Change log for AWS_SECURITY_HUB
| Date | Changes |
|---|---|
| 2026-02-05 | Enhancement:<br>- `event.idm.read_only_udm.metadata.product_version`: Newly mapped `finding.SchemaVersion` raw log field with `event.idm.read_only_udm.metadata.product_version` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `m.resources`, `m.account`, `m.source`, `m.detailType`, `m.region`, `m.time`, `m.version`, `finding.Id`, `finding.Action.AwsApiCallAction.CallerType`, `finding.Action.AwsApiCallAction.Api`, `finding.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode`, `finding.Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName`, `finding.Action.AwsApiCallAction.RemoteIpDetails.Organization.AsnOrg`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName`, `finding.ProductFields.aws/guardduty/service/additionalInfo/unusualBehavior/unusualUserAgentsUserIdentityProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserNamesAccountProfiling`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledASNsAccountProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserAgentsAccountProfiling`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledAPIsAccountProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/userAgent/fullUserAgent`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/frequentProfiledUserTypesAccountProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/unusualBehavior/unusualAPIsUserIdentityProfiling`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/rareProfiledASNsAccountProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/unusualBehavior/unusualASNsUserIdentityProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/unusualBehavior/isUnusualUserIdentity`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName`, `finding.ProductFields.aws/guardduty/service/additionalInfo/anomalies/anomalousAPIs`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledASNsAccountProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/unusualBehavior/unusualUserNamesAccountProfiling`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName`, `finding.ProductFields.aws/guardduty/service/action/awsApiCallAction/api`, `finding.ProductFields.aws/guardduty/service/additionalInfo/profiledBehavior/infrequentProfiledUserNamesAccountProfiling`, `finding.ProductFields.aws/guardduty/service/additionalInfo/userAgent/userAgentCategory`, `finding.Sample`, `finding.ProductFields.aws/securityhub/ProductName`, `finding.ProductFields.aws/securityhub/CompanyName`, and `m.resources` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.principal.user.company_name`: Newly mapped `finding.CompanyName` raw log field with `event.idm.read_only_udm.principal.user.company_name` UDM field.<br>- `event.idm.read_only_udm.principal.group.group_display_name`: Newly mapped `finding.AwsAccountName` raw log field with `event.idm.read_only_udm.principal.group.group_display_name` UDM field.<br>- `event.idm.read_only_udm.principal.asset.first_seen_time`: Newly mapped `finding.FirstObservedAt` raw log field with `event.idm.read_only_udm.principal.asset.first_seen_time` UDM field.<br>- `event.idm.read_only_udm.principal.location.name`: Newly mapped `finding.Region` raw log field with `event.idm.read_only_udm.principal.location.name` UDM field.<br>- `event.idm.read_only_udm.principal.location.region_coordinates.longitude`: Newly mapped `finding.Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lon` raw log field with `event.idm.read_only_udm.principal.location.region_coordinates.longitude` UDM field.<br>- `event.idm.read_only_udm.principal.location.region_coordinates.latitude`: Newly mapped `finding.Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lat` raw log field with `event.idm.read_only_udm.principal.location.region_coordinates.latitude` UDM field.<br>- `event.idm.read_only_udm.target.ip`: Newly mapped `PortProbeDetail.RemoteIpDetails.IpAddressV4`, `Resource.Details.AwsEc2Instance.IpV4Addresses` raw log field(s) with `event.idm.read_only_udm.target.ip` UDM field.<br>- `event.idm.read_only_udm.target.asset.ip`: Newly mapped `PortProbeDetail.RemoteIpDetails.IpAddressV4`, `Resource.Details.AwsEc2Instance.IpV4Addresses` raw log field(s) with `event.idm.read_only_udm.target.asset.ip` UDM field.<br>- `event.idm.read_only_udm.target.asset.attribute.cloud.vpc.id`: Newly mapped `Resource.Details.AwsEc2Instance.VpcId` raw log field with `event.idm.read_only_udm.target.asset.attribute.cloud.vpc.id` UDM field.<br>- `event.idm.read_only_udm.target.asset.attribute.creation_time`: Newly mapped `Resource.Details.AwsEc2Instance.LaunchedAt` raw log field with `event.idm.read_only_udm.target.asset.attribute.creation_time` UDM field.