Sample exposure finding - Amazon Security Hub

Sample exposure finding

Amazon Security Hub normalizes exposure findings in the Open Cybersecurity Schema Framework (OCSF).

Sample exposure finding

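In the following sample exposure finding, the related_events parameter (nested under finding_info) contains details unique to the exposure finding, such as contributing findings. Contributing findings are the traits and signals associated with an exposure finding. A single contributing finding can include one or more traits; in this sample, the traits are carried in each contributing finding's tags parameter. Within each contributing finding, the observables parameter identifies the resource associated with that contributing finding. This resource can be different from the one in the top-level resources parameter, which identifies the resource associated with the exposure finding. In this sample, all three contributing findings (a vulnerability, a reachability trait, and a misconfiguration) reference the same Lambda function that appears in resources. When you triage or automate on exposure findings, compare each observables value with resources rather than assuming they match.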

{ "activity_id": 1, "activity_name": "Create", "category_name": "Findings", "category_uid": 2, "class_name": "Detection Finding", "class_uid": 2004, "cloud": { "account": { "uid": "123456789012", "name": "production-application" }, "cloud_partition": "aws", "provider": "AWS", "region": "us-east-1" }, "finding_info": { "analytic": { "name": "Exposure", "type": "Rule", "type_id": 1, "uid": "0.0.1" }, "created_time_dt": "2024-11-15T21:39:26.337224100Z", "desc": "Publicly invocable Lambda function executed outside of VPC has vulnerability with known exploit that can be exploited from remote network", "finding.info.modified_time_dt": "2024-11-15T21:39:26.337224100Z", "related_events_count": 3, "related_events": [ { "tags": [ { "name": "Vulnerability", "values": [ "Attack Vector Network", "EPSS Level >= High", "EPSS Level >= Medium", "Exploit Available", "No Privileges Required", "No User Interaction Required", "Vulnerable" ] } ], "product": { "uid": "arn:aws-cn:securityhub:us-east-1::productv2/aws/inspector" }, "observables": [ { "type": "Resource UID", "type_id": 10, "value": "arn:aws-cn:lambda:us-east-1:123456789012:application-function" } ], "type": "Finding", "title": "CVE-2023-33246 - org.apache.rocketmq:rocketmq-controller", "uid": "arn:aws-cn:inspector2:us-east-1:123456789012:finding/1234567890abcdef0" }, { "tags": [ { "name": "Reachability", "values": [ "Publicly Invocable" ] } ], "product": { "uid": "arn:aws-cn:securityhub:us-east-1::productv2/aws/securityhub" }, "observables": [ { "type": "Resource UID", "type_id": 10, "value": "arn:aws-cn:lambda:us-east-1:123456789012:application-function" } ], "type": "Finding", "title": "Lambda function policies should prohibit public access", "uid": "arn:aws-cn:securityhub:us-east-1:123456789012:security-control/Lambda.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa" }, { "tags": [ { "name": "Misconfiguration", "values": [ "Deployed outside VPC" ] } ], "product": { "uid": 
"arn:aws-cn:securityhub:us-east-1::productv2/aws/securityhub" }, "observables": [ { "type": "Resource UID", "type_id": 10, "value": "arn:aws-cn:lambda:us-east-1:123456789012:application-function" } ], "type": "Finding", "title": "Lambda functions should be in a VPC", "uid": "arn:aws-cn:securityhub:us-east-1:123456789012:security-control/Lambda.3/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "title": "Publicly invocable Lambda function executed outside of VPC has vulnerability with known exploit that can be exploited from remote network", "types": [ "Exposure/Potential Impact/Resource Hijacking" ], "uid": "arn:aws-cn:securityhub:us-east-1:123456789012:risk:1234f781c7ae7507f01e2fb460f15ca8fe7f9c95e257698a092cb74a4ea84a42" }, "metadata": { "product": { "name": "Security Hub Exposure Analysis", "uid": "arn:aws-cn:securityhub:us-east-1::productv2/aws/securityhub-risk", "vendor_name": "Amazon" }, "processed_time_dt": "2024-11-15T21:39:58.819Z", "profiles": [ "cloud", "datetime" ], "version": "1.4.0-dev" }, "resources": [ { "cloud_partition": "aws", "region": "us-east-1", "tags": [ { "name": "aws:cloudformation:stack-name", "value": "LambdaProdStack" }, { "name": "aws:cloudformation:stack-id", "value": "arn:aws-cn:cloudformation:us-east-1:123456789012:stack/LambdaProdStack/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222" }, { "name": "aws:cloudformation:logical-id", "value": "lambdar3function94D10D40" } ], "type": "AwsLambdaFunction", "uid": "arn:aws-cn:lambda:us-east-1:123456789012:application-function" } ], "severity": "Critical", "severity_id": 5, "status": "New", "status_id": 1, "time": 1731706766337, "time_dt": "2024-11-15T21:39:26.337224100Z", "type_name": "Detection Finding: Create", "type_uid": 200401, "vendor_attributes": { "severity_id": 5, "severity": "Critical" } }