Security Hub
compliance-findingVendor: AWS
Type: Compliance-Finding
Subtype: compliance-finding
OCSF Version: 1.6.0
Created by: buer shen
Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services. Learn more about using templates →
Mapping Configuration
The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. To define these field mappings, the configuration below uses the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from AWS Compliance-Finding logs into OCSF fields - converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.
dict(
time=ts_str_to_epoch($.CreatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
status=case(
$.Workflow.Status == 'NEW' => 'New',
$.Workflow.Status == 'NOTIFIED' => 'In Progress',
$.Workflow.Status == 'SUPPRESSED' => 'Suppressed',
$.Workflow.Status == 'RESOLVED' => 'Resolved',
$.RecordState == 'ARCHIVED' => 'Archived',
_ => 'Other'
),
message=$.Description,
end_time=ts_str_to_epoch($.LastObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
metadata=dict(
uid=$.Id,
product=dict(
name=$.ProductName,
feature=dict(
name=$.GeneratorId
),
vendor_name=$.CompanyName
),
version="1.6.0",
logged_time=ts_str_to_epoch($.ProcessedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
log_provider=$.ProductArn,
original_time=$.CreatedAt,
processed_time=ts_str_to_epoch($.ProcessedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
),
raw_data=to_str($),
severity=case(
$.Severity.Label == "INFORMATIONAL" => 'Informational',
$.Severity.Label == "LOW" => 'Low',
$.Severity.Label == "MEDIUM" => 'Medium',
$.Severity.Label == "HIGH" => 'High',
$.Severity.Label == "CRITICAL" => 'Critical',
_ => 'Unknown'
),
type_uid=case(
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt == $.CreatedAt => 200301,
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt != $.CreatedAt => 200302,
$.Workflow.Status == "RESOLVED" or $.RecordState == "ARCHIVED" => 200303,
_ => 200399
),
unmapped=dict(
Region=$.Region,
AwsAccountId=$.AwsAccountId,
ProductFields=$.ProductFields,
SchemaVersion=$.SchemaVersion,
WorkflowState=$.WorkflowState,
FindingProviderFields=$.FindingProviderFields
),
class_uid=2003,
resources=arr_foreach($.Resources, resource, dict(
uid=resource.Id,
data=dict(
partition=resource.Partition
),
namespace=resource.Region
)
),
status_id=case(
$.Workflow.Status == "NEW" => 1,
$.Workflow.Status == "NOTIFIED" => 2,
$.Workflow.Status == "SUPPRESSED" => 3,
$.Workflow.Status == "RESOLVED" => 4,
$.RecordState == "ARCHIVED" => 5,
_ => 99
),
type_name=case(
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt == $.CreatedAt => 'Compliance Finding: Create',
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt != $.CreatedAt => 'Compliance Finding: Update',
$.Workflow.Status == "RESOLVED" or $.RecordState == "ARCHIVED" => 'Compliance Finding: Close',
_ => 'Compliance Finding: Other'
),
class_name='Compliance Finding',
compliance=dict(
status=case(
$.Compliance.Status == 'PASSED' => 'Pass',
$.Compliance.Status == 'WARNING' => 'Warning',
$.Compliance.Status == 'FAILED' => 'Fail',
$.Compliance.Status == 'NOT_AVAILABLE' => 'Unknown',
_ => 'Other'
),
control=$.Compliance.SecurityControlId,
status_id=case(
$.Compliance.Status == "PASSED" => 1,
$.Compliance.Status == "WARNING" => 2,
$.Compliance.Status == "FAILED" => 3,
$.Compliance.Status == "NOT_AVAILABLE" => 0,
_ => 99
),
requirements=$.Compliance.RelatedRequirements
),
confidence=case(
$.Compliance.Status == "PASSED" => 'High',
$.Compliance.Status == "FAILED" => 'Medium',
$.Compliance.Status == "WARNING" => 'Medium',
$.Compliance.Status == "NOT_AVAILABLE" => 'Unknown',
_ => 'Other'
),
start_time=ts_str_to_epoch($.FirstObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
activity_id=case(
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt == $.CreatedAt => 1,
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt != $.CreatedAt => 2,
$.Workflow.Status == "RESOLVED" or $.RecordState == "ARCHIVED" => 3,
_ => 99
),
remediation=dict(
desc=$.Remediation.Recommendation.Text,
references=array(
$.Remediation.Recommendation.Url
)
),
severity_id=case(
$.Severity.Label == "INFORMATIONAL" => 1,
$.Severity.Label == "LOW" => 2,
$.Severity.Label == "MEDIUM" => 3,
$.Severity.Label == "HIGH" => 4,
$.Severity.Label == "CRITICAL" => 5,
_ => 0
),
status_code=$.Compliance.Status,
category_uid=2,
finding_info=dict(
uid=$.Id,
desc=$.Description,
title=$.Title,
types=$.Types,
product=dict(
name=$.ProductName,
feature=dict(
name=$.GeneratorId
),
vendor_name=$.CompanyName
),
src_url=$.Remediation.Recommendation.Url,
created_time=ts_str_to_epoch($.CreatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
modified_time=ts_str_to_epoch($.UpdatedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
last_seen_time=ts_str_to_epoch($.LastObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"),
first_seen_time=ts_str_to_epoch($.FirstObservedAt, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
),
activity_name=case(
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt == $.CreatedAt => 'Create',
$.Workflow.Status == "NEW" and $.RecordState == "ACTIVE" and $.FirstObservedAt != $.CreatedAt => 'Update',
$.Workflow.Status == "RESOLVED" or $.RecordState == "ARCHIVED" => 'Close',
_ => 'Other'
),
category_name='Findings',
confidence_id=case(
$.Compliance.Status == "PASSED" => 3,
$.Compliance.Status == "FAILED" => 2,
$.Compliance.Status == "WARNING" => 2,
$.Compliance.Status == "NOT_AVAILABLE" => 0,
_ => 99
),
status_detail=$.Workflow.Status
)Template ID: 5793f9aa-e403-4145-af39-3e6017202939
Text Mapping: No
Ready to use this template?