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `PortProbeDetail.RemoteIpDetails.GeoLocation.Lon`, `Resource.Details.AwsEc2Instance.IamInstanceProfileArn`, `Resource.Details.AwsEc2Instance.SubnetId`, `Resource.Details.AwsEc2Instance.ImageId`, `Resource.Details.AwsEc2Instance.Type`, `Resource.Partition`, `PortProbeDetail.RemoteIpDetails.GeoLocation.Lat`, `Resource.Tags.*`, `PortProbeDetail.RemoteIpDetails.City.CityName`, `PortProbeDetail.RemoteIpDetails.Country.CountryCode`, `PortProbeDetail.RemoteIpDetails.Country.CountryName`, `PortProbeDetail.RemoteIpDetails.Organization.Asn`, `PortProbeDetail.RemoteIpDetails.Organization.AsnOrg`, `PortProbeDetail.RemoteIpDetails.Organization.Isp`, `PortProbeDetail.RemoteIpDetails.Organization.Org`, `PortProbeDetail.LocalPortDetails.PortName`, `PortProbeDetail.LocalPortDetails.Port`, and `IpV4Address` (if grok fails) raw log field(s) with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.security_result.category_details`: Newly mapped `finding.Types` (at index 0) raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `finding.Action.PortProbeAction.Blocked`, `finding.Severity.Product`, `finding.Severity.Normalized`, `finding.ProcessedAt`, `finding.WorkflowState`, `finding.Workflow.Status`, `finding.RecordState`, `finding.GeneratorId`, `finding.LastObservedAt`, and `finding.ProductArn` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.security_result.url_back_to_product`: Newly mapped `finding.SourceUrl` raw log field with `event.idm.read_only_udm.security_result.url_back_to_product` UDM field.<br>- `event.idm.read_only_udm.security_result.last_updated_time`: Newly mapped `finding.UpdatedAt` raw log field with `event.idm.read_only_udm.security_result.last_updated_time` UDM field.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `finding.CreatedAt` raw log field with `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2026-01-15 | Enhancement:<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `resource.Details.AwsEc2Instance.MetadataOptions.HttpPutResponseHopLimit`, `resource.Details.AwsEc2Instance.MetadataOptions.HttpProtocolIpv6`, `resource.Details.AwsEc2Instance.MetadataOptions.HttpTokens`, `resource.Details.AwsEc2Instance.MetadataOptions.InstanceMetadataTags`, `resource.Details.AwsEc2Instance.MetadataOptions.HttpEndpoint`, `resource.Details.AwsEc2Instance.VirtualizationType`, `resource.Details.AwsEc2Instance.NetworkInterfaces.NetworkInterfaceId`, `resource.Details.AwsEc2Instance.ImageId`, `resource.Details.AwsEc2Instance.SubnetId`, `resource.Details.AwsEc2Instance.IamInstanceProfileArn` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `resource.Tags.aws:autoscaling:groupName`, `resource.Tags.aws:ec2:fleet-id`, `resource.Tags.Attributes`, `resource.Tags.Environment`, `resource.Tags.Stage`, `resource.Tags.aws:ec2launchtemplate:version`, `resource.Tags.AmazonECSManaged`, `resource.Tags.Namespace`, `resource.Tags.aws:ec2launchtemplate:id`, `resource.Tags.Name` raw log field(s) with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- `event.idm.read_only_udm.target.asset.attribute.creation_time`: Newly mapped `resource.Details.AwsEc2Instance.LaunchedAt` raw log field(s) with `event.idm.read_only_udm.target.asset.attribute.creation_time` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `m.Workflow.Status` raw log field(s) with `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.network.http.referral_url`: Newly mapped `m.Remediation.Recommendation.Url` raw log field(s) with `event.idm.read_only_udm.network.http.referral_url` UDM field. |
| 2025-11-26 | Enhancement:<br>- Enhanced parsing for the `Resources` array to extract detailed attributes from `Details` and `Tags` into UDM fields, primarily within `target.resource.attribute.labels`.<br>- `event.idm.read_only_udm.target.resource.name`: Newly mapped `resource.Details.AwsEksCluster.Name` raw log field to `event.idm.read_only_udm.target.resource.name`.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/sourceIPs.0_` raw log field to `event.idm.read_only_udm.principal.ip`.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/sourceIPs.0_` raw log field to `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/country/countryName` raw log field to `event.idm.read_only_udm.principal.location.country_or_region`.<br>- `event.idm.read_only_udm.principal.location.region_longitude`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/geoLocation/lon` raw log field to `event.idm.read_only_udm.principal.location.region_longitude`.