Severity and state mappings for Security Hub
Alert priority and resolution state mapping between Security Hub and Incident Response.
Security Hub alert priority mapping
Security Hub's alert priority is based on one field in the payload.
The field of interest is:
body.Message.detail.finding[<index_of_finding>].FindingProviderFields.Severity.Label.
| Security Hub payload field | Security Hub payload value | Incident Response alert priority value |
|---|---|---|
| body.Message.detail.finding[<index_of_finding>].FindingProviderFields.Severity.Label | CRITICAL | CRITICAL |
| HIGH | MAJOR | |
| MEDIUM | MINOR | |
| LOW | WARNING | |
| INFORMATIONAL | OK |
If
body.Message.detail.finding[<index_of_finding>].FindingProviderFields.Severity.Label
property is not sent in payload, then alert priority value set is
P5-INFORMATIONAL
Security Hub resolution state mapping
The field of interest is:
body.Message.detail.finding[<index_of_finding>].WorkFlow.Status
| Security Hub payload field | Security Hub payload value | Incident Response alert resolution state value |
|---|---|---|
| body.Message.detail.finding[<index_of_finding>].WorkFlow.Status | RESOLVED | Closing |
| SUPPRESSED | Closing | |
| NEW | New | |
| NOTIFIED | New |
Note: If you require any other severity and state mappings, use the
Generic webhook integration.