Security Hub
compliance-findingsVendor: AWS
Type: Compliance-Findings
Subtype: compliance-findings
OCSF Version: 1.6.0
Created by: buer shen
Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services. Learn more about using templates →
Mapping Configuration
The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. To define these field mappings, the configuration below uses the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from AWS Compliance-Findings logs into OCSF fields - converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.
dict(
time=ts_str_to_epoch($.CreatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
device=case(
size_of($.Resources) > 0 => dict(uid=$.Resources[0].Id, region=$.Resources[0].Region, type_id=99, type="SecurityGroup"),
_ => null
),
status=case(
$.Workflow.Status == "RESOLVED" => 'Resolved',
$.Workflow.Status == "SUPPRESSED" => 'Suppressed',
$.Workflow.Status == "NOTIFIED" => 'In Progress',
$.Workflow.Status == "NEW" => 'New',
$.RecordState == "ARCHIVED" => 'Archived',
_ => 'Other'
),
comment=case(
$.ProductFields != null and size_of($.ProductFields) > 0 => to_str($.ProductFields),
_ => null
),
message=$.Description,
end_time=case(
$.LastObservedAt != null => ts_str_to_epoch($.LastObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
_ => null
),
metadata=dict(
uid=$.Id,
product=dict(
name=$.ProductName,
feature=dict(
name=$.ProductFields.ControlId
),
vendor_name=$.CompanyName
),
version="1.6.0",
log_name="Security Hub",
logged_time=ts_str_to_epoch($.CreatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
log_provider=$.CompanyName,
original_time=$.CreatedAt,
processed_time=ts_str_to_epoch($.UpdatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
),
raw_data=to_str($),
severity=case(
$.Severity.Label == 'INFORMATIONAL' => 'Informational',
$.Severity.Label == 'LOW' => 'Low',
$.Severity.Label == 'MEDIUM' => 'Medium',
$.Severity.Label == 'HIGH' => 'High',
$.Severity.Label == 'CRITICAL' => 'Critical',
$.Severity.Label == null => 'Unknown',
_ => 'Other'
),
type_uid=case(
$.Workflow.Status == "RESOLVED" => 200303,
$.RecordState == "ACTIVE" and $.WorkflowState == "NEW" => 200301,
$.RecordState == "ACTIVE" => 200302,
_ => 200399
),
unmapped=dict(
Region=$.Region,
Process=$.Process,
ProductArn=$.ProductArn,
GeneratorId=$.GeneratorId,
AwsAccountId=$.AwsAccountId,
SchemaVersion=$.SchemaVersion,
FindingProviderFields=$.FindingProviderFields
),
class_uid=2003,
resources=arr_foreach($.Resources, resource, dict(
uid=$.Resources[0].Id,
group=case(
resource.Details.AwsEc2SecurityGroup != null and resource.Details.AwsEc2SecurityGroup.VpcId != null => dict(uid=resource.Details.AwsEc2SecurityGroup.VpcId, name=resource.Details.AwsEc2SecurityGroup.VpcId),
_ => null
),
owner=case(
resource.Details.AwsEc2SecurityGroup != null and resource.Details.AwsEc2SecurityGroup.OwnerId != null => dict(
uid=resource.Details.AwsEc2SecurityGroup.OwnerId,
type='Service',
type_id=4,
account=dict(uid=resource.Details.AwsEc2SecurityGroup.OwnerId, type='AWS Account', type_id=10)),
_ => null
),
role_id=1
)
),
status_id=case(
$.Workflow.Status == "RESOLVED" => 4,
$.Workflow.Status == "SUPPRESSED" => 3,
$.Workflow.Status == "NOTIFIED" => 2,
$.Workflow.Status == "NEW" => 1,
$.RecordState == "ARCHIVED" => 5,
_ => 99
),
type_name=case(
$.Workflow.Status == 'RESOLVED' => 'Compliance Finding: Close',
$.RecordState == 'ACTIVE' and $.WorkflowState == 'NEW' => 'Compliance Finding: Create',
$.RecordState == 'ACTIVE' => 'Compliance Finding: Update',
_ => 'Compliance Finding: Other'
),
class_name='Compliance Finding',
compliance=dict(
desc=$.Description,
status=case(
$.Compliance.Status == 'PASSED' => 'Pass',
$.Compliance.Status == 'FAILED' => 'Fail',
$.Compliance.Status == 'WARNING' => 'Warning',
$.Compliance.Status == 'NOT_AVAILABLE' => 'Unknown',
_ => 'Other'
),
control=$.ProductFields.ControlId,
status_id=case(
$.Compliance.Status == "PASSED" => 1,
$.Compliance.Status == "FAILED" => 3,
