true + - set: + field: rule.id + tag: set_rule_id_from_generator_id + copy_from: aws.securityhub_findings.generator.id + ignore_empty_value: true + - rename: + field: json.Compliance.SecurityControlId + target_field: aws.securityhub_findings.compliance.security_control_id + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id_from_security_control_id + copy_from: aws.securityhub_findings.compliance.security_control_id + if: ctx.rule?.id == null + ignore_empty_value: true - rename: field: json.Id target_field: aws.securityhub_findings.id 
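Review bot: `@timestamp` now comes only from `aws.securityhub_findings.updated_at` with `ignore_empty_value: true`, and the old `ignore_failure: true` copy from `created_at` is gone, so a finding whose `UpdatedAt` is missing or fails the `date` processor (which only appends to `error.message` and continues) leaves the document without `@timestamp`; unless something later in the pipeline fills it, a data stream rejects such a document at index time. A guarded fallback to `created_at` after the new `set_timestamp` keeps the previous behaviour for that case. The semantic change from created-time to updated-time also deserves a one-line comment, since existing time-based views of this data stream will shift.
```yaml
    # … unchanged: set_timestamp copying aws.securityhub_findings.updated_at …
    - set:
        field: '@timestamp'
        tag: set_timestamp_fallback_created_at
        copy_from: aws.securityhub_findings.created_at
        if: ctx['@timestamp'] == null
        ignore_empty_value: true
```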
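Review bot: In the `@@ -617,6 +695,21 @@` hunk `rule.id` is taken from `generator.id` first and from `compliance.security_control_id` only `if: ctx.rule?.id == null`; as far as I know `GeneratorId` is a required ASFF field, so the second `set` is effectively unreachable and `rule.id` will always be the generator id. If the goal is the value the new `fields.yml` entry describes as "Unique identifier of a control across standards", the order should be inverted: copy `security_control_id` in `set_rule_id_from_security_control_id` unconditionally and give `set_rule_id_from_generator_id` the `if: ctx.rule?.id == null` guard. Either way, a `description:` on the pair stating which identifier wins and why would prevent the next reader from re-deriving this.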
@@ -636,6 +729,23 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.ProcessedAt + if: ctx.json?.ProcessedAt != null && ctx.json.ProcessedAt != '' + target_field: aws.securityhub_findings.processed_at + tag: date_processed_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created + copy_from: aws.securityhub_findings.processed_at + ignore_empty_value: true - foreach: field: json.Malware processor: @@ -1375,6 +1485,11 @@ processors: field: json.Region target_field: aws.securityhub_findings.region ignore_missing: true + - set: + field: cloud.region + tag: set_cloud_region + copy_from: aws.securityhub_findings.region + ignore_empty_value: true - foreach: field: json.RelatedFindings processor: 
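Review bot: The new `date` processor for `json.ProcessedAt` carries `tag: date_processed_at` and the long `Processor {{{_ingest.on_failure_processor_type}}} with tag … failed with message: …` failure text, while the `json.UpdatedAt` `date` processor added in the `@@ -510,10 +571,22 @@` hunk of this same commit has no tag and the short `'{{{_ingest.on_failure_message}}}'` form; pick one convention for processors added here. Since the tag is what makes the long message useful, the consistent choice is to add `tag: date_updated_at` to the other processor and use the long form in both.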
@@ -1405,10 +1520,383 @@ processors: field: json.Remediation.Recommendation.Url target_field: aws.securityhub_findings.remediation.recommendation.url ignore_missing: true + - set: + field: rule.reference + tag: set_rule_reference + copy_from: aws.securityhub_findings.remediation.recommendation.url + ignore_empty_value: true + - set: + field: rule.references + tag: set_rule_references + copy_from: aws.securityhub_findings.remediation.recommendation.url + ignore_empty_value: true + - set: + field: rule.remediation + tag: set_rule_remediation + value: "{{{aws.securityhub_findings.remediation.recommendation.text}}}\r\n{{{aws.securityhub_findings.remediation.recommendation.url}}}" + if: ctx.aws?.securityhub_findings?.remediation?.recommendation?.url != null && ctx.aws.securityhub_findings.remediation.recommendation.text != null + ignore_empty_value: true - rename: field: json.Resources target_field: aws.securityhub_findings.resources ignore_missing: true + - script: + description: Extract fields from aws.securityhub_findings.resources with single resource. + tag: script_extract_fields_from_single_resource + lang: painless + if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 0 + source: |- + // Arrays won't work in general in current UI of Cloud Security Posture workflow. In AWS SecurityHub, a finding may contain multiple resources, but rarely. + // When a finding has single-resource, we extract fields as single-value so that the Findings UI behaves as expected for almost all cases. + // But in the rare multi-resource case, we extract fields into an array to not miss any affected resources for a finding. + // This trade-off is okay as not many findings will be affected. When our UI natively supports multi-resources, the single-value resource extraction must be removed. + + def resources = ctx.aws.securityhub_findings.resources; + + // Define fields to be extracted. 
+ if (ctx.resource == null) { + ctx.resource = new HashMap(); + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (ctx.host == null) { + ctx.host = new HashMap(); + } + if (ctx.host.ip == null) { + ctx.host.ip = new ArrayList(); + } + if (ctx.orchestrator == null) { + ctx.orchestrator = new HashMap(); + } + if (ctx.orchestrator.cluster == null) { + ctx.orchestrator.cluster = new HashMap(); + } + if (ctx.orchestrator.resource == null) { + ctx.orchestrator.resource = new HashMap(); + } + if (ctx.cloud == null) { + ctx.cloud = new HashMap(); + } + if (ctx.cloud.instance == null) { + ctx.cloud.instance = new HashMap(); + } + if (ctx.cloud.service == null) { + ctx.cloud.service = new HashMap(); + } + + // This extraction logic is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources. + if (resources.size() == 1){ + def res = resources[0]; + + // Extract resource field + ctx.resource.type = res.Type; + ctx.resource.id = res.Id; + def res_name; + String[] tokenList = res.Id.splitOnToken(":"); + if (res.Details != null && res.Details[res.Type]?.Name != null) { + res_name = res.Details[res.Type].Name; + } else { + res_name = tokenList[tokenList.length - 1]; + } + ctx.resource.name = res_name; + + // Extract ECS fields from res.Details + if (res.Details != null) { + // Extract ECS user field from res.Details + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) { + ctx.user.name = res.Details.AwsIamUser.UserName; + } + if (res.Type == 'AwsIamAccessKey' && res.Details.AwsIamAccessKey?.UserName != null) { + ctx.user.name = res.Details.AwsIamAccessKey.UserName; + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerName != null) { + ctx.user.name = res.Details.AwsS3Bucket.OwnerName; + } + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserId != null) { + ctx.user.id = res.Details.AwsIamUser.UserId; + } + if (res.Type == 'AwsS3Bucket' && 
res.Details.AwsS3Bucket?.OwnerId != null) { + ctx.user.id = res.Details.AwsS3Bucket.OwnerId; + } + + // Extract ECS host field from res.Details + if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) { + ctx.host.name = res.Details.AwsEcsContainer.Name; + } + if (res.Type == 'AwsEc2Instance' && (res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null)) { + for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) { + if (ipv4 instanceof String) { + ctx.host.ip.add(ipv4); + } + } + for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) { + if (ipv6 instanceof String) { + ctx.host.ip.add(ipv6); + } + } + } + + // Extract ECS orchestrator field from res.Details + if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id = res.Details.AwsEksCluster.Arn; + } + if (res.Type == 'AwsEcsCluster' && res.Details.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name = res.Details.AwsEcsCluster.ClusterName; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name = res.Details.AwsEksCluster.Name; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version = res.Details.AwsEksCluster.Version; + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) { + ctx.orchestrator.cluster.url = res.Details.AwsEksCluster.Endpoint; + } + + // Extract ECS cloud field from res.Details + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details[res.Type].AvailabilityZone; + } + if 
((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone = az; + } + } + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone = az.Value; + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone; + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone = az.ZoneName; + } + } + } + + // Extract ECS host field not in res.Details + if (res.Type == 'AwsEc2Instance' && res.Id != null) { + ctx.host.id = res.Id; + } + + // Extract ECS orchestrator field not in res.Details + if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { + ctx.orchestrator.resource.id = res.Id; + ctx.orchestrator.resource.name = res_name; + ctx.orchestrator.resource.type = res.Type; + if (res.Type.startsWith('AwsEks')) { + ctx.orchestrator.type = 'kubernetes'; + } else { + ctx.orchestrator.type = 'ecs'; + } + } + + // Extract ECS cloud field not in res.Details + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id = res.Id; + ctx.cloud.instance.name = res_name; + } + if (tokenList.length > 2) { + ctx.cloud.service.name = tokenList[2]; + } + } + - script: + description: Extract fields from aws.securityhub_findings.resources. 
+ tag: script_extract_fields_from_multiple_resources + lang: painless + if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 1 + source: |- + def resources = ctx.aws.securityhub_findings.resources; + + // Define fields to be extracted. + if (ctx.resource.type == null) { + ctx.resource.type = new ArrayList(); + } + if (ctx.resource.id == null) { + ctx.resource.id = new ArrayList(); + } + if (ctx.resource.name == null) { + ctx.resource.name = new ArrayList(); + } + + if (ctx.user.name == null) { + ctx.user.name = new ArrayList(); + } + if (ctx.user.id == null) { + ctx.user.id = new ArrayList(); + } + + if (ctx.host.id == null) { + ctx.host.id = new ArrayList(); + } + if (ctx.host.ip == null) { + ctx.host.ip = new ArrayList(); + } + if (ctx.host.name == null) { + ctx.host.name = new ArrayList(); + } + + if (ctx.orchestrator.type == null) { + ctx.orchestrator.type = new ArrayList(); + } + if (ctx.orchestrator.cluster.id == null) { + ctx.orchestrator.cluster.id = new ArrayList(); + } + if (ctx.orchestrator.cluster.name == null) { + ctx.orchestrator.cluster.name = new ArrayList(); + } + if (ctx.orchestrator.cluster.version == null) { + ctx.orchestrator.cluster.version = new ArrayList(); + } + if (ctx.orchestrator.resource.id == null) { + ctx.orchestrator.resource.id = new ArrayList(); + } + if (ctx.orchestrator.resource.name == null) { + ctx.orchestrator.resource.name = new ArrayList(); + } + if (ctx.orchestrator.resource.type == null) { + ctx.orchestrator.resource.type = new ArrayList(); + } + + if (ctx.cloud.instance.id == null) { + ctx.cloud.instance.id = new ArrayList(); + } + if (ctx.cloud.instance.name == null) { + ctx.cloud.instance.name = new ArrayList(); + } + if (ctx.cloud.service.name == null) { + ctx.cloud.service.name = new ArrayList(); + } + if (ctx.cloud.availability_zone == null) { + ctx.cloud.availability_zone = new ArrayList(); + } + + for (res in resources) { + // Extract resource field + 
ctx.resource.type.add(res.Type); + ctx.resource.id.add(res.Id); + def res_name; + String[] tokenList = res.Id.splitOnToken(":"); + if (res.Details != null && res.Details[res.Type]?.Name != null) { + res_name = res.Details[res.Type].Name; + } else { + res_name = tokenList[tokenList.length - 1]; + } + ctx.resource.name.add(res_name); + + // Extract ECS fields from res.Details + if (res.Details != null) { + // Extract ECS user field from res.Details + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) { + ctx.user.name.add(res.Details.AwsIamUser.UserName); + } + if (res.Type == 'AwsIamAccessKey' && res.Details.AwsIamAccessKey?.UserName != null) { + ctx.user.name.add(res.Details.AwsIamAccessKey.UserName); + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerName != null) { + ctx.user.name.add(res.Details.AwsS3Bucket.OwnerName); + } + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserId != null) { + ctx.user.id.add(res.Details.AwsIamUser.UserId); + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) { + ctx.user.id.add(res.Details.AwsS3Bucket.OwnerId); + } + + // Extract ECS host field from res.Details + if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) { + ctx.host.name.add(res.Details.AwsEcsContainer.Name); + } + if (res.Type == 'AwsEc2Instance' && (res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null)) { + for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) { + if (ipv4 instanceof String) { + ctx.host.ip.add(ipv4); + } + } + for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) { + if (ipv6 instanceof String) { + ctx.host.ip.add(ipv6); + } + } + } + + // Extract ECS orchestrator field from res.Details + if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn); + } + if (res.Type == 
'AwsEksCluster' && res.Details.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEksCluster.Arn); + } + if (res.Type == 'AwsEcsCluster' && res.Details.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEcsCluster.ClusterName); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEksCluster.Name); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version.add(res.Details.AwsEksCluster.Version); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) { + ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint); + } + + // Extract ECS cloud field from res.Details + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone); + } + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone.add(az); + } + } + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.Value); + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone); + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + 
ctx.cloud.availability_zone.add(az.ZoneName); + } + } + } + + // Extract ECS host field not in res.Details + if (res.Type == 'AwsEc2Instance' && res.Id != null) { + ctx.host.id.add(res.Id); + } + + // Extract ECS orchestrator field not in res.Details + if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { + ctx.orchestrator.resource.id.add(res.Id); + ctx.orchestrator.resource.name.add(res_name); + ctx.orchestrator.resource.type.add(res.Type); + if (res.Type.startsWith('AwsEks')) { + ctx.orchestrator.type.add('kubernetes'); + } else { + ctx.orchestrator.type.add('ecs'); + } + } + + // Extract ECS cloud field not in res.Details + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id.add(res.Id); + ctx.cloud.instance.name.add(res_name); + } + if (tokenList.length > 2) { + ctx.cloud.service.name.add(tokenList[2]); + } + } - convert: field: json.Sample target_field: aws.securityhub_findings.sample @@ -1437,6 +1925,16 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - convert: + field: aws.securityhub_findings.severity.normalized + tag: convert_severity_normalized + target_field: event.severity + if: ctx.aws?.securityhub_findings?.severity?.normalized != null + type: long + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.Severity.Original target_field: aws.securityhub_findings.severity.original 
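Review bot: In `script_extract_fields_from_multiple_resources`, `ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint)` is called for `AwsEksCluster` resources, but unlike `cluster.id`, `cluster.name` and `cluster.version`, `ctx.orchestrator.cluster.url` is never initialised in the null-check block at the top of that script, so a multi-resource finding that includes an EKS cluster with an endpoint fails the script on a null reference; add `if (ctx.orchestrator.cluster.url == null) { ctx.orchestrator.cluster.url = new ArrayList(); }` beside the `cluster.version` initialisation. In both scripts the EC2 address loops are guarded by `res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null` and then iterate both lists unconditionally, so an instance reporting only one address family reaches `for (def ipv4 : null)`, which Painless rejects; guard each loop on its own list, `if (res.Details.AwsEc2Instance?.IpV4Addresses != null) { … }` and likewise for `IpV6Addresses`. Also note that the single-resource script's `for (def az: …)` loops assign `ctx.cloud.availability_zone = az` on every iteration, so a multi-AZ resource (the fixture's `ap-south-1b`/`ap-south-1a` load balancer) keeps only the last zone; that follows from the single-value trade-off explained in the header comment, but a one-line `// single-value field: last zone wins` at those loops would stop it reading as an accident.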
@@ -1592,21 +2090,15 @@ processors: field: json.Title target_field: aws.securityhub_findings.title ignore_missing: true + - set: + field: rule.name + tag: set_rule_name + copy_from: aws.securityhub_findings.title + ignore_empty_value: true - rename: field: json.Types target_field: aws.securityhub_findings.types ignore_missing: true - - date: - field: json.UpdatedAt - if: ctx.json?.UpdatedAt != null && ctx.json?.UpdatedAt != '' - target_field: aws.securityhub_findings.updated_at - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' - on_failure: - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - rename: field: json.UserDefinedFields target_field: aws.securityhub_findings.user_defined_fields diff --git a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml new file mode 100644 index 000000000000..73c6b27cb582 --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml @@ -0,0 +1,6 @@ +- name: event.kind + type: constant_keyword +- name: observer.vendor + type: constant_keyword +- name: cloud.provider + type: constant_keyword diff --git a/packages/aws/data_stream/securityhub_findings/fields/fields.yml b/packages/aws/data_stream/securityhub_findings/fields/fields.yml index 0d4765d4a2f1..03f083a3e5d0 100644 --- a/packages/aws/data_stream/securityhub_findings/fields/fields.yml +++ b/packages/aws/data_stream/securityhub_findings/fields/fields.yml @@ -271,6 +271,9 @@ - name: compliance type: group fields: + - name: security_control_id + type: keyword + description: Unique identifier of a control across standards. - name: related_requirements type: keyword description: For a control, the industry or regulatory framework requirements that are related to the control. 
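Review bot: The `date` processor for `json.UpdatedAt` is deleted in this hunk but nothing here replaces it, so `aws.securityhub_findings.updated_at` stops being populated unless the parsing was moved to a part of the pipeline outside this chunk. If it was moved, the later processor that now owns it is the place to document the change; if it was not, the original block (`- date: field: json.UpdatedAt ... target_field: aws.securityhub_findings.updated_at` with the `ISO8601` and `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` formats) should be restored, since the field is still declared and documented for the data stream. The new `set` of `rule.name` from `aws.securityhub_findings.title` is guarded by `ignore_empty_value: true`, which is sufficient here.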
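Review bot: None of the three fields declared in the new `fields/ecs.yml` carries a `description`, and the same applies to the new `resource.yml`, `result.yml` and `rule.yml` later in this commit; the regenerated docs table in `docs/securityhub.md` shows the effect as rows with an empty description column (`| cloud.provider | | constant_keyword |`, `| rule.id | | keyword |`). For ECS-named fields the package convention is `external: ecs`, which inherits the ECS description; since the type is deliberately overridden to `constant_keyword`, adding an explicit `description:` line per field (for example `description: Name of the cloud provider.`) keeps the generated documentation complete.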
@@ -289,6 +292,9 @@ - name: confidence type: long description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. + - name: processed_at + type: date + description: Indicates when AWS Security Hub received a finding and begins to process it. - name: created_at type: date description: Indicates when the security-findings provider created the potential security issue that a finding captured. diff --git a/packages/aws/data_stream/securityhub_findings/fields/resource.yml b/packages/aws/data_stream/securityhub_findings/fields/resource.yml new file mode 100644 index 000000000000..c093c2990328 --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings/fields/resource.yml @@ -0,0 +1,11 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: sub_type + type: keyword diff --git a/packages/aws/data_stream/securityhub_findings/fields/result.yml b/packages/aws/data_stream/securityhub_findings/fields/result.yml new file mode 100644 index 000000000000..c465d18bc64f --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings/fields/result.yml @@ -0,0 +1,16 @@ +- name: result + type: group + fields: + - name: evaluation + type: keyword + - name: evidence + type: group + fields: + - name: current_value + type: text + - name: expected_value + type: text + - name: configuration_path + type: text + - name: cloud_configuration_link + type: text diff --git a/packages/aws/data_stream/securityhub_findings/fields/rule.yml b/packages/aws/data_stream/securityhub_findings/fields/rule.yml new file mode 100644 index 000000000000..b9d505b971fe --- /dev/null +++ b/packages/aws/data_stream/securityhub_findings/fields/rule.yml 
@@ -0,0 +1,17 @@ +- name: rule + type: group + fields: + - name: uuid + type: keyword + - name: id + type: keyword + - name: name + type: keyword + - name: description + type: text + - name: remediation + type: text + - name: references + type: text + - name: reference + type: text diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md index fa46ef193254..dbb9d2dfb2e3 100644 --- a/packages/aws/docs/securityhub.md +++ b/packages/aws/docs/securityhub.md @@ -526,6 +526,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | aws.securityhub_findings.aws_account_id | The Amazon Web Services account ID that a finding is generated in. | keyword | | aws.securityhub_findings.company.name | The name of the company for the product that generated the finding. | keyword | | aws.securityhub_findings.compliance.related_requirements | For a control, the industry or regulatory framework requirements that are related to the control. | keyword | +| aws.securityhub_findings.compliance.security_control_id | Unique identifier of a control across standards. | keyword | | aws.securityhub_findings.compliance.status | The result of a standards check. | keyword | | aws.securityhub_findings.compliance.status_reasons.description | The corresponding description for the status reason code. | keyword | | aws.securityhub_findings.compliance.status_reasons.reason_code | A code that represents a reason for the control status. | keyword | 
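Review bot: `rule.reference` and `rule.description` are declared here as `text`, whereas ECS defines both as `keyword`; declaring them with a non-ECS type under an ECS field name makes them non-aggregatable and inconsistent with other integrations that populate the same fields. `rule.references` and `rule.remediation` are not ECS fields, so `text` is a defensible choice there if long free-form content is expected, but the ECS-named ones should stay `keyword`, e.g. `- name: reference` / `  type: keyword`. A short `description:` on each field would also fill the empty description cells visible in the docs table for this commit.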
@@ -590,6 +591,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | aws.securityhub_findings.process.path | The path to the process executable. | keyword | | aws.securityhub_findings.process.pid | The process ID. | long | | aws.securityhub_findings.process.terminated_at | Indicates when the process was terminated. | date | +| aws.securityhub_findings.processed_at | Indicates when AWS Security Hub received a finding and begins to process it. | date | | aws.securityhub_findings.product.arn | The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. | keyword | | aws.securityhub_findings.product.fields | A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. | flattened | | aws.securityhub_findings.product.name | The name of the product that generated the finding. | keyword | 
@@ -651,15 +653,34 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | aws.securityhub_findings.workflow.state | The workflow state of a finding. | keyword | | aws.securityhub_findings.workflow.status | The status of the investigation into the finding. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.provider | | constant_keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| event.kind | | constant_keyword | | event.module | Event module. | constant_keyword | | host.containerized | If the host is a container. | boolean | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | +| observer.vendor | | constant_keyword | +| resource.id | | keyword | +| resource.name | | keyword | +| resource.sub_type | | keyword | +| resource.type | | keyword | +| result.evaluation | | keyword | +| result.evidence.cloud_configuration_link | | text | +| result.evidence.configuration_path | | text | +| result.evidence.current_value | | text | +| result.evidence.expected_value | | text | +| rule.description | | text | +| rule.id | | keyword | +| rule.name | | keyword | +| rule.reference | | text | +| rule.references | | text | +| rule.remediation | | text | +| rule.uuid | | keyword | | url.user_info | | keyword | diff --git a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json index 90d4f910b6af..04315e0dbf32 100644 --- a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json +++ b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json 
@@ -3,8 +3,54 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"d620f0d7-381f-456f-8660-a6e6838e34fc\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"data_stream.dataset\",\"title\":\"Integrations\",\"id\":\"d620f0d7-381f-456f-8660-a6e6838e34fc\",\"enhancements\":{},\"selectedOptions\":[]}},\"f7d8c037-280e-4387-84e2-fa76ee6124da\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"aws.securityhub_findings.region\",\"title\":\"Region\",\"id\":\"f7d8c037-280e-4387-84e2-fa76ee6124da\",\"enhancements\":{},\"selectedOptions\":[]}},\"c819da49-49e8-4460-8329-8521d7f8ac8a\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Account\",\"id\":\"c819da49-49e8-4460-8329-8521d7f8ac8a\",\"enhancements\":{},\"selectedOptions\":[]}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "c819da49-49e8-4460-8329-8521d7f8ac8a": { + "explicitInput": { + "enhancements": {}, + "fieldName": "cloud.account.id", + "id": "c819da49-49e8-4460-8329-8521d7f8ac8a", + "selectedOptions": [], + "title": "Account" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "d620f0d7-381f-456f-8660-a6e6838e34fc": { + "explicitInput": { + "enhancements": {}, + "fieldName": "data_stream.dataset", + "id": "d620f0d7-381f-456f-8660-a6e6838e34fc", + "selectedOptions": [], + "title": "Integrations" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "f7d8c037-280e-4387-84e2-fa76ee6124da": { + "explicitInput": { 
+ "enhancements": {}, + "fieldName": "aws.securityhub_findings.region", + "id": "f7d8c037-280e-4387-84e2-fa76ee6124da", + "selectedOptions": [], + "title": "Region" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "AWS Security Hub Findings Summary", "kibanaSavedObjectMeta": { @@ -46,6 +92,42 @@ "useMargins": true }, "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Findings Action Overview](#/dashboard/aws-3d3dbe00-f79f-11ec-aa7f-c173c0f9e267) | [Findings Malware, Threat Intelligence Indicator and Network Path Overview](#/dashboard/aws-8fcf4c20-f7a3-11ec-aa7f-c173c0f9e267) | [Findings and Insights Overview](#/dashboard/aws-cc571400-dc61-11ec-a6e3-1bc5ab0aa1b4)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", + "title": "Dashboards [Logs AWS]", + "type": "visualization" + }, { "embeddableConfig": { "enhancements": {}, @@ -80,8 +162,7 @@ "y": 4 }, "panelIndex": "cc027475-1e31-4ccf-bdd7-9655809a1c30", - "type": "visualization", - "version": "8.8.1" + "type": "visualization" }, { "embeddableConfig": { @@ -178,14 +259,13 @@ "gridData": { "h": 15, "i": "146c2ac6-d83d-4fcb-808a-d24c2762f45c", - "w": 24, + "w": 25, "x": 0, "y": 7 }, "panelIndex": "146c2ac6-d83d-4fcb-808a-d24c2762f45c", "title": "Distribution of Events by Account [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -198,6 +278,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { 
@@ -235,10 +316,11 @@ "parentFormat": { "id": "terms" }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "aws.securityhub_findings.region" + "sourceField": "cloud.region" } }, "incompleteColumns": {} @@ -247,9 +329,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "" + "query": "event.module : \"aws\" " }, "visualization": { "layers": [ 
@@ -281,14 +364,396 @@ "gridData": { "h": 15, "i": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7", - "w": 24, - "x": 24, + "w": 23, + "x": 25, "y": 7 }, "panelIndex": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7", "title": "Distribution of Events by Region [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Findings Outcome - Success", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" AND event.outcome : \"success\" " + }, + "visualization": { + "color": "#54B399", + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "layerType": "data", + "metricAccessor": "25539159-d53b-4507-9e4b-e5aa60e46960" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "996217a3-e617-4b6a-b40a-89a521d588dc", + "w": 8, + "x": 0, + "y": 22 + }, + "panelIndex": "996217a3-e617-4b6a-b40a-89a521d588dc", + "title": "Events with Successful Findings [Logs AWS]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } 
+ ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "de7e9ccb-b11c-4159-9c9d-e52d8bc6f027", + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "de7e9ccb-b11c-4159-9c9d-e52d8bc6f027": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of cloud.service.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.service.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "de7e9ccb-b11c-4159-9c9d-e52d8bc6f027" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4de4ac27-d439-4131-81f2-f6f9fcd10387", + "w": 15, + "x": 8, + "y": 22 + }, + "panelIndex": "4de4ac27-d439-4131-81f2-f6f9fcd10387", + "title": 
"Distribution of Events by AWS Service [Logs AWS]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "cdc92661-6c47-4778-8437-561304965eb6", + "6161b72a-cf02-4c69-804e-fa663042331a", + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6161b72a-cf02-4c69-804e-fa663042331a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of rule.id", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "rule.id" + }, + "cdc92661-6c47-4778-8437-561304965eb6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top Rules", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + 
"filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" " + }, + "visualization": { + "columns": [ + { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960" + }, + { + "columnId": "cdc92661-6c47-4778-8437-561304965eb6", + "isMetric": false, + "isTransposed": false, + "width": 501.5 + }, + { + "columnId": "6161b72a-cf02-4c69-804e-fa663042331a", + "isMetric": false, + "isTransposed": false, + "width": 270.75 + } + ], + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "69a42735-8625-4f93-af73-09fc337b6bb1", + "w": 25, + "x": 23, + "y": 22 + }, + "panelIndex": "69a42735-8625-4f93-af73-09fc337b6bb1", + "title": "Top Rules Contributing to Findings [Logs AWS]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Findings Outcome - Failure", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" AND event.outcome : \"failure\" " + }, + "visualization": { + "color": "#E7664C", + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + 
"layerType": "data", + "metricAccessor": "25539159-d53b-4507-9e4b-e5aa60e46960" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "7419d896-5a39-461c-a72d-09734cc6d67e", + "w": 8, + "x": 0, + "y": 29 + }, + "panelIndex": "7419d896-5a39-461c-a72d-09734cc6d67e", + "title": "Events with Failure Findings [Logs AWS] (copy)", + "type": "lens" }, { "embeddableConfig": { @@ -374,12 +839,11 @@ "i": "7a319626-d1c2-4728-9611-3bbea3c850d4", "w": 24, "x": 0, - "y": 22 + "y": 37 }, "panelIndex": "7a319626-d1c2-4728-9611-3bbea3c850d4", "title": "Count by Severity [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -464,11 +928,10 @@ "i": "7cb13a54-c41f-4653-be22-340b99b6d83c", "w": 24, "x": 24, - "y": 22 + "y": 37 }, "panelIndex": "7cb13a54-c41f-4653-be22-340b99b6d83c", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -603,12 +1066,11 @@ "i": "7c5505a3-f4e0-43af-8e25-260e9e7e8473", "w": 48, "x": 0, - "y": 30 + "y": 45 }, "panelIndex": "7c5505a3-f4e0-43af-8e25-260e9e7e8473", "title": "Distribution of Finding's Severity Over Time [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -718,12 +1180,11 @@ "i": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d", "w": 11, "x": 0, - "y": 39 + "y": 54 }, "panelIndex": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d", "title": "Security Hub - Affected Instance ID [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -864,12 +1325,11 @@ "i": "933df910-8ae4-4a4b-9af7-87b30a92d952", "w": 37, "x": 11, - "y": 39 + "y": 54 }, "panelIndex": "933df910-8ae4-4a4b-9af7-87b30a92d952", "title": "Security Hub - Finding Types [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { 
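Review bot: The new failure metric panel is titled `"Events with Failure Findings [Logs AWS] (copy)"`; the `(copy)` suffix looks like a leftover from duplicating the success panel in the editor and will be shown verbatim on the dashboard. It should read `"title": "Events with Failure Findings [Logs AWS]",` to match the sibling `"Events with Successful Findings [Logs AWS]"` panel. The two panels also differ in height (`"h": 7` versus `"h": 8`), which is presumably unintentional for a matched pair.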
@@ -979,12 +1439,11 @@ "i": "a4cba719-5f51-4090-910f-12e39dc01239", "w": 11, "x": 0, - "y": 47 + "y": 62 }, "panelIndex": "a4cba719-5f51-4090-910f-12e39dc01239", "title": "Security Hub - Network Direction [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -1287,12 +1746,11 @@ "i": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f", "w": 48, "x": 0, - "y": 55 + "y": 70 }, "panelIndex": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f", "title": "Security Hub - Findings [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -1323,12 +1781,11 @@ "i": "7a8bdb96-e4c4-4e63-bc80-14fbd4b97c2f", "w": 48, "x": 0, - "y": 73 + "y": 88 }, "panelIndex": "7a8bdb96-e4c4-4e63-bc80-14fbd4b97c2f", "title": "", - "type": "visualization", - "version": "8.8.1" + "type": "visualization" }, { "embeddableConfig": { @@ -1602,12 +2059,11 @@ "i": "9c9ea523-c04c-4783-9737-494bb8a1d068", "w": 48, "x": 0, - "y": 76 + "y": 91 }, "panelIndex": "9c9ea523-c04c-4783-9737-494bb8a1d068", "title": "", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -1638,12 +2094,11 @@ "i": "a22c199d-3314-4dc0-9c99-79d7dad12c6c", "w": 48, "x": 0, - "y": 93 + "y": 108 }, "panelIndex": "a22c199d-3314-4dc0-9c99-79d7dad12c6c", "title": "", - "type": "visualization", - "version": "8.8.1" + "type": "visualization" }, { "embeddableConfig": { @@ -1654,12 +2109,11 @@ "i": "7fad8ba7-c80b-45f5-ace4-0757caa63766", "w": 48, "x": 0, - "y": 96 + "y": 111 }, "panelIndex": "7fad8ba7-c80b-45f5-ace4-0757caa63766", "panelRefName": "panel_7fad8ba7-c80b-45f5-ace4-0757caa63766", - "type": "search", - "version": "8.8.1" + "type": "search" }, { "embeddableConfig": { 
@@ -1670,61 +2124,21 @@ "i": "d730fda4-95c3-4c8f-9236-6dd187a9f63c", "w": 48, "x": 0, - "y": 112 + "y": 127 }, "panelIndex": "d730fda4-95c3-4c8f-9236-6dd187a9f63c", "panelRefName": "panel_d730fda4-95c3-4c8f-9236-6dd187a9f63c", - "type": "search", - "version": "8.8.1" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "[Findings Action Overview](#/dashboard/aws-3d3dbe00-f79f-11ec-aa7f-c173c0f9e267) | [Findings Malware, Threat Intelligence Indicator and Network Path Overview](#/dashboard/aws-8fcf4c20-f7a3-11ec-aa7f-c173c0f9e267) | [Findings and Insights Overview](#/dashboard/aws-cc571400-dc61-11ec-a6e3-1bc5ab0aa1b4)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", - "title": "Dashboards [Logs AWS]", - "type": "visualization", - "version": "8.8.1" + "type": "search" } ], "timeRestore": false, "title": "[Logs AWS] Security Hub Summary Dashboard", - "version": 1 + "version": 2 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-10-30T10:13:47.936Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-23T11:31:27.865Z", "id": "aws-c9f103d0-5f63-11ed-bd69-473ce047ef30", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", 
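Review bot: The dashboard is re-exported with `"managed": false`, while the two saved searches and the new tag in this same commit carry `"managed": true`; unless the packaging tooling expects this difference, the values should agree across the package's Kibana assets. The added `"updated_by": "u_2762430631_cloud"` is export metadata naming an internal user account that none of the other saved objects here include; it is not needed by the package and, to keep a checked-in asset free of environment-specific identifiers, is better dropped before committing. Both points apply only to the new side of this hunk.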
@@ -1741,6 +2155,26 @@ "name": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "996217a3-e617-4b6a-b40a-89a521d588dc:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4de4ac27-d439-4131-81f2-f6f9fcd10387:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69a42735-8625-4f93-af73-09fc337b6bb1:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7419d896-5a39-461c-a72d-09734cc6d67e:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, { "id": "logs-*", "name": "7a319626-d1c2-4728-9611-3bbea3c850d4:indexpattern-datasource-layer-abc2e8dc-c832-4535-bdf4-d39175c25d2e", @@ -1805,7 +2239,14 @@ "id": "logs-*", "name": "controlGroup_c819da49-49e8-4460-8329-8521d7f8ac8a:optionsListDataView", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_2762430631_cloud" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json index e4dd11b43a5e..357290a65546 100644 --- a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json +++ b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json 
@@ -22,18 +22,22 @@ ], "title": "Security Hub - Raw Events [Logs AWS]" }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-18T08:47:59.330Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-23T11:21:41.694Z", "id": "aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.3.0" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json index c49bdff5dc0b..3d44e55eea8f 100644 --- a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json +++ b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json @@ -31,18 +31,22 @@ ], "title": "Essential Details - Security Hub [Logs AWS]" }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-18T08:47:59.330Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-23T11:21:41.694Z", "id": "aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.3.0" } \ No newline at end of file diff --git a/packages/aws/kibana/tag/aws-security-solution-default.json b/packages/aws/kibana/tag/aws-security-solution-default.json new file mode 100644 index 000000000000..4b7620ded40d --- /dev/null 
+++ b/packages/aws/kibana/tag/aws-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#D36086", + "description": "", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-10T10:47:15.483Z", + "id": "aws-security-solution-default", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index 12145bf7499e..069d674aa362 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: aws title: AWS -version: 2.25.0 +version: 2.26.0 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: