Amazon AWS Security Hub Sample Event Message
Use these sample event messages as a way of verifying a successful integration with JSA.
The following table provides a sample event message when you use the Amazon Web Services protocol for the Amazon AWS Security Hub DSM.
Event name | Low level category | Sample log message |
---|---|---|
| Security Protocol | {LogStreamName: SecurityHubLogStream,Timestamp: 1568035216780,Message: {"version":"0","id":"2b91a1e3-38d5-0160-7d19-8b21b5359b4c","detail-type":"Security Hub Findings - Imported","source":"aws.securityhub","account":"111111111111","time":"2019-09-09T13:20:16Z","region":"useast-1","resources":["..."],"detail":{"findings":[{"SchemaVersion":"2018-10-08","Id":"...","ProductArn":"arn:aws:securityhub:useast-1::product/aws/guardduty","GeneratorId":"...","AwsAccountId":"111111111111","Types":["TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom"],"FirstObservedAt":"2019-04-22T18:52:24.444Z","LastObservedAt":"...","CreatedAt":"...","UpdatedAt":"...","Severity":{"Product":5,"Normalized":50},"Title":"API GeneratedFindingAPIName was invoked from an IP address on a custom threat list.","Description":"API was invoked from an IP address on the custom threat list.","ProductFields":{},"Resources":[{"Type":"AwsIamAccessKey","Id":"AWS::IAM::AccessKey:GeneratedFindingAccessKeyId","Partition":"aws","Region":"us-east-1","Details":{"AwsIamAccessKey":{"UserName":"GeneratedFindingAWSService"}}}],"RecordState":"ACTIVE","WorkflowState":"NEW","approximateArrivalTimestamp":1568035214.555}]}},IngestionTime: 1568035216790,EventId: 34968353831733509797102082883407915803695330140453142528} |
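The sample message is a non-JSON wrapper (unquoted keys such as LogStreamName and Timestamp) around a JSON Security Hub event, so it cannot be passed to a JSON parser as a whole. The following is an added example, not part of the JSA documentation or the DSM's own code, that splits the wrapper from the embedded event and lists the finding fields to compare against what the integration shows. The function names parse_envelope and summarize are hypothetical, the sample string is a shortened constructed copy of the row above, and the wrapper values are assumed to contain no commas.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a shortened envelope in the same shape as the row above.
SAMPLE = (
    '{LogStreamName: SecurityHubLogStream,Timestamp: 1568035216780,Message: '
    '{"version":"0","source":"aws.securityhub","account":"111111111111",'
    '"detail":{"findings":[{"AwsAccountId":"111111111111",'
    '"Types":["TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom"],'
    '"Severity":{"Product":5,"Normalized":50},"RecordState":"ACTIVE",'
    '"Resources":[{"Type":"AwsIamAccessKey","Region":"us-east-1"}]}]}},'
    'IngestionTime: 1568035216790,EventId: 1234}'  # EventId is a placeholder
)

def parse_envelope(raw):
    """Split the envelope into wrapper fields and the embedded JSON event."""
    marker = "Message: "
    start = raw.index(marker) + len(marker)
    # raw_decode stops where the JSON object ends, so commas and braces
    # inside string values cannot break the split.
    event, end = json.JSONDecoder().raw_decode(raw, start)
    wrapper = {}
    for part in (raw[1:start - len(marker)] + raw[end:-1]).split(","):
        key, sep, value = part.partition(": ")
        if sep:
            wrapper[key.strip()] = value.strip()
    return wrapper, event

def summarize(raw):
    """Return one row per finding with the fields an event mapping keys on."""
    wrapper, event = parse_envelope(raw)
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event")
    ts = datetime.fromtimestamp(int(wrapper["Timestamp"]) / 1000, tz=timezone.utc)
    return [{
        "log_time": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "account": f.get("AwsAccountId"),
        "type": (f.get("Types") or [None])[0],
        "severity": f.get("Severity", {}).get("Normalized"),
        "resource_types": [r.get("Type") for r in f.get("Resources", [])],
        "state": f.get("RecordState"),
    } for f in event["detail"]["findings"]]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```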