AWS aws_security_hub Mappings

AWS Security Hub is a tool that supports the aggregation, organization, and prioritization of security alerts and findings from multiple services including Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, AWS Systems Manager, AWS Firewall Manager, and AWS Partner Network (APN) solutions. To do this, AWS Security Hub relies on managed insights which are collections of findings that identify security areas that need to be addressed as well as custom checks for different detections. While AWS Security Hub supports custom insights and numerous AWS Config checks, this mapping focuses only on the managed insights and the custom Security Hub checks provided by Amazon. Custom managed insights and AWS Config checks are considered out of scope for this mapping as the custom managed insights will vary from organization to organization and AWS Config has its own mapping.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name
aws_security_hub AWS Security Hub detect partial T1068 Exploitation for Privilege Escalation
aws_security_hub AWS Security Hub detect minimal T1078 Valid Accounts
aws_security_hub AWS Security Hub detect significant T1078.004 Cloud Accounts
aws_security_hub AWS Security Hub detect minimal T1098 Account Manipulation
aws_security_hub AWS Security Hub detect significant T1098.001 Additional Cloud Credentials
aws_security_hub AWS Security Hub detect minimal T1110 Brute Force
aws_security_hub AWS Security Hub detect minimal T1110.001 Password Guessing
aws_security_hub AWS Security Hub detect minimal T1110.003 Password Spraying
aws_security_hub AWS Security Hub detect minimal T1110.004 Credential Stuffing
aws_security_hub AWS Security Hub detect partial T1190 Exploit Public-Facing Application
aws_security_hub AWS Security Hub detect partial T1203 Exploitation for Client Execution
aws_security_hub AWS Security Hub detect partial T1210 Exploitation of Remote Services
aws_security_hub AWS Security Hub detect partial T1211 Exploitation for Defense Evasion
aws_security_hub AWS Security Hub detect partial T1212 Exploitation for Credential Access
aws_security_hub AWS Security Hub detect minimal T1485 Data Destruction
aws_security_hub AWS Security Hub detect partial T1530 Data from Cloud Storage Object
aws_security_hub AWS Security Hub detect partial T1531 Account Access Removal
aws_security_hub AWS Security Hub protect significant T1543.005 Container Service
aws_security_hub AWS Security Hub detect partial T1562 Impair Defenses
aws_security_hub AWS Security Hub detect significant T1562.001 Disable or Modify Tools
aws_security_hub AWS Security Hub detect significant T1562.007 Disable or Modify Cloud Firewall
aws_security_hub AWS Security Hub detect significant T1562.008 Disable Cloud Logs
aws_security_hub AWS Security Hub detect partial T1580 Cloud Infrastructure Discovery
aws_security_hub AWS Security Hub detect minimal T1589 Gather Victim Identity Information
aws_security_hub AWS Security Hub detect minimal T1589.001 Credentials
aws_security_hub AWS Security Hub detect minimal T1589.002 Email Addresses
aws_security_hub AWS Security Hub detect minimal T1589.003 Employee Names
aws_security_hub AWS Security Hub detect minimal T1590 Gather Victim Network Information
aws_security_hub AWS Security Hub detect minimal T1590.001 Domain Properties
aws_security_hub AWS Security Hub detect minimal T1590.002 DNS
aws_security_hub AWS Security Hub detect minimal T1590.003 Network Trust Dependencies
aws_security_hub AWS Security Hub detect minimal T1590.004 Network Topology
aws_security_hub AWS Security Hub detect minimal T1590.005 IP Addresses
aws_security_hub AWS Security Hub detect minimal T1590.006 Network Security Appliances
aws_security_hub AWS Security Hub detect minimal T1591 Gather Victim Org Information
aws_security_hub AWS Security Hub detect minimal T1591.001 Determine Physical Locations
aws_security_hub AWS Security Hub detect minimal T1591.002 Business Relationships
aws_security_hub AWS Security Hub detect minimal T1591.003 Identify Business Tempo
aws_security_hub AWS Security Hub detect minimal T1591.004 Identify Roles
aws_security_hub AWS Security Hub detect minimal T1592 Gather Victim Host Information
aws_security_hub AWS Security Hub detect minimal T1592.001 Hardware
aws_security_hub AWS Security Hub detect minimal T1592.002 Software
aws_security_hub AWS Security Hub detect minimal T1592.003 Firmware
aws_security_hub AWS Security Hub detect minimal T1592.004 Client Configurations
aws_security_hub AWS Security Hub protect partial T1651 Cloud Administration Command