AWS Security Hub

AWS Security Hub is an AWS service that can automate security best practice checks, aggregate security alerts into a single place and format, and understand your overall security posture across all of your AWS accounts. Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation.

Query integrates with AWS Security Hub to surface details about:

  • Resource IDs (the protected resource httpSourceId which is typically an ARN and webaclId which is always an ARN despite the name)
  • Process name
  • File name

The following Entities, Events and Objects are supported by Query for those data points. For more information about this terminology, refer to the Normalization and the Query Data Model (QDM) section of the docs or check out our QDM Schema website.


  • Resource ID (mapped to finding.uid, finding_info.uid and resources.uid)
  • Process Name (mapped to
  • File Name (mapped to process.file.path and malware.path)


  • Security Finding
  • Detection Finding
  • Compliance Finding
  • Vulnerability Finding

For example, the analyst could obtain the following context:

  • Searching for a suspected resource id (arn:aws:us-east-1, i-123456abcdef”, etc) for an organizations owned AWS resource or ARN you would get any of the Events identified by Security Hub.

To integrate AWS Security Hub, see integration documentation here. The integration will normalize data pulled from AWS Security Hub into Query’s OCSF based QDM (Query Data Model) modeled on OCSF’s Event Activity from OCSF v1.0.0-rc2.