Change log for AWS_SECURITY_HUB

Date Changes
2026-01-15 Enhancement:
- `event.idm.read_only_udm.additional.fields`: Newly mapped the `resource.Details.AwsEc2Instance.MetadataOptions.HttpPutResponseHopLimit`, `resource.Details.AwsEc2Instance.MetadataOptions.HttpProtocolIpv6`, `resource.Details.AwsEc2Instance.MetadataOptions.HttpTokens`, `resource.Details.AwsEc2Instance.MetadataOptions.InstanceMetadataTags`, `resource.Details.AwsEc2Instance.MetadataOptions.HttpEndpoint`, `resource.Details.AwsEc2Instance.VirtualizationType`, `resource.Details.AwsEc2Instance.NetworkInterfaces.NetworkInterfaceId`, `resource.Details.AwsEc2Instance.ImageId`, `resource.Details.AwsEc2Instance.SubnetId` and `resource.Details.AwsEc2Instance.IamInstanceProfileArn` raw log fields to `event.idm.read_only_udm.additional.fields`.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped the `resource.Tags.aws:autoscaling:groupName`, `resource.Tags.aws:ec2:fleet-id`, `resource.Tags.Attributes`, `resource.Tags.Environment`, `resource.Tags.Stage`, `resource.Tags.aws:ec2launchtemplate:version`, `resource.Tags.AmazonECSManaged`, `resource.Tags.Namespace`, `resource.Tags.aws:ec2launchtemplate:id` and `resource.Tags.Name` raw log fields to `event.idm.read_only_udm.target.resource.attribute.labels`.
- `event.idm.read_only_udm.target.asset.attribute.creation_time`: Newly mapped the `resource.Details.AwsEc2Instance.LaunchedAt` raw log field to `event.idm.read_only_udm.target.asset.attribute.creation_time`.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `m.Workflow.Status` raw log field to `event.idm.read_only_udm.security_result.detection_fields`.
- `event.idm.read_only_udm.network.http.referral_url`: Newly mapped the `m.Remediation.Recommendation.Url` raw log field to `event.idm.read_only_udm.network.http.referral_url`.
2025-11-26 Enhancement:
- Enhanced parsing for the `Resources` array to extract detailed attributes from `Details` and `Tags` into UDM fields, primarily within `target.resource.attribute.labels`.
- `event.idm.read_only_udm.target.resource.name`: Newly mapped `resource.Details.AwsEksCluster.Name` raw log field to `event.idm.read_only_udm.target.resource.name`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/sourceIPs.0_` raw log field to `event.idm.read_only_udm.principal.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/sourceIPs.0_` raw log field to `event.idm.read_only_udm.principal.asset.ip`.
- `event.idm.read_only_udm.principal.location.country_or_region`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/country/countryName` raw log field to `event.idm.read_only_udm.principal.location.country_or_region`.
- `event.idm.read_only_udm.principal.location.region_longitude`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/geoLocation/lon` raw log field to `event.idm.read_only_udm.principal.location.region_longitude`.
- `event.idm.read_only_udm.principal.location.city`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/city/cityName` raw log field to `event.idm.read_only_udm.principal.location.city`.
- `event.idm.read_only_udm.network.http.response_code`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/statusCode` raw log field to `event.idm.read_only_udm.network.http.response_code`.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `resource.Id`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/username`, `resource.Details.AwsEksCluster.ClusterStatus`, `resource.Details.AwsEksCluster.Arn`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/groups.0_`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/sessionName.0_`, `resource.Details.Other.kubernetesDetails/kubernetesUserDetails/uid`, `resource.Tags.pulumi_Stack`, `resource.Tags.wiz_outpost_id`, `resource.Tags.wiz`, `resource.Tags.Owner` raw log fields to `event.idm.read_only_udm.target.resource.attribute.labels`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/organization/isp`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/organization/asn`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/remoteIpDetails/geoLocation/lat`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/resourceName`, `m.ProductFields.aws/guardduty/service/action/kubernetesRoleBindingDetails/roleRefKind`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/resource`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/userAgent`, `m.ProductFields.aws/guardduty/service/action/kubernetesRoleBindingDetails/roleRefName`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/verb`, `m.ProductFields.aws/guardduty/service/action/kubernetesApiCallAction/requestUri`, `m.ProductFields.aws/guardduty/service/action/kubernetesRoleBindingDetails/uid` raw log fields to `event.idm.read_only_udm.additional.fields`.
2025-09-30 Enhancement:
- event.idm.read_only_udm.additional.fields: Newly mapped `Sample` (key "Sample") and `ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp` (key "ISP") raw log fields to event.idm.read_only_udm.additional.fields.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `CreatedAt` raw log field to event.idm.read_only_udm.metadata.event_timestamp.
- event.idm.read_only_udm.metadata.product_event_type: Newly mapped `ProductName` raw log field to event.idm.read_only_udm.metadata.product_event_type.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `ProductFields.ResourceOwnerAccount` (key "ResourceOwnerAccount") and `ProductFields.aws/guardduty/service/resourceRole` (key "GuardDutyResourceRole") raw log fields to event.idm.read_only_udm.target.resource.attribute.labels.
- event.idm.read_only_udm.metadata.product_version: Newly mapped `SchemaVersion` raw log field to event.idm.read_only_udm.metadata.product_version.
- event.idm.read_only_udm.target.resource.resource_subtype: Newly mapped `resource.Type` raw log field to event.idm.read_only_udm.target.resource.resource_subtype.
- event.idm.read_only_udm.src.group.product_object_id: Newly mapped `resource.Details.Other.External Principal` raw log field to event.idm.read_only_udm.src.group.product_object_id.
- event.idm.read_only_udm.src.user.company_name: Newly mapped `resource.Details.Other.External Principal Type` raw log field to event.idm.read_only_udm.src.user.company_name.
- event.idm.read_only_udm.target.application: Newly mapped `Action.AwsApiCallAction.ServiceName` raw log field to event.idm.read_only_udm.target.application.
- event.idm.read_only_udm.principal.ip: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4` raw log field to event.idm.read_only_udm.principal.ip.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.IpAddressV4` raw log field to event.idm.read_only_udm.principal.asset.ip.
- event.idm.read_only_udm.principal.group.group_display_name: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Organization.Org` raw log field to event.idm.read_only_udm.principal.group.group_display_name.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Organization.AsnOrg` (key "AsnOrg"), `Action.AwsApiCallAction.RemoteIpDetails.Organization.Asn` (key "Organization_Asn"), `Action.AwsApiCallAction.RemoteIpDetails.Country.CountryCode` (key "CountryCode"), `Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lat` (key "GeoLocationLatitude"), `Action.AwsApiCallAction.RemoteIpDetails.GeoLocation.Lon` (key "GeoLocationLongitude"), and `Resources.0.Details.AwsIamAccessKey.PrincipalType` (key "PrincipalType") raw log fields to event.idm.read_only_udm.principal.resource.attribute.labels.
- event.idm.read_only_udm.principal.location.country_or_region: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.Country.CountryName` raw log field to event.idm.read_only_udm.principal.location.country_or_region.
- event.idm.read_only_udm.principal.location.city: Newly mapped `Action.AwsApiCallAction.RemoteIpDetails.City.CityName` raw log field to event.idm.read_only_udm.principal.location.city.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `Resources.0.Details.AwsIamAccessKey.PrincipalId` raw log field to event.idm.read_only_udm.principal.user.userid.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `Resources.0.Details.AwsIamAccessKey.PrincipalName` raw log field to event.idm.read_only_udm.principal.user.user_display_name.
- event.idm.read_only_udm.principal.asset.first_seen_time: Newly mapped `FirstObservedAt` raw log field to event.idm.read_only_udm.principal.asset.first_seen_time.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `WorkflowState` (key "Workflow_State"), `ProcessedAt` (key "ProcessedAt"), `GeneratorId` (key "GeneratorId"), `resource.Details.Other.Condition` (key "Condition"), `resource.Details.Other.Resource Control Policy Restriction Type` (key "Resource Control Policy Restriction Type"), `Action.AwsApiCallAction.Api` (key "ActionApi"), `Action.AwsApiCallAction.CallerType` (key "CallerType"), `Resources.0.Type` (key "ResourceType"), `FindingProviderFields.Severity.Product` (key "ProductSeverity"), `ProductFields.aws/securityhub/FindingId` (key "SecurityHubFindingId"), `LastObservedAt` (key "LastObservedAt"), `ProductFields.aws/guardduty/service/archived` (key "GuardDutyArchived"), `ProductFields.aws/guardduty/service/additionalInfo/value` (key "GuardDutyAdditionalInfo"), `ProductFields.aws/guardduty/service/featureName` (key "GuardDutyFeatureName"), `ProductFields.aws/guardduty/service/count` (key "GuardDutyEventCount"), `ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources` (key "AffectedResources"), `ProductFields.aws/guardduty/service/additionalInfo/type` (key "GuardDutyAdditionalInfoType"), `ProductFields.aws/guardduty/service/eventFirstSeen` (key "ProductEventFirstSeen"), and `ProductFields.aws/guardduty/service/eventLastSeen` (key "ProductEventLastSeen") raw log fields to event.idm.read_only_udm.security_result.detection_fields.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `Types` raw log field to event.idm.read_only_udm.security_result.category_details.
- event.idm.read_only_udm.security_result.last_updated_time: Newly mapped `UpdatedAt` raw log field to event.idm.read_only_udm.security_result.last_updated_time.
- event.idm.read_only_udm.security_result.url_back_to_product: Newly mapped `SourceUrl` raw log field to event.idm.read_only_udm.security_result.url_back_to_product.
- event.idm.read_only_udm.security_result.action_details: Newly mapped `resource.Details.Other.Action Granted` and `Action.ActionType` raw log fields to event.idm.read_only_udm.security_result.action_details.
- event.idm.read_only_udm.security_result.severity: Newly mapped `FindingProviderFields.Severity.Label` raw log field to event.idm.read_only_udm.security_result.severity.
- event.idm.read_only_udm.security_result.severity_details: Newly mapped `FindingProviderFields.Severity.Normalized` raw log field to event.idm.read_only_udm.security_result.severity_details.
2025-02-18 Enhancement:
- Added support for a new log format consisting of a JSON array of findings.
2025-01-20 Enhancement - Added support for a new log format.
2025-01-16 Enhancement - Added support for a new JSON log format.
2023-06-20 Enhancement - Modified "metadata.event_type" from "GENERIC_EVENT" to "USER_RESOURCE_ACCESS".
2023-03-24 Enhancement - when "detail.findings.0.Resources.0.Type" == "AwsEcsTaskDefinition":
- Mapped "target.resource.resource_type" to "TASK".
- Mapped "event_type" to "USER_RESOURCE_ACCESS".
- Mapped "detail.findings.0.ProductFields.Resources:0/Id" to "principal.asset_id".
- Parsed all other previously failing logs as GENERIC_EVENT, since STATUS_UPDATE was not an appropriate event type for them.
2022-08-22 Enhancement -
- Updated vendor_name from "AWS SECURITY HUB" to "AMAZON".
- Updated product_name from "AWS SECURITY HUB" to "AWS Security Hub".
- Parsed the new JSON format logs containing "configurationItem" or "configurationItems".
- Handled logs ingested as an import file by iterating over the contained records with a for loop and parsing each one as an individual event.
2022-07-01 Newly Created Parser.
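A Python model of the behaviour these entries describe (the import-file and JSON-array splitting from 2022-08-22 and 2025-02-18, the AwsEcsTaskDefinition rule and GENERIC_EVENT fallback from 2023-03-24, and a subset of the 2025-09-30 field mappings), added here as an illustration; it is not the parser's own configuration, and the sample record and every value in it are constructed.

```python
import json

def split_events(raw: str) -> list[dict]:
    """Split a raw log into findings: JSON array, import-file record or single finding."""
    doc = json.loads(raw)
    if isinstance(doc, list):
        return [f for f in doc if isinstance(f, dict)]
    findings = doc.get("detail", {}).get("findings")
    return list(findings) if isinstance(findings, list) else [doc]

def map_finding(f: dict) -> dict:
    """Model of the documented raw-field -> UDM mappings for one finding."""
    sev = f.get("FindingProviderFields", {}).get("Severity", {})
    res0 = (f.get("Resources") or [{}])[0]
    api = f.get("Action", {}).get("AwsApiCallAction", {})
    udm = {
        "metadata.vendor_name": "AMAZON",
        "metadata.product_name": "AWS Security Hub",
        "metadata.product_version": f.get("SchemaVersion"),
        "metadata.product_event_type": f.get("ProductName"),
        "metadata.event_timestamp": f.get("CreatedAt"),
        "security_result.severity": sev.get("Label"),
        "security_result.severity_details": sev.get("Normalized"),
        "target.resource.resource_subtype": res0.get("Type"),
        "principal.ip": api.get("RemoteIpDetails", {}).get("IpAddressV4"),
        "principal.user.userid": res0.get("Details", {}).get("AwsIamAccessKey", {}).get("PrincipalId"),
    }
    # 2023-03-24 rule: ECS task definitions get resource_type TASK, event type
    # USER_RESOURCE_ACCESS and an asset id from ProductFields; others fall back to GENERIC_EVENT.
    if res0.get("Type") == "AwsEcsTaskDefinition":
        udm["target.resource.resource_type"] = "TASK"
        udm["metadata.event_type"] = "USER_RESOURCE_ACCESS"
        udm["principal.asset_id"] = f.get("ProductFields", {}).get("Resources:0/Id")
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return {k: v for k, v in udm.items() if v is not None}  # drop fields absent from the raw log

def parse(raw: str) -> list[dict]:
    return [map_finding(f) for f in split_events(raw)]

# Constructed import-file style record with two findings; every value below is made up.
SAMPLE = json.dumps({"detail": {"findings": [
    {"SchemaVersion": "2018-10-08", "ProductName": "Security Hub", "CreatedAt": "2025-09-01T10:00:00Z",
     "FindingProviderFields": {"Severity": {"Label": "HIGH", "Normalized": 70}},
     "ProductFields": {"Resources:0/Id": "arn:aws:ecs:us-east-1:111122223333:task-definition/web:3"},
     "Resources": [{"Type": "AwsEcsTaskDefinition"}]},
    {"ProductName": "GuardDuty", "CreatedAt": "2025-09-01T11:00:00Z",
     "FindingProviderFields": {"Severity": {"Label": "MEDIUM", "Normalized": 40}},
     "Action": {"AwsApiCallAction": {"ServiceName": "iam.amazonaws.com", "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}},
     "Resources": [{"Type": "AwsIamAccessKey", "Details": {"AwsIamAccessKey": {"PrincipalId": "AIDAEXAMPLE"}}}]}]}})
```

Running `parse(SAMPLE)` yields two events: the ECS finding carries resource_type TASK and an asset id, while the GuardDuty finding falls back to GENERIC_EVENT with the caller IP and IAM principal mapped.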