<br>- `event.idm.read_only_udm.principal.location.city`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/city/cityName` raw log field to `event.idm.read_only_udm.principal.location.city`.<br>- `event.idm.read_only_udm.network.http.response_code`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/statusCode` raw log field to `event.idm.read_only_udm.network.http.response_code`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `resource.Id`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/username`, `resource.Details.AwsEksCluster.ClusterStatus`, `resource.Details.AwsEksCluster.Arn`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/groups.0_`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/sessionName.0_`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/uid`, `resource.Tags.pulumi_Stack`, `resource.Tags.wiz_outpost_id`, `resource.Tags.wiz`, `resource.Tags.Owner` raw log fields to `event.idm.read_only_udm.target.resource.attribute.labels`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/organization/isp`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/organization/asn`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/geoLocation/lat`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/resourceName`, `m.ProductFields.aws/guardduty/service/action/kubernetesRoleBindingDetails/roleRefKind`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/resource`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/userAgent`, `m.ProductFields.aws/guardduty/service/action/kubernetesRoleBindingDetails/roleRefName`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/verb`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/requestUri`, `m.ProductFields.aws/guardduty/service/action/kubernetesRoleBindingDetails/uid` raw log fields to `event.idm.read_only_udm.additional.fields`. |
| 2025-09-30 | Enhancement:<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `Sample` (key "Sample") and `ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp` (key "ISP") raw log fields to `event.idm.read_only_udm.additional.fields`.<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `CreatedAt` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`.<br>- `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped `ProductName` raw log field to `event.idm.read_only_udm.metadata.product_event_type`.<br>- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `ProductFields.ResourceOwnerAccount` (key "ResourceOwnerAccount") and `ProductFields.aws/guardduty/service/resourceRole` (key "GuardDutyResourceRole") raw log fields to `event.idm.read_only_udm.target.resource.attribute.labels`.<br>- `event.idm.read_only_udm.metadata.product_version`: Newly mapped `SchemaVersion` raw log field to `event.idm.read_only_udm.metadata.product_version`.<br>- `event.idm.read_only_udm.target.resource.resource_subtype`: Newly mapped `resource.Type` raw log field to `event.idm.read_only_udm.target.resource.resource_subtype`.<br>- `event.idm.read_only_udm.src.group.product_object_id`: Newly mapped `resource.Details.Other.External Principal` raw log field to `event.idm.read_only_udm.src.group.product_object_id`.<br>- `event.idm.read_only_udm.src.user.company_name`: Newly mapped `resource.Details.Other.External Principal Type` raw log field to `event.idm.read_only_udm.src.user.company_name`.<br>- `event.idm.read_only_udm.target.application`: Newly mapped `Action.AwsApiCallAction.ServiceName` raw log field to `event.idm.read_only_udm.target.application`.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4` raw log field to `event.idm.read_only_udm.principal.ip`.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4` raw log field to `event.idm.read_only_udm.principal.asset.ip`.<br>- `event.idm.read_only_udm.principal.group.group_display_name`: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Organization.Org` raw log field to `event.idm.read_only_udm.principal.group.group_display_name`.<br>- `event.idm.read_only_udm.principal.resource.attribute.labels`: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Organization.AsnOrg` (key "AsnOrg"), `Action.AwsApiCallAction.RemoteIpDetails.Organization.Asn` (key "Organization_Asn"), `Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode` (key "CountryCode"), `Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lat` (key "GeoLocationLatitude"), `Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lon` (key "GeoLocationLongitude"), and `Resources.0.Details.AwsIamAccessKey.PrincipalType` (key "PrincipalType") raw log fields to `event.idm.read_only_udm.principal.resource.attribute.labels`.