$.Compliance.Status == "WARNING" => 2,
$.Compliance.Status == "NOT_AVAILABLE" => 0,
_ => 99
),
status_code=$.Compliance.Status
),
confidence=case(
$.Vulnerabilities != null and size_of($.Vulnerabilities) > 0 => case(
$.Vulnerabilities[0].Cvss != null and size_of($.Vulnerabilities[0].Cvss) > 0 => case(
$.Vulnerabilities[0].Cvss[0].BaseScore >= 7.0 => 'High',
$.Vulnerabilities[0].Cvss[0].BaseScore >= 4.0 => 'Medium',
$.Vulnerabilities[0].Cvss[0].BaseScore > 0 => 'Low',
_ => 'Unknown'
),
_ => 'Medium'
),
$.Compliance != null and $.Compliance.Status != null => case(
$.Compliance.Status == 'PASSED' => 'High',
$.Compliance.Status == 'FAILED' => 'Medium',
$.Compliance.Status == 'WARNING' => 'Low',
_ => 'Unknown'
),
$.Severity != null and $.Severity.Label != null => case(
$.Severity.Label == 'CRITICAL' or $.Severity.Label == 'HIGH' => 'High',
$.Severity.Label == 'MEDIUM' => 'Medium',
$.Severity.Label == 'LOW' or $.Severity.Label == 'INFORMATIONAL' => 'Low',
_ => 'Unknown'
),
_ => 'Unknown'
),
start_time=case(
$.FirstObservedAt != null => ts_str_to_epoch($.FirstObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
_ => null
),
activity_id=case(
$.Workflow.Status == "RESOLVED" => 3,
$.RecordState == "ACTIVE" and $.WorkflowState == "NEW" => 1,
$.RecordState == "ACTIVE" => 2,
_ => 99
),
remediation=dict(
desc=$.Remediation.Recommendation.Text,
references=array(
$.Remediation.Recommendation.Url
)
),
severity_id=case(
$.Severity.Label == "INFORMATIONAL" => 1,
$.Severity.Label == "LOW" => 2,
$.Severity.Label == "MEDIUM" => 3,
$.Severity.Label == "HIGH" => 4,
$.Severity.Label == "CRITICAL" => 5,
$.Severity.Label == null => 0,
_ => 99
),
status_code=$.Compliance.Status,
category_uid=2,
finding_info=dict(
uid=$.Id,
desc=$.Description,
title=$.Title,
types=$.Types,
product=dict(
name=$.ProductName,
feature=dict(
name=$.ProductFields.ControlId
),
vendor_name=$.CompanyName
),
src_url=$.ProductFields.RecommendationUrl,
created_time=ts_str_to_epoch($.CreatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
modified_time=ts_str_to_epoch($.UpdatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
last_seen_time=ts_str_to_epoch($.LastObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
first_seen_time=ts_str_to_epoch($.FirstObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
),
activity_name=case(
$.Workflow.Status == "RESOLVED" => 'Close',
$.RecordState == "ACTIVE" and $.WorkflowState == "NEW" => 'Create',
$.RecordState == "ACTIVE" => 'Update',
_ => 'Other'
),
category_name='Findings',
confidence_id=case(
$.Vulnerabilities != null and size_of($.Vulnerabilities) > 0 => case(
$.Vulnerabilities[0].Cvss != null and size_of($.Vulnerabilities[0].Cvss) > 0 => case(
$.Vulnerabilities[0].Cvss[0].BaseScore >= 7.0 => 3,
$.Vulnerabilities[0].Cvss[0].BaseScore >= 4.0 => 2,
$.Vulnerabilities[0].Cvss[0].BaseScore > 0 => 1,
_ => 0
),
_ => 2
),
$.Compliance != null and $.Compliance.Status != null => case(
$.Compliance.Status == "PASSED" => 3,
$.Compliance.Status == "FAILED" => 2,
$.Compliance.Status == "WARNING" => 1,
_ => 0
),
$.Severity != null and $.Severity.Label != null => case(
$.Severity.Label == "CRITICAL" or $.Severity.Label == "HIGH" => 3,
$.Severity.Label == "MEDIUM" => 2,
$.Severity.Label == "LOW" or $.Severity.Label == "INFORMATIONAL" => 1,
_ => 0
),
_ => 0
),
status_detail=case(
$.Compliance != null and $.Compliance.StatusReasons != null and size_of($.Compliance.StatusReasons) > 0 => $.Compliance.StatusReasons[0].Description,
$.Workflow != null and $.Workflow.Status != null => $.Workflow.Status,
$.WorkflowState != null => $.WorkflowState,
_ => null
),
confidence_score=case(
$.Vulnerabilities != null and size_of($.Vulnerabilities) > 0 and $.Vulnerabilities[0].Cvss != null and size_of($.Vulnerabilities[0].Cvss) > 0 => floor($.Vulnerabilities[0].Cvss[0].BaseScore * 10),
_ => null
)
)Template ID: 16f08650-9559-412a-903f-4b103f9aeed9
Text Mapping: No
Ready to use this template?