Security Hub
vulnerability-findingAuto-generated mapping for AWS Security Hub Vulnerability Finding
Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services. Learn more about using templates →
Mapping Configuration
The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. To define these field mappings, the configuration below uses the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from AWS Vulnerability Finding logs into OCSF fields - converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.
dict(
time=ts_str_to_epoch($.LastObservedAt, 'yyyy-MM-dd\'T\'HH:mm:ss\'Z\''),
cloud=dict(
region=$.Region,
account=dict(
uid=$.AwsAccountId
),
provider='AWS'
),
status=$.Workflow.Status,
message=$.Description,
time_dt=$.LastObservedAt,
metadata=dict(
product=dict(
uid=$.ProductArn,
name=$.ProductName,
feature=dict(
uid=$.GeneratorId
),
vendor_name=$.CompanyName
),
version='1.1.0',
profiles=array('cloud', 'datetime'),
log_version=$.SchemaVersion,
processed_time_dt=$.ProcessedAt
),
resource=dict(
uid=$.Resources[0].Id,
data=$.Resources[0].Details,
type=$.Resources[0].Type,
labels=$.Resources[0].Tags,
region=$.Resources[0].Region,
cloud_partition=$.Resources[0].Partition
),
severity=$.Severity.Label,
type_uid=case(
$.CreatedAt == $.UpdatedAt => 200201,
_ => 200202
),
class_uid=2002,
type_name=case(
$.CreatedAt == $.UpdatedAt => 'Vulnerability Finding: Create',
_ => 'Vulnerability Finding: Update'
),
class_name='Vulnerability Finding',
activity_id=case(
$.CreatedAt == $.UpdatedAt => 1,
_ => 2
),
severity_id=case(
lower($.Severity.Label) == 'low' => 1,
lower($.Severity.Label) == 'medium' => 2,
lower($.Severity.Label) == 'high' => 3,
lower($.Severity.Label) == 'critical' => 4,
_ => 0
),
category_uid=2,
finding_info=dict(
uid=$.Id,
desc=$.Description,
title=$.Title,
types=$.Types,
related_events=arr_foreach($.RelatedFindings, finding, dict(
uid=finding.Id,
product_uid=finding.ProductArn
)
),
created_time_dt=$.CreatedAt,
modified_time_dt=$.UpdatedAt,
last_seen_time_dt=$.LastObservedAt,
first_seen_time_dt=$.FirstObservedAt
),
activity_name=case(
$.CreatedAt == $.UpdatedAt => 'Create',
_ => 'Update'
),
category_name='Findings',
vulnerabilities=arr_foreach($.Vulnerabilities, vuln, dict(
cve=dict(
uid=vuln.Id,
cvss=arr_foreach(vuln.Cvss, cvss, dict(
version=cvss.Version,
base_score=cvss.BaseScore,
vector_string=cvss.BaseVector
)
),
epss=dict(
score=vuln.EpssScore
),
references=array(
vuln.Vendor.Url
),
created_time_dt=vuln.Vendor.VendorCreatedAt,
modified_time_dt=vuln.Vendor.VendorUpdatedAt
),
references=vuln.ReferenceUrls,
vendor_name=vuln.Vendor.Name,
is_fix_available=case(
upper(vuln.FixAvailable) == 'YES' => true,
upper(vuln.FixAvailable) == 'NO' => false,
_ => null
),
affected_packages=arr_foreach(vuln.VulnerablePackages, pkg, dict(
name=pkg.Name,
epoch=pkg.Epoch,
release=pkg.Release,
version=pkg.Version,
remediation=dict(
desc=pkg.Remediation
),
architecture=pkg.Architecture,
package_manager=pkg.PackageManager,
fixed_in_version=pkg.FixedInVersion
)
),
is_exploit_available=case(
upper(vuln.ExploitAvailable) == 'YES' => true,
upper(vuln.ExploitAvailable) == 'NO' => false,
_ => null
),
related_vulnerabilities=vuln.RelatedVulnerabilities
)
)
)Template ID: 7100639e-3866-46db-8921-2e81555cc68e
Text Mapping: No
Ready to use this template?