<br>- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName` raw log field to `event.idm.read_only_udm.principal.location.country_or_region`.<br>- `event.idm.read_only_udm.principal.location.city`: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.City.CityName` raw log field to `event.idm.read_only_udm.principal.location.city`.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `Resources.0.Details.AwsIamAccessKey.PrincipalId` raw log field to `event.idm.read_only_udm.principal.user.userid`.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: Newly mapped `Resources.0.Details.AwsIamAccessKey.PrincipalName` raw log field to `event.idm.read_only_udm.principal.user.user_display_name`.<br>- `event.idm.read_only_udm.principal.asset.first_seen_time`: Newly mapped `FirstObservedAt` raw log field to `event.idm.read_only_udm.principal.asset.first_seen_time`.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped `WorkflowState` (key "Workflow_State"), `ProcessedAt` (key "ProcessedAt"), `GeneratorId` (key "GeneratorId"), `resource.Details.Other.Condition` (key "Condition"), `resource.Details.Other.Resource Control Policy Restriction Type` (key "Resource Control Policy Restriction Type"), `Action.AwsApiCallAction.Api` (key "ActionApi"), `Action.AwsApiCallAction.CallerType` (key "CallerType"), `Resources.0.Type` (key "ResourceType"), `FindingProviderFields.Severity.Product` (key "ProductSeverity"), `ProductFields.aws/securityhub/FindingId` (key "SecurityHubFindingId"), `LastObservedAt` (key "LastObservedAt"), `ProductFields.aws/guardduty/service/archived` (key "GuardDutyArchived"), `ProductFields.aws/guardduty/service/additionalInfo/value` (key "GuardDutyAdditionalInfo"), `ProductFields.aws/guardduty/service/featureName` (key "GuardDutyFeatureName"), `ProductFields.aws/guardduty/service/count` (key "GuardDutyEventCount"), `ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources` (key "AffectedResources"), `ProductFields.aws/guardduty/service/additionalInfo/type` (key "GuardDutyAdditionalInfoType"), `ProductFields.aws/guardduty/service/eventFirstSeen` (key "ProductEventFirstSeen"), and `ProductFields.aws/guardduty/service/eventLastSeen` (key "ProductEventLastSeen") raw log fields to `event.idm.read_only_udm.security_result.detection_fields`.<br>- `event.idm.read_only_udm.security_result.category_details`: Newly mapped `Types` raw log field to `event.idm.read_only_udm.security_result.category_details`.<br>- `event.idm.read_only_udm.security_result.last_updated_time`: Newly mapped `UpdatedAt` raw log field to `event.idm.read_only_udm.security_result.last_updated_time`.<br>- `event.idm.read_only_udm.security_result.url_back_to_product`: Newly mapped `SourceUrl` raw log field to `event.idm.read_only_udm.security_result.url_back_to_product`.<br>- `event.idm.read_only_udm.security_result.action_details`: Newly mapped `resource.Details.Other.Action Granted` and `Action.ActionType` raw log fields to `event.idm.read_only_udm.security_result.action_details`.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped `FindingProviderFields.Severity.Label` raw log field to `event.idm.read_only_udm.security_result.severity`.<br>- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `FindingProviderFields.Severity.Normalized` raw log field to `event.idm.read_only_udm.security_result.severity_details`. |
| 2025-02-18 | Enhancement:<br>- Added support for a new array-of-JSON log format. |
| 2025-01-20 | Enhancement - Added support for a new log format. |
| 2025-01-16 | Enhancement - Added support for a new JSON log format. |
| 2023-06-20 | Enhancement - Modified "metadata.event_type" from "GENERIC_EVENT" to "USER_RESOURCE_ACCESS". |
| 2023-03-24 | Enhancement - when "detail.findings.0.Resources.0.Type" == "AwsEcsTaskDefinition":<br>- Mapped "target.resource.resource_type" to "TASK".<br>- Mapped "event_type" to "USER_RESOURCE_ACCESS".<br>- Mapped "detail.findings.0.ProductFields.Resources:0/Id" to "principal.asset_id".<br>- Parsed all other failing logs as GENERIC_EVENT, as STATUS_UPDATE was not a good parsing option for them. |
| 2022-08-22 | Enhancement -<br>- Updated vendor_name from "AWS SECURITY HUB" to "AMAZON".<br>- Updated product_name from "AWS SECURITY HUB" to "AWS Security Hub".<br>- Parsed the new JSON format logs containing "configurationItem" or "configurationItems".<br>- Handled the logs that were ingested as an import file by separating them out with a for loop and parsing each one as an individual event. |
| 2022-07-01 | Newly Created Parser. |