AWS securityhub documentation change
Summary
Added 'RiskAssessment' attribute documentation and updated references to Security Hub CSPM throughout the document
Security assessment
The change introduces documentation for a new 'RiskAssessment' attribute that helps assess security risks through posture analysis and vulnerability indicators. While this enhances security documentation, there is no evidence it addresses a specific vulnerability. Other changes reflect product rebranding to 'Security Hub CSPM' without security implications.
Diff
diff --git a/securityhub/latest/userguide/asff-top-level-attributes.md b/securityhub/latest/userguide/asff-top-level-attributes.md index 4b5f5d843..76c36f84c 100644 --- a//securityhub/latest/userguide/asff-top-level-attributes.md +++ b//securityhub/latest/userguide/asff-top-level-attributes.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html) +[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html) @@ -5 +5 @@ -ActionAwsAccountNameCompanyNameComplianceConfidenceCriticalityDetectionFindingProviderFieldsFirstObservedAtLastObservedAtMalwareNetwork (Retired)NetworkPathNotePatchSummaryProcessProcessedAtProductFieldsProductNameRecordStateRegionRelatedFindingsRemediationSampleSourceUrlThreatIntelIndicatorsThreatsUserDefinedFieldsVerificationStateVulnerabilitiesWorkflowWorkflowState (Retired) +ActionAwsAccountNameCompanyNameComplianceConfidenceCriticalityDetectionFindingProviderFieldsFirstObservedAtLastObservedAtMalwareNetwork (Retired)NetworkPathNotePatchSummaryProcessProcessedAtProductFieldsProductNameRecordStateRegionRelatedFindingsRiskAssessmentRemediationSampleSourceUrlThreatIntelIndicatorsThreatsUserDefinedFieldsVerificationStateVulnerabilitiesWorkflowWorkflowState (Retired) @@ -9 +9 @@ ActionAwsAccountNameCompanyNameComplianceConfidenceCriticalityDetectionFindingPr -These top-level attributes are optional in the AWS Security Finding Format (ASFF). For more information about these attributes, see [AwsSecurityFinding](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the _AWS Security Hub API Reference_. +The following top-level attributes in the AWS Security Finding Format (ASFF) are optional for findings in Security Hub CSPM. For more information about these attributes, see [AwsSecurityFinding](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the _AWS Security Hub Cloud Security Posture Management (CSPM) API Reference_. @@ -67 +67 @@ The name of the company for the product that generated the finding. For control- -Security Hub populates this attribute automatically for each finding. You cannot update it using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) or [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). The exception to this is when you use a custom integration. See [Integrating Security Hub with custom products](./securityhub-custom-providers.html). +Security Hub CSPM populates this attribute automatically for each finding. You cannot update it using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) or [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). The exception to this is when you use a custom integration. See [Integrating Security Hub CSPM with custom products](./securityhub-custom-providers.html). @@ -69 +69 @@ Security Hub populates this attribute automatically for each finding. You cannot -When you use the Security Hub console to filter findings by company name, you use this attribute. When you use the Security Hub API to filter findings by company name, you use the `aws/securityhub/CompanyName` attribute under `ProductFields`. Security Hub does not synchronize those two attributes. +When you use the Security Hub CSPM console to filter findings by company name, you use this attribute. When you use the Security Hub CSPM API to filter findings by company name, you use the `aws/securityhub/CompanyName` attribute under `ProductFields`. Security Hub CSPM does not synchronize those two attributes. @@ -114 +114 @@ The [`Compliance`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ - "Description": "This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation." + "Description": "This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub CSPM a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation." @@ -173 +173 @@ You can use the following guidelines: -The `Detection` object provides details about an attack sequence finding from Amazon GuardDuty Extended Threat Detection. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in AWS Security Hub, you must have GuardDuty enabled in your account. For more information, see [Amazon GuardDuty Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html) in the _Amazon GuardDuty User Guide_. +The `Detection` object provides details about an attack sequence finding from Amazon GuardDuty Extended Threat Detection. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in AWS Security Hub Cloud Security Posture Management (CSPM), you must have GuardDuty enabled in your account. For more information, see [Amazon GuardDuty Extended Threat Detection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-extended-threat-detection.html) in the _Amazon GuardDuty User Guide_. @@ -304 +304 @@ The `Detection` object provides details about an attack sequence finding from Am -The preceding fields are nested under the `FindingProviderFields` object, but have analogues of the same name as top-level ASFF fields. When a new finding is sent to Security Hub by a finding provider, Security Hub populates the `FindingProviderFields` object automatically if it is empty based on the corresponding top-level fields. +The preceding fields are nested under the `FindingProviderFields` object, but have analogues of the same name as top-level ASFF fields. When a new finding is sent to Security Hub CSPM by a finding provider, Security Hub CSPM populates the `FindingProviderFields` object automatically if it is empty based on the corresponding top-level fields. @@ -306 +306 @@ The preceding fields are nested under the `FindingProviderFields` object, but ha -Finding providers can update `FindingProviderFields` by using the[`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub API. Finding providers cannot update this object with [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). +Finding providers can update `FindingProviderFields` by using the[`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API. Finding providers cannot update this object with [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). @@ -308 +308 @@ Finding providers can update `FindingProviderFields` by using the[`BatchImportFi -For details on how Security Hub handles updates from `BatchImportFindings` to `FindingProviderFields` and to the corresponding top-level attributes, see [Updating findings with FindingProviderFields](./finding-update-batchimportfindings.html#batchimportfindings-findingproviderfields). +For details on how Security Hub CSPM handles updates from `BatchImportFindings` to `FindingProviderFields` and to the corresponding top-level attributes, see [Updating findings with FindingProviderFields](./finding-update-batchimportfindings.html#batchimportfindings-findingproviderfields). @@ -499 +499 @@ Example: -Indicates when Security Hub received a finding and begins to process it. +Indicates when Security Hub CSPM received a finding and begins to process it. @@ -501 +501 @@ Indicates when Security Hub received a finding and begins to process it. -This differs from `CreatedAt` and `UpdatedAt`, which are required time stamps that relate to the finding provider's interaction with the security issue and finding. The `ProcessedAt` time stamp indicates when Security Hub starts to process a finding. A finding appears in a user's account after processing is completed. +This differs from `CreatedAt` and `UpdatedAt`, which are required time stamps that relate to the finding provider's interaction with the security issue and finding. The `ProcessedAt` time stamp indicates when Security Hub CSPM starts to process a finding. A finding appears in a user's account after processing is completed. @@ -510 +510 @@ A data type where security findings products can include additional solution-spe -For findings generated by Security Hub controls, `ProductFields` includes information about the control. See [Generating and updating control findings](./controls-findings-create-update.html). +For findings generated by Security Hub CSPM controls, `ProductFields` includes information about the control. See [Generating and updating control findings](./controls-findings-create-update.html). @@ -518 +518 @@ Although not required, products should format field names as `company-id/product -The fields referencing `Archival` are used when Security Hub archives an existing finding. For example, Security Hub archives existing findings when you disable a control or standard and when you turn [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings) on or off. +The fields referencing `Archival` are used when Security Hub CSPM archives an existing finding. For example, Security Hub CSPM archives existing findings when you disable a control or standard and when you turn [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings) on or off. @@ -539 +539 @@ This field may also include information about the standard that includes the con -Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. +Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub CSPM. @@ -541 +541 @@ Provides the name of the product that generated the finding. For control-based f -Security Hub populates this attribute automatically for each finding. You cannot update it using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) or [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). The exception to this is when you use a custom integration. See [Integrating Security Hub with custom products](./securityhub-custom-providers.html). +Security Hub CSPM populates this attribute automatically for each finding. You cannot update it using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) or [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). The exception to this is when you use a custom integration. See [Integrating Security Hub CSPM with custom products](./securityhub-custom-providers.html). @@ -543 +543 @@ Security Hub populates this attribute automatically for each finding. You cannot -When you use the Security Hub console to filter findings by product name, you use this attribute. +When you use the Security Hub CSPM console to filter findings by product name, you use this attribute. @@ -545 +545 @@ When you use the Security Hub console to filter findings by product name, you us -When you use the Security Hub API to filter findings by product name, you use the `aws/securityhub/ProductName` attribute under `ProductFields`. +When you use the Security Hub CSPM API to filter findings by product name, you use the `aws/securityhub/ProductName` attribute under `ProductFields`. @@ -547 +547 @@ When you use the Security Hub API to filter findings by product name, you use th -Security Hub does not synchronize those two attributes. +Security Hub CSPM does not synchronize those two attributes. @@ -555 +555 @@ By default, when initially generated by a service, findings are considered `ACTI -The `ARCHIVED` state indicates that a finding should be hidden from view. Archived findings are not immediately deleted. You can search, review, and report on them. Security Hub automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled. +The `ARCHIVED` state indicates that a finding should be hidden from view. Archived findings are not immediately deleted. You can search, review, and report on them. Security Hub CSPM automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled. @@ -561 +561 @@ To track the status of your investigation into a finding, use Workflow instead o -If the record state changes from `ARCHIVED` to `ACTIVE`, and the workflow status of the finding is either `NOTIFIED` or `RESOLVED`, then Security Hub automatically sets the workflow status to `NEW`. +If the record state changes from `ARCHIVED` to `ACTIVE`, and the workflow status of the finding is either `NOTIFIED` or `RESOLVED`, then Security Hub CSPM automatically sets the workflow status to `NEW`. @@ -572 +572 @@ Specifies the AWS Region from which the finding was generated. -Security Hub populates this attribute automatically for each finding. You cannot update it using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) or [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). +Security Hub CSPM populates this attribute automatically for each finding. You cannot update it using [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) or [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). @@ -587 +587 @@ For [`BatchImportFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIRefer -To view descriptions of `RelatedFindings` attributes, see [`RelatedFinding`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_RelatedFinding.html) in the _AWS Security Hub API Reference_. +To view descriptions of `RelatedFindings` attributes, see [`RelatedFinding`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_RelatedFinding.html) in the _AWS Security Hub Cloud Security Posture Management (CSPM) API Reference_. @@ -598,0 +599,43 @@ To view descriptions of `RelatedFindings` attributes, see [`RelatedFinding`](htt +## RiskAssessment + +**Example** + + + "RiskAssessment": { + "Posture": { + "FindingTotal": 4, + "Indicators": [ + { + "Type": "Reachability", + "Findings": [ + { + "Id": "arn:aws:inspector2:us-east-2:123456789012:finding/1234567890abcdef0", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector", + "Title": "Finding title" + }, + { + "Id": "arn:aws:inspector2:us-east-2:123456789012:finding/abcdef01234567890", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector", + "Title": "Finding title" + } + ] + }, + { + "Type": "Vulnerability", + "Findings": [ + { + "Id": "arn:aws:inspector2:us-east-2:123456789012:finding/021345abcdef6789", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector", + "Title": "Finding title" + }, + { + "Id": "arn:aws:inspector2:us-east-2:123456789012:finding/021345ghijkl6789", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector", + "Title": "Finding title" + } + ] + } + ] + } + } + @@ -608 +651 @@ The [`Remediation`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API - "Text": "For instructions on how to fix this issue, see the AWS Security Hub documentation for EC2.2.", + "Text": "For instructions on how to fix this issue, see the AWS Security Hub Cloud Security Posture Management (CSPM) documentation for EC2.2.", @@ -764 +807 @@ This field is intended for customers to use with remediation, orchestration, and -You can only update the `Workflow` field with [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). Customers can also update it from the console. See [Setting the workflow status of Security Hub findings](./findings-workflow-status.html). +You can only update the `Workflow` field with [`BatchUpdateFindings`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html). Customers can also update it from the console. See [Setting the workflow status of findings in Security Hub CSPM](./findings-workflow-status.html).