Security Hub
Tag: compliance-findings
Maps AWS Security Hub findings (ASFF) to the OCSF Security Finding class (class_uid 2001), transforming security alerts, process details, vulnerability data and resource information into standardized OCSF fields, with the activity (Create vs. Update) derived from the finding's create and update timestamps.
Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services. Learn more about using templates →
Mapping Configuration
The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. The configuration below defines the field mappings in the Fleak Eval Expression Language (FEEL). It specifies how to turn an AWS Security Hub finding (ASFF JSON) into OCSF fields: converting timestamps to epoch milliseconds, restructuring nested data, and applying conditional logic (`case`) to determine field values such as the activity.
dict(
  time=ts_str_to_epoch($.LastObservedAt, 'yyyy-MM-dd\'T\'HH:mm:ss.SSS\'Z\''),
  cloud=dict(
    region=$.Region,
    account=dict(
      uid=$.AwsAccountId
    ),
    provider='AWS'
  ),
  process=dict(
    pid=$.Process.Pid,
    file=dict(
      path=$.Process.Path
    ),
    name=$.Process.Name,
    created_time=$.Process.LaunchedAt,
    parent_process=dict(
      pid=$.Process.ParentPid
    ),
    terminated_time=$.Process.TerminatedAt
  ),
  metadata=dict(
    product=dict(
      uid=$.ProductArn,
      name=$.ProductName,
      feature=dict(
        uid=$.GeneratorId
      ),
      vendor_name=$.CompanyName
    ),
    version=$.SchemaVersion,
    profiles=array('cloud')
  ),
  severity=$.Severity.Label,
  type_uid=case(
    $.CreatedAt == $.UpdatedAt => 200101,
    _ => 200102
  ),
  class_uid=2001,
  resources=arr_foreach($.Resources, resource, dict(
    uid=resource.Id,
    type=resource.Type,
    labels=resource.Tags,
    region=resource.Region,
    cloud_partition=resource.Partition
  )),
  type_name=case(
    $.CreatedAt == $.UpdatedAt => 'Security Finding: Create',
    _ => 'Security Finding: Update'
  ),
  class_name='Security Finding',
  activity_id=case(
    $.CreatedAt == $.UpdatedAt => 1,
    _ => 2
  ),
  remediation=dict(
    desc=$.Remediation.Recommendation.Text,
    kb_articles=array(
      $.Remediation.Recommendation.Url
    )
  ),
  category_uid=2,
  finding_info=dict(
    uid=$.Id,
    desc=$.Description,
    title=$.Title,
    types=$.Types,
    created_time=$.CreatedAt,
    modified_time=$.UpdatedAt,
    last_seen_time=$.LastObservedAt,
    first_seen_time=$.FirstObservedAt
  ),
  activity_name=case(
    $.CreatedAt == $.UpdatedAt => 'Create',
    _ => 'Update'
  ),
  category_name='Findings'
)

A few points to check before relying on this mapping:

Activity. Create vs. Update is inferred by comparing CreatedAt with UpdatedAt. Security Hub rewrites UpdatedAt each time a finding is re-evaluated, so only the very first observation of a finding maps to activity_id 1 / type_uid 200101; every later copy maps to activity_id 2 / type_uid 200102. The three case() expressions must stay in agreement: type_uid is always class_uid * 100 + activity_id.

Timestamps. Only `time` is converted with ts_str_to_epoch; the other timestamp fields (finding_info.created_time, modified_time, first_seen_time, last_seen_time and the process times) are passed through as ISO 8601 strings, whereas OCSF defines them as timestamp_t (milliseconds since the Unix epoch). If your consumer validates field types, apply the same conversion to those fields. The format string must match the input exactly, including the millisecond component.

Severity. Only the severity label string is mapped; severity_id (the OCSF enum) is not populated. Consumers that key on severity_id need to derive it from Severity.Label or Severity.Normalized.

Schema version. Security Finding (2001) has been deprecated since OCSF 1.1.0 in favour of the per-type finding classes such as Compliance Finding (2003) and Detection Finding (2004); this template still targets 2001, which older consumers and schema versions accept.
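To make the mapping logic above testable outside the platform, here is a Python re-implementation of the same transform (an added example, not Fleak's code or the FEEL engine). It mirrors the template field-for-field, including the CreatedAt/UpdatedAt activity rule and the type_uid arithmetic, and runs over a constructed ASFF finding; the ARNs, account ID and control name in the sample are made up. The timestamp helper goes one step beyond the template's pattern by also accepting timestamps without a millisecond part.

```python
"""Reference re-implementation of the Security Hub -> OCSF 2001 mapping (Python, not FEEL).
Added example; SAMPLE_FINDING is a constructed ASFF record, not real Security Hub output."""
from datetime import datetime, timezone

CLASS_UID = 2001                      # OCSF Security Finding
ACTIVITY_NAMES = {1: "Create", 2: "Update"}

# Constructed finding: CreatedAt == UpdatedAt, i.e. a first observation -> activity "Create".
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08", "AwsAccountId": "123456789012", "Region": "us-east-1",
    "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/0001",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "ProductName": "Security Hub", "CompanyName": "AWS", "GeneratorId": "example-control-1",
    "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
    "CreatedAt": "2024-01-15T10:00:00.000Z", "UpdatedAt": "2024-01-15T10:00:00.000Z",
    "FirstObservedAt": "2024-01-15T10:00:00.000Z", "LastObservedAt": "2024-01-15T10:30:00.123Z",
    "Severity": {"Label": "HIGH", "Normalized": 70},
    "Title": "Example control failed", "Description": "Constructed finding for the mapping test.",
    "Remediation": {"Recommendation": {"Text": "Fix it.", "Url": "https://example.com/fix"}},
    "Resources": [{"Id": "arn:aws:s3:::example-bucket", "Type": "AwsS3Bucket",
                   "Partition": "aws", "Region": "us-east-1", "Tags": {"env": "prod"}}],
}


def ts_str_to_epoch(ts):
    """ISO 8601 'Z' string -> epoch milliseconds (OCSF timestamp_t).
    The template's FEEL pattern only accepts the .SSS form; this also accepts no fraction."""
    if ts is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            dt = datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return int(dt.timestamp()) * 1000 + dt.microsecond // 1000   # integer math, no float drift
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def _get(obj, *path):
    """Null-safe nested lookup, like a FEEL $.a.b path on a missing key."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def map_finding(f):
    """Build the OCSF Security Finding event exactly as the template's dict() does."""
    activity_id = 1 if f.get("CreatedAt") == f.get("UpdatedAt") else 2
    activity_name = ACTIVITY_NAMES[activity_id]
    return {
        "class_uid": CLASS_UID, "class_name": "Security Finding",
        "category_uid": 2, "category_name": "Findings",
        "activity_id": activity_id, "activity_name": activity_name,
        "type_uid": CLASS_UID * 100 + activity_id,          # 200101 (Create) / 200102 (Update)
        "type_name": f"Security Finding: {activity_name}",
        "time": ts_str_to_epoch(f.get("LastObservedAt")),
        "severity": _get(f, "Severity", "Label"),           # severity_id is not set by the template
        "cloud": {"provider": "AWS", "region": f.get("Region"),
                  "account": {"uid": f.get("AwsAccountId")}},
        "metadata": {"version": f.get("SchemaVersion"), "profiles": ["cloud"],
                     "product": {"uid": f.get("ProductArn"), "name": f.get("ProductName"),
                                 "vendor_name": f.get("CompanyName"),
                                 "feature": {"uid": f.get("GeneratorId")}}},
        "process": {"pid": _get(f, "Process", "Pid"), "name": _get(f, "Process", "Name"),
                    "file": {"path": _get(f, "Process", "Path")},
                    "parent_process": {"pid": _get(f, "Process", "ParentPid")},
                    "created_time": _get(f, "Process", "LaunchedAt"),
                    "terminated_time": _get(f, "Process", "TerminatedAt")},
        # Passed through as ISO strings, as the template does (OCSF expects epoch ms here).
        "finding_info": {"uid": f.get("Id"), "title": f.get("Title"), "desc": f.get("Description"),
                         "types": f.get("Types"), "created_time": f.get("CreatedAt"),
                         "modified_time": f.get("UpdatedAt"),
                         "first_seen_time": f.get("FirstObservedAt"),
                         "last_seen_time": f.get("LastObservedAt")},
        "remediation": {"desc": _get(f, "Remediation", "Recommendation", "Text"),
                        "kb_articles": [_get(f, "Remediation", "Recommendation", "Url")]},
        "resources": [{"uid": r.get("Id"), "type": r.get("Type"), "labels": r.get("Tags"),
                       "region": r.get("Region"), "cloud_partition": r.get("Partition")}
                      for r in f.get("Resources") or []],
    }


def activity_consistent(event):
    """Consumer-side sanity check: type_uid must equal class_uid * 100 + activity_id."""
    return event["type_uid"] == event["class_uid"] * 100 + event["activity_id"]


if __name__ == "__main__":
    import json
    print(json.dumps(map_finding(SAMPLE_FINDING), indent=2))
```

Feed it a finding whose UpdatedAt differs from CreatedAt and the output flips to activity_id 2 / type_uid 200102, which is what any re-evaluated Security Hub finding will produce; the `activity_consistent` check is a cheap assertion to keep in a pipeline test so the three case() branches in the template cannot drift apart.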
Template ID: 73c10f53-84b9-4e40-9153-33bf02797b7d
Text Mapping: No