Severity and state mappings for Security Hub

Alert priority and resolution state mapping between Security Hub and Incident Response.

Security Hub alert priority mapping

The Incident Response alert priority is derived from a single field in the Security Hub payload.

The field of interest is: body.Message.detail.finding[<index_of_finding>].FindingProviderFields.Severity.Label

Security Hub payload field: body.Message.detail.finding[<index_of_finding>].FindingProviderFields.Severity.Label

Security Hub payload value    Incident Response alert priority value
CRITICAL                      CRITICAL
HIGH                          MAJOR
MEDIUM                        MINOR
LOW                           WARNING
INFORMATIONAL                 OK

If the body.Message.detail.finding[<index_of_finding>].FindingProviderFields.Severity.Label property is not present in the payload, the alert priority is set to P5-INFORMATIONAL.

Security Hub resolution state mapping

The Incident Response alert resolution state is derived from a single field in the Security Hub payload.

The field of interest is: body.Message.detail.finding[<index_of_finding>].WorkFlow.Status

Security Hub payload field: body.Message.detail.finding[<index_of_finding>].WorkFlow.Status

Security Hub payload value    Incident Response alert resolution state value
RESOLVED                      Closing
SUPPRESSED                    Closing
NEW                           New
NOTIFIED                      New

Note: If you require any other severity and state mappings, use the Generic webhook integration.
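The following is an added example that applies both mappings above (priority from Severity.Label, resolution state from WorkFlow.Status) to every finding in a payload. It is not the integration's own code. It assumes the body.Message envelope carries the finding event either as a JSON-encoded string or as an already parsed object (an assumption about the transport, not something the page states), and the sample payload is constructed for the example. A WorkFlow.Status value outside the table is reported as unmapped, which is the case the Generic webhook note covers.

```python
import json

# Priority mapping from the Security Hub priority table above.
PRIORITY_BY_LABEL = {
    "CRITICAL": "CRITICAL",
    "HIGH": "MAJOR",
    "MEDIUM": "MINOR",
    "LOW": "WARNING",
    "INFORMATIONAL": "OK",
}
# Used when FindingProviderFields.Severity.Label is absent from the finding.
DEFAULT_PRIORITY = "P5-INFORMATIONAL"

# Resolution state mapping from the Security Hub state table above.
STATE_BY_WORKFLOW_STATUS = {
    "RESOLVED": "Closing",
    "SUPPRESSED": "Closing",
    "NEW": "New",
    "NOTIFIED": "New",
}


def findings_from_payload(payload):
    """Return the list at body.Message.detail.finding.

    Assumption: body.Message is either a JSON string or an already parsed dict.
    """
    message = payload["body"]["Message"]
    if isinstance(message, str):
        message = json.loads(message)
    return message["detail"]["finding"]


def map_priority(finding):
    """Severity.Label -> Incident Response priority; default when the label is missing."""
    provider_fields = finding.get("FindingProviderFields") or {}
    severity = provider_fields.get("Severity") or {}
    label = severity.get("Label")
    if label is None:
        return DEFAULT_PRIORITY
    # Assumption: a label not in the table is treated like a missing one.
    return PRIORITY_BY_LABEL.get(label, DEFAULT_PRIORITY)


def map_resolution_state(finding):
    """WorkFlow.Status -> Incident Response resolution state; None when unmapped."""
    workflow = finding.get("WorkFlow") or {}
    return STATE_BY_WORKFLOW_STATUS.get(workflow.get("Status"))


def map_payload(payload):
    """Map every finding in the payload, keeping its index for traceability."""
    mapped = []
    for index, finding in enumerate(findings_from_payload(payload)):
        mapped.append({
            "index": index,
            "id": finding.get("Id"),
            "priority": map_priority(finding),
            "state": map_resolution_state(finding),  # None means: use Generic webhook
        })
    return mapped


# Constructed sample payload: three findings, the third without a Severity.Label.
SAMPLE_PAYLOAD = {
    "body": {
        "Message": json.dumps({
            "detail": {
                "finding": [
                    {"Id": "example-finding-1",
                     "FindingProviderFields": {"Severity": {"Label": "HIGH"}},
                     "WorkFlow": {"Status": "NEW"}},
                    {"Id": "example-finding-2",
                     "FindingProviderFields": {"Severity": {"Label": "LOW"}},
                     "WorkFlow": {"Status": "RESOLVED"}},
                    {"Id": "example-finding-3",
                     "WorkFlow": {"Status": "SUPPRESSED"}},
                ]
            }
        })
    }
}

if __name__ == "__main__":
    for row in map_payload(SAMPLE_PAYLOAD):
        print(row)
```

Running the block prints one row per finding; the third row shows the P5-INFORMATIONAL default taking effect when Severity.Label is absent, while a finding whose WorkFlow.Status is not in the table comes back with state None so the caller can route it elsewhere rather than silently reopening or closing the alert.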