Security Hub

vulnerability-finding

Vendor: AWS
Type: Vulnerability-Finding
Subtype: vulnerability-finding
OCSF Version: 1.6.0
Created by: buer shen

Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services. Learn more about using templates →

Mapping Configuration

The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. The configuration below defines those field mappings in the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from AWS Vulnerability-Finding logs into OCSF fields: converting timestamps to standard formats, restructuring nested data, and applying conditional logic to derive field values.

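dict(
  time=ts_str_to_epoch($['CreatedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'"),
  device=dict(
    uid=$.Resources[0].Details.AwsEcrContainerImage.RegistryId,
    type="Container Image",
    region=$.Resources[0].Region,
    type_id=99
  ),
  status=case(
    $['Workflow']['Status'] == 'NEW' => 'New',
    $['Workflow']['Status'] == 'NOTIFIED' => 'In Progress',
    $['Workflow']['Status'] == 'RESOLVED' => 'Resolved',
    $['Workflow']['Status'] == 'SUPPRESSED' => 'Suppressed',
    $['RecordState'] == 'ARCHIVED' => 'Archived',
    _ => 'Other'
  ),
  message=$['Description'],
  metadata=dict(
    uid=$['Id'],
    product=dict(
      name=$['ProductName'],
      feature=dict(
        name=$['ProductFields']['aws/inspector/ProductVersion']
      ),
      vendor_name=$['CompanyName']
    ),
    version="1.6.0",
    log_name=$['ProductFields']['aws/securityhub/FindingId'],
    logged_time=ts_str_to_epoch($['CreatedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'"),
    log_provider=$['GeneratorId'],
    original_time=$['CreatedAt'],
    processed_time=ts_str_to_epoch($['ProcessedAt'], "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
  ),
  raw_data=to_str($),
  severity=case(
    $['Severity']['Label'] == "INFORMATIONAL" => 'Informational',
    $['Severity']['Label'] == "LOW" => 'Low',
    $['Severity']['Label'] == "MEDIUM" => 'Medium',
    $['Severity']['Label'] == "HIGH" => 'High',
    $['Severity']['Label'] == "CRITICAL" => 'Critical',
    _ => 'Unknown'
  ),
  type_uid=case(
    $['Workflow']['Status'] == "NEW" => 200201,
    $['Workflow']['Status'] == "RESOLVED" => 200203,
    $['Workflow']['Status'] == "SUPPRESSED" => 200203,
    $['RecordState'] == "ARCHIVED" => 200203,
    _ => 200299
  ),
  unmapped=dict(
    Region=$.Region,
    ProductArn=$.ProductArn,
    AwsAccountId=$.AwsAccountId,
    SchemaVersion=$.SchemaVersion,
    WorkflowState=$.WorkflowState,
    FindingProviderFields=$.FindingProviderFields
  ),
  class_uid=2002,
  resources=arr_foreach($['Resources'], resource, dict(
      uid=resource['Id'],
      name=case(
        resource['Type'] == "AwsEcrContainerImage" => resource['Details']['AwsEcrContainerImage']['RepositoryName'],
        _ => null
      ),
      role_id=1,
      version=case(
        resource['Type'] == "AwsEcrContainerImage" => resource['Details']['AwsEcrContainerImage']['ImageDigest'],
        _ => null
      ),
      namespace=case(
        resource['Type'] == "AwsEcrContainerImage" => resource['Partition'],
        _ => null
      ),
      created_time=case(
        resource['Type'] == "AwsEcrContainerImage" and resource['Details']['AwsEcrContainerImage']['ImagePublishedAt'] != null => ts_str_to_epoch(resource['Details']['AwsEcrContainerImage']['ImagePublishedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'"),
        _ => null
      )
    )
  ),
  status_id=case(
    $['Workflow']['Status'] == "NEW" => 1,
    $['Workflow']['Status'] == "NOTIFIED" => 2,
    $['Workflow']['Status'] == "RESOLVED" => 4,
    $['Workflow']['Status'] == "SUPPRESSED" => 3,
    $['RecordState'] == "ARCHIVED" => 5,
    _ => 99
  ),
  type_name=case(
    $['Workflow']['Status'] == 'NEW' => 'Vulnerability Finding: Create',
    $['Workflow']['Status'] == 'RESOLVED' => 'Vulnerability Finding: Close',
    $['Workflow']['Status'] == 'SUPPRESSED' => 'Vulnerability Finding: Close',
    $['RecordState'] == 'ARCHIVED' => 'Vulnerability Finding: Close',
    _ => 'Vulnerability Finding: Other'
  ),
  class_name='Vulnerability Finding',
  confidence=case(
    size_of($['Vulnerabilities']) > 0 and $['Vulnerabilities'][0]['Cvss'] != null and size_of($['Vulnerabilities'][0]['Cvss']) > 0 => case(
      $['Vulnerabilities'][0]['Cvss'][0]['BaseScore'] >= 7.0 => 'High',
      $['Vulnerabilities'][0]['Cvss'][0]['BaseScore'] >= 4.0 => 'Medium',
      $['Vulnerabilities'][0]['Cvss'][0]['BaseScore'] > 0.0 => 'Low',
      _ => 'Unknown'
    ),
    $['ProductFields']['aws/inspector/inspectorScore'] != null => case(
      parse_float($['ProductFields']['aws/inspector/inspectorScore']) >= 7.0 => 'High',
      parse_float($['ProductFields']['aws/inspector/inspectorScore']) >= 4.0 => 'Medium',
      parse_float($['ProductFields']['aws/inspector/inspectorScore']) > 0.0 => 'Low',
      _ => 'Unknown'
    ),
    _ => 'Unknown'
  ),
  activity_id=case(
    $['Workflow']['Status'] == "NEW" => 1,
    $['Workflow']['Status'] == "RESOLVED" => 3,
    $['Workflow']['Status'] == "SUPPRESSED" => 3,
    $['RecordState'] == "ARCHIVED" => 3,
    _ => 99
  ),
  severity_id=case(
    $['Severity']['Label'] == "INFORMATIONAL" => 1,
    $['Severity']['Label'] == "LOW" => 2,
    $['Severity']['Label'] == "MEDIUM" => 3,
    $['Severity']['Label'] == "HIGH" => 4,
    $['Severity']['Label'] == "CRITICAL" => 5,
    _ => 0
  ),
  status_code=case(
    $['Workflow']['Status'] == "NEW" => "NEW",
    $['Workflow']['Status'] == "RESOLVED" => "RESOLVED",
    $['Workflow']['Status'] == "SUPPRESSED" => "SUPPRESSED",
    $['RecordState'] == "ARCHIVED" => "ARCHIVED",
    _ => $['Workflow']['Status']
  ),
  category_uid=2,
  finding_info=dict(
    uid=$['Id'],
    desc=$['Description'],
    title=$['Title'],
    types=$['Types'],
    product=dict(
      name=$['ProductName'],
      feature=dict(
        name=$['ProductFields']['aws/inspector/ProductVersion']
      ),
      vendor_name=$['CompanyName']
    ),
    src_url=case(
      size_of($['Vulnerabilities']) > 0 => $['Vulnerabilities'][0]['Vendor']['Url'],
      _ => null
    ),
    created_time=ts_str_to_epoch($['CreatedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'"),
    modified_time=ts_str_to_epoch($['UpdatedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'"),
    last_seen_time=ts_str_to_epoch($['LastObservedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'"),
    first_seen_time=ts_str_to_epoch($['FirstObservedAt'], "yyyy-MM-dd'T'HH:mm:ss'Z'")
  ),
  activity_name=case(
    $['Workflow']['Status'] == 'NEW' => 'Create',
    $['Workflow']['Status'] == 'RESOLVED' => 'Close',
    $['Workflow']['Status'] == 'SUPPRESSED' => 'Close',
    $['RecordState'] == 'ARCHIVED' => 'Close',
    _ => 'Other'
  ),
  category_name='Findings',
  confidence_id=case(
    size_of($['Vulnerabilities']) > 0 and $['Vulnerabilities'][0]['Cvss'] != null and size_of($['Vulnerabilities'][0]['Cvss']) > 0 => case(
      $['Vulnerabilities'][0]['Cvss'][0]['BaseScore'] >= 7.0 => 3,
      $['Vulnerabilities'][0]['Cvss'][0]['BaseScore'] >= 4.0 => 2,
      $['Vulnerabilities'][0]['Cvss'][0]['BaseScore'] > 0.0 => 1,
      _ => 0
    ),
    $['ProductFields']['aws/inspector/inspectorScore'] != null => case(
      parse_float($['ProductFields']['aws/inspector/inspectorScore']) >= 7.0 => 3,
      parse_float($['ProductFields']['aws/inspector/inspectorScore']) >= 4.0 => 2,
      parse_float($['ProductFields']['aws/inspector/inspectorScore']) > 0.0 => 1,
      _ => 0
    ),
    _ => 0
  ),
  status_detail=case(
    $['Workflow']['Status'] == "NEW" => "Active finding awaiting review",
    $['Workflow']['Status'] == "RESOLVED" => "Finding has been resolved",
    $['Workflow']['Status'] == "SUPPRESSED" => "Finding has been suppressed",
    $['RecordState'] == "ARCHIVED" => "Finding has been archived",
    $['Remediation']['Recommendation']['Text'] != null => $['Remediation']['Recommendation']['Text'],
    _ => null
  ),
  timezone_offset=0,
  vulnerabilities=arr_foreach($.Vulnerabilities, vuln, dict(
      cve=dict(
        uid=vuln.Id,
        cvss=arr_foreach(vuln.Cvss, cvss, dict(
            version=cvss.Version,
            base_score=cvss.BaseScore,
            vector_string=cvss.BaseVector
          )
        ),
        epss=dict(
          score=to_str(vuln.EpssScore)
        ),
        references=array(
          vuln.Vendor.Url
        )
      ),
      references=vuln.ReferenceUrls,
      vendor_name=vuln.Vendor.Name,
      is_fix_available=case(
        upper(vuln.FixAvailable) == 'YES' => true,
        upper(vuln.FixAvailable) == 'NO' => false,
        _ => null
      ),
      affected_packages=arr_foreach(vuln.VulnerablePackages, pkg, dict(
          name=pkg.Name,
          epoch=parse_int(pkg.Epoch),
          release=pkg.Release,
          version=pkg.Version,
          remediation=dict(
            desc=pkg.Remediation
          ),
          architecture=pkg.Architecture,
          package_manager=pkg.PackageManager,
          fixed_in_version=pkg.FixedInVersion
        )
      ),
      is_exploit_available=case(
        upper(vuln.ExploitAvailable) == 'YES' => true,
        upper(vuln.ExploitAvailable) == 'NO' => false,
        _ => null
      ),
      related_vulnerabilities=vuln.RelatedVulnerabilities
    )
  )
)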

Template ID: 30e9cc1e-9605-4610-b693-9e96716ecaac

Text Mapping: No
