Change log for AWS_SECURITY_HUB
| Date | Changes |
|---|---|
| 2025-09-30 | Enhancement:<br>- Newly mapped `Sample` (key "Sample") and `ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp` (key "ISP") raw log fields to event.idm.read_only_udm.additional.fields.<br>- Newly mapped `CreatedAt` raw log field to event.idm.read_only_udm.metadata.event_timestamp.<br>- Newly mapped `ProductName` raw log field to event.idm.read_only_udm.metadata.product_event_type.<br>- Newly mapped `ProductFields.ResourceOwnerAccount` (key "ResourceOwnerAccount") and `ProductFields.aws/guardduty/service/resourceRole` (key "GuardDutyResourceRole") raw log fields to event.idm.read_only_udm.target.resource.attribute.labels.<br>- Newly mapped `SchemaVersion` raw log field to event.idm.read_only_udm.metadata.product_version.<br>- Newly mapped `resource.Type` raw log field to event.idm.read_only_udm.target.resource.resource_subtype.<br>- Newly mapped `resource.Details.Other.External Principal` raw log field to event.idm.read_only_udm.src.group.product_object_id.<br>- Newly mapped `resource.Details.Other.External Principal Type` raw log field to event.idm.read_only_udm.src.user.company_name.<br>- Newly mapped `Action.AwsApiCallAction.ServiceName` raw log field to event.idm.read_only_udm.target.application.<br>- Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4` raw log field to event.idm.read_only_udm.principal.ip.<br>- Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4` raw log field to event.idm.read_only_udm.principal.asset.ip.<br>- Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Organization.Org` raw log field to event.idm.read_only_udm.principal.group.group_display_name.<br>- Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Organization.AsnOrg` (key "AsnOrg"), `Action.AwsApiCallAction.RemoteIpDetails.Organization.Asn` (key "Organization_Asn"), `Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode` (key "CountryCode"), `Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lat` (key "GeoLocationLatitude"), `Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lon` (key "GeoLocationLongitude"), and `Resources.0.Details.AwsIamAccessKey.PrincipalType` (key "PrincipalType") raw log fields to event.idm.read_only_udm.principal.resource.attribute.labels.<br>- Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName` raw log field to event.idm.read_only_udm.principal.location.country_or_region.<br>- Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.City.CityName` raw log field to event.idm.read_only_udm.principal.location.city.<br>- Newly mapped `Resources.0.Details.AwsIamAccessKey.PrincipalId` raw log field to event.idm.read_only_udm.principal.user.userid.<br>- Newly mapped `Resources.0.Details.AwsIamAccessKey.PrincipalName` raw log field to event.idm.read_only_udm.principal.user.user_display_name.<br>- Newly mapped `FirstObservedAt` raw log field to event.idm.read_only_udm.principal.asset.first_seen_time.<br>- Newly mapped `WorkflowState` (key "Workflow_State"), `ProcessedAt` (key "ProcessedAt"), `GeneratorId` (key "GeneratorId"), `resource.Details.Other.Condition` (key "Condition"), `resource.Details.Other.Resource Control Policy Restriction Type` (key "Resource Control Policy Restriction Type"), `Action.AwsApiCallAction.Api` (key "ActionApi"), `Action.AwsApiCallAction.CallerType` (key "CallerType"), `Resources.0.Type` (key "ResourceType"), `FindingProviderFields.Severity.Product` (key "ProductSeverity"), `ProductFields.aws/securityhub/FindingId` (key "SecurityHubFindingId"), `LastObservedAt` (key "LastObservedAt"), `ProductFields.aws/guardduty/service/archived` (key "GuardDutyArchived"), `ProductFields.aws/guardduty/service/additionalInfo/value` (key "GuardDutyAdditionalInfo"), `ProductFields.aws/guardduty/service/featureName` (key "GuardDutyFeatureName"), `ProductFields.aws/guardduty/service/count` (key "GuardDutyEventCount"), `ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources` (key "AffectedResources"), `ProductFields.aws/guardduty/service/additionalInfo/type` (key "GuardDutyAdditionalInfoType"), `ProductFields.aws/guardduty/service/eventFirstSeen` (key "ProductEventFirstSeen"), and `ProductFields.aws/guardduty/service/eventLastSeen` (key "ProductEventLastSeen") raw log fields to event.idm.read_only_udm.security_result.detection_fields.<br>- Newly mapped `Types` raw log field to event.idm.read_only_udm.security_result.category_details.<br>- Newly mapped `UpdatedAt` raw log field to event.idm.read_only_udm.security_result.last_updated_time.<br>- Newly mapped `SourceUrl` raw log field to event.idm.read_only_udm.security_result.url_back_to_product.<br>- Newly mapped `resource.Details.Other.Action Granted` and `Action.ActionType` raw log fields to event.idm.read_only_udm.security_result.action_details.<br>- Newly mapped `FindingProviderFields.Severity.Label` raw log field to event.idm.read_only_udm.security_result.severity.<br>- Newly mapped `FindingProviderFields.Severity.Normalized` raw log field to event.idm.read_only_udm.security_result.severity_details. |
| 2025-02-18 | Enhancement:<br>- Added support for a new JSON array log format. |
| 2025-01-20 | Enhancement - Added support for a new log format. |
| 2025-01-16 | Enhancement - Added support for a new JSON log format. |
| 2023-06-20 | Enhancement - Changed "metadata.event_type" from "GENERIC_EVENT" to "USER_RESOURCE_ACCESS". |
| 2023-03-24 | Enhancement - When "detail.findings.0.Resources.0.Type" == "AwsEcsTaskDefinition":<br>- Mapped "target.resource.resource_type" to "TASK".<br>- Mapped "event_type" to "USER_RESOURCE_ACCESS".<br>- Mapped "detail.findings.0.ProductFields.Resources:0/Id" to "principal.asset_id".<br>- Parsed all other previously failing logs as GENERIC_EVENT, since STATUS_UPDATE was not a suitable event type for them. |
| 2022-08-22 | Enhancement:<br>- Updated vendor_name from "AWS SECURITY HUB" to "AMAZON".<br>- Updated product_name from "AWS SECURITY HUB" to "AWS Security Hub".<br>- Parsed the new JSON format logs containing "configurationItem" or "configurationItems".<br>- Handled logs ingested as an import file by iterating over the array with a for loop and parsing each entry as an individual event. |
| 2022-07-01 | Newly created parser. |
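Worked example, added here and not the parser's own code: it applies a subset of the 2025-09-30 mappings to a constructed ASFF finding, resolving the dotted raw-log paths listed above (numeric tokens index arrays, and keys containing slashes or spaces are single tokens) and accepting either a single finding or the JSON array format noted in the 2025-02-18 and 2022-08-22 entries. The sample finding, `FIELD_MAP`, `LABEL_MAP`, `get_path` and `to_udm` are all assumptions for illustration.

```python
"""Added example (not the parser's own code): apply part of the change-log
field mapping to a constructed Security Hub (ASFF) finding."""

# Constructed sample finding; only the fields the mapping needs are present.
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08", "ProductName": "GuardDuty",
    "CreatedAt": "2025-09-30T10:00:00Z", "Types": ["TTPs/Discovery"],
    "FindingProviderFields": {"Severity": {"Label": "HIGH", "Normalized": 70}},
    "Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
        "Api": "ListBuckets", "ServiceName": "s3.amazonaws.com",
        "RemoteIpDetails": {"IpAddressV4": "203.0.113.10",
                            "Country": {"CountryCode": "ZZ", "CountryName": "Example"}}}},
    "Resources": [{"Type": "AwsIamAccessKey", "Details": {"AwsIamAccessKey": {
        "PrincipalId": "AIDAEXAMPLE", "PrincipalType": "IAMUser"}}}],
}

# UDM path -> raw log path (subset of the 2025-09-30 mappings; one raw field
# may feed several UDM fields, e.g. IpAddressV4 into principal.ip and principal.asset.ip).
FIELD_MAP = {
    "principal.ip": "Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4",
    "principal.asset.ip": "Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4",
    "principal.user.userid": "Resources.0.Details.AwsIamAccessKey.PrincipalId",
    "principal.location.country_or_region": "Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName",
    "security_result.severity": "FindingProviderFields.Severity.Label",
    "security_result.category_details": "Types",
}
# Raw log path -> label key stored in principal.resource.attribute.labels.
LABEL_MAP = {
    "Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode": "CountryCode",
    "Resources.0.Details.AwsIamAccessKey.PrincipalType": "PrincipalType",
}

def get_path(obj, dotted):
    """Walk a dotted path; numeric tokens index lists. Returns None if any step is missing."""
    for tok in dotted.split("."):
        if isinstance(obj, list) and tok.isdigit() and int(tok) < len(obj):
            obj = obj[int(tok)]
        elif isinstance(obj, dict) and tok in obj:
            obj = obj[tok]
        else:
            return None
    return obj

def to_udm(raw):
    """Accept one finding or a JSON array of findings and return one flat UDM
    dict per finding; raw fields absent from the finding are simply skipped."""
    events = []
    for f in (raw if isinstance(raw, list) else [raw]):
        udm = {u: get_path(f, r) for u, r in FIELD_MAP.items() if get_path(f, r) is not None}
        labels = [{"key": k, "value": get_path(f, r)} for r, k in LABEL_MAP.items()
                  if get_path(f, r) is not None]
        if labels:
            udm["principal.resource.attribute.labels"] = labels
        events.append(udm)
    return events
```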