Reference for AWSSecurityHubFindings table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | AWS |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AwsAccountId | string | The AWS account ID associated with the event. |
| AwsRegion | string | The AWS region where the event occurred. |
| AwsSecurityFindingCreatedAt | datetime | The timestamp when the security finding was created. |
| AwsSecurityFindingDescription | string | A detailed description of the AWS security finding. |
| AwsSecurityFindingFirstObservedAt | datetime | The timestamp when the security finding was first observed. |
| AwsSecurityFindingGeneratorId | string | The ID of the generator that created the security finding. |
| AwsSecurityFindingId | string | The unique identifier for the AWS security finding. |
| AwsSecurityFindingLastObservedAt | datetime | The timestamp when the security finding was last observed. |
| AwsSecurityFindingProcessedAt | datetime | The timestamp when the security finding was processed. |
| AwsSecurityFindingProductArn | string | The Amazon Resource Name (ARN) of the product that generated the finding. |
| AwsSecurityFindingProductFields | dynamic | Additional fields provided by the product that generated the finding. |
| AwsSecurityFindingProductName | string | The name of the product that generated the finding. |
| AwsSecurityFindingSeverity | dynamic | The severity level of the security finding. |
| AwsSecurityFindingTitle | string | The title of the AWS security finding. |
| AwsSecurityFindingTypes | dynamic | The types or categories of the AWS security finding. |
| AwsSecurityFindingUpdatedAt | datetime | The timestamp when the security finding was last updated. |
| ComplianceAssociatedStandards | dynamic | The compliance standards associated with the resource. |
| ComplianceRelatedRequirements | dynamic | The related compliance requirements. |
| ComplianceSecurityControlId | string | The ID of the security control related to compliance. |
| ComplianceSecurityControlParameters | dynamic | Parameters associated with the security control. |
| ComplianceStatus | string | The compliance status of the resource (e.g., COMPLIANT, NON_COMPLIANT). |
| ComplianceStatusReasons | dynamic | The reasons for the compliance status. |
| RawData | dynamic | The raw data associated with the finding. |
| RecordState | string | The state of the record (e.g., ACTIVE, ARCHIVED). |
| Remediation | dynamic | Details about how to remediate the security finding. |
| Resources | dynamic | The resources associated with the security finding. |
| SchemaVersion | string | The version of the schema used for the finding. |
| SourceSystem | string | The type of agent the event was collected by. For example: OpsManager for the Windows agent (either direct connect or Operations Manager); Linux for all Linux agents; or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp when the event was generated. |
| Type | string | The name of the table |
| WorkflowState | string | The workflow state of the finding (e.g., NEW, RESOLVED). |
This table is used by the following solutions: AWS Security Hub
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| AWS Security Hub Findings (via Codeless Connector Framework) | |
In solution AWS Security Hub: ComplianceStatus == "FAILED"; RecordState == "ACTIVE"
In solution AWS Security Hub:
| Hunting Query | Selection Criteria |
|---|---|
| AWS Security Hub - CloudTrail trails without log file validation | AwsSecurityFindingGeneratorId == "security-control/CloudTrail.4"; ComplianceSecurityControlId == "CloudTrail.4"; ComplianceStatus == "FAILED"; RecordState == "ACTIVE" |
| AWS Security Hub - EC2 instances with public IPv4 address | AwsSecurityFindingGeneratorId == "security-control/EC2.9"; ComplianceSecurityControlId == "EC2.9"; ComplianceStatus == "FAILED"; RecordState == "ACTIVE" |
| AWS Security Hub - IAM users with console password and no MFA | AwsSecurityFindingGeneratorId == "security-control/IAM.5"; ComplianceSecurityControlId == "IAM.5"; ComplianceStatus == "FAILED"; RecordState == "ACTIVE" |
In solution AWS Security Hub: ComplianceStatus in "FAILED,PASSED"; RecordState == "ACTIVE"
| Workbook |
|---|
| AWSSecurityHubComplianceWorkbook |
References by type: 0 connectors, 12 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ComplianceStatus == "FAILED"; RecordState == "ACTIVE" | - | 8 | - | - | 8 |
| AwsSecurityFindingGeneratorId == "security-control/CloudTrail.4"; ComplianceSecurityControlId == "CloudTrail.4"; ComplianceStatus == "FAILED"; RecordState == "ACTIVE" | - | 1 | - | - | 1 |
| AwsSecurityFindingGeneratorId == "security-control/EC2.9"; ComplianceSecurityControlId == "EC2.9"; ComplianceStatus == "FAILED"; RecordState == "ACTIVE" | - | 1 | - | - | 1 |
| AwsSecurityFindingGeneratorId == "security-control/IAM.5"; ComplianceSecurityControlId == "IAM.5"; ComplianceStatus == "FAILED"; RecordState == "ACTIVE" | - | 1 | - | - | 1 |
| ComplianceStatus in "FAILED,PASSED"; RecordState == "ACTIVE" | - | 1 | - | - | 1 |
| Total | 0 | 12 | 0 | 0 | 12 |
| AwsSecurityFindingGeneratorId value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| security-control/CloudTrail.4 | - | 1 | - | - | 1 |
| security-control/EC2.9 | - | 1 | - | - | 1 |
| security-control/IAM.5 | - | 1 | - | - | 1 |
| ComplianceSecurityControlId value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| CloudTrail.4 | - | 1 | - | - | 1 |
| EC2.9 | - | 1 | - | - | 1 |
| IAM.5 | - | 1 | - | - | 1 |
| ComplianceStatus value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| FAILED | - | 12 | - | - | 12 |
| PASSED | - | 1 | - | - | 1 |
| RecordState value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ACTIVE | - | 12 | - | - | 12 |