AWS Security Hub import mapping

  • Release version: Yokohama
  • Updated April 2, 2026
  • AWS Security Hub data mapping tables.

    AWS Security Hub Host Vulnerabilities import

    Data is loaded into the sn_vul_aws_security_hub_host_vuln_import table.

    | Column | Type | Description |
    |---|---|---|
    | activity_id | integer | Activity identifier |
    | activity_name | string | Activity name |
    | category_name | string | Category name |
    | category_uid | integer | Category unique identifier |
    | class_name | string | Class name |
    | class_uid | integer | Class unique identifier |
    | cloud | string | Cloud provider information (JSON) |
    | finding_info | string | Finding information (JSON) |
    | metadata | string | Metadata (JSON) |
    | remediation | object | Remediation information |
    | resources | string | Resource details (JSON) |
    | severity | string | Severity level |
    | severity_id | integer | Severity identifier |
    | status | string | Finding status |
    | status_id | integer | Status identifier |
    | time | integer | Timestamp (epoch) |
    | time_dt | string | Timestamp (datetime string) |
    | type_name | string | Type name |
    | type_uid | integer | Type unique identifier |
    | unmapped | string | Unmapped fields |
    | vulnerabilities | string | Vulnerabilities data (JSON) |
    | sys_domain | Domain | Domain for domain separation |

    Severity and status mappings

    Table 1. AWS Security Hub severity mapping

    | AWS Security Hub severity | ServiceNow severity value | ServiceNow severity label |
    |---|---|---|
    | CRITICAL | 1 | Critical |
    | HIGH | 2 | High |
    | MEDIUM | 3 | Medium |
    | LOW | 4 | Low |
    | INFORMATIONAL | 4 | Low |
    | UNKNOWN | 5 | None |
    | FATAL | 1 | Critical |
    | OTHER | 5 | None |

    Table 2. Detection status mapping

    | AWS Security Hub status | ServiceNow detection status value | ServiceNow detection status label | Notes |
    |---|---|---|---|
    | New | 0 | Open | |
    | In Progress | 0 | Open | |
    | Resolved | 1 | Fixed | |
    | Suppressed | 0 | Open | Sets is_ignored=true |
    | Archived | 1 | Fixed | |
    | Unknown | 0 | Open | |
    | Other | 0 | Open | |

    Table 3. NVD entry field mapping [sn_vul_nvd_entry]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | vulnerabilities.cve.uid | id | CVE identifier |
    | "AWS" | source | Static value indicating AWS source |
    | (ref) | aws_cvd_details | Custom column referencing sn_vul_aws_cvd_attributes |

    Table 4. CVD attributes field mapping [sn_vul_aws_cvd_attributes]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | cvss[].scoringVector | v2_vector_string | When version 2.x and source matches root level |
    | cvss[].baseScore | score | When version 2.x |
    | cvss[].baseScore | v3_base_score | When version 3.x |
    | cvss[].scoringVector | v3_vector_string | When version 3.x |
    | cvss[].baseScore | v4_base_score | When version 4.x |
    | cvss[].scoringVector | v4_vector_string | When version 4.x |
    | vulnerabilities.is_exploit_available | exploit | Exploit availability |
    | vulnerabilities.cve.epss.score | epss_score | EPSS probability score |
    | vulnerabilities.is_fix_available | fix_available | Fix availability |
    | vulnerabilities.severity | source_severity | fatal/critical→critical, high→high, medium→medium, low/informational→low, unknown/other→none |
    | vulnerabilities.exploit_last_seen_time_dt | last_known_exploit_at | Last known exploit date |

    Table 5. Third-party vulnerability entry field mapping [sn_vul_third_party_entry]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | vulnerabilities.cve.uid | id | CVE identifier |
    | cvss severity | severity | CVSS severity |
    | cvss base_score | score / v2_base_score / v3_base_score / v4_base_score | Version-dependent base score |
    | cvss vector_string | v2_vector_string / v3_vector_string / v4_vector_string | Version-dependent vector string |
    | vulnerabilities.cve.desc | summary | Vulnerability description |
    | vulnerabilities.cve.modified_time_dt | last_modified | Last modified date |
    | vulnerabilities.cve.created_time_dt | date_published | Date published |
    | vulnerabilities.is_exploit_available | exploit | Exploit availability |
    | vulnerabilities.severity | source_severity | Source severity |
    | vulnerabilities.cve.epss.score | epss_score | EPSS probability score |
    | vulnerabilities.is_fix_available | patch_available | Patch availability |
    | vulnerabilities.exploit_last_seen_time_dt | last_known_exploit_at | Last known exploit date |

    Table 6. Detection field mapping [sn_vul_detection]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | vulnerabilities[0].cve.uid | vulnerability | Reference to vulnerability entry |
    | finding_info.title | short_description | Finding title |
    | finding_info.desc | description | Finding description |
    | finding_info.desc | proof | Finding description as proof |
    | finding_info.first_seen_time_dt | first_found | First seen timestamp |
    | finding_info.last_seen_time_dt | last_found | Last seen timestamp |
    | status | source_status | New/In Progress/Unknown/Other→open, Resolved→closed, Suppressed→open with is_ignored=true, Archived→closed |
    | severity | source_severity | Source severity level |
    | affected_packages[].fixed_in_version | fixed_version | Fixed version of affected package |
    | finding_info.uid | detection_key | Unique detection key |

    Table 7. Discovered item field mapping [sn_sec_cmn_src_ci]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | resources.uid | source_id | Source identifier |
    | resources.uid | resource_id | Resource identifier |
    | resources.region | cloud_region | AWS region |
    | resources.owner.account.uid | cloud_account | AWS account ID |
    | resources.type | cloud_resource_type | Cloud resource type |
    | "AWS" | cloud_service_provider | Static value: AWS |
    | "Cloud" | asset_category | Static value: Cloud |
    | resources | source_data | Raw source data |

    Table 8. Vulnerable item field mapping

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | status_id | state | State from status ID |
    | status | status | Status value |
    | severity | source_severity | Source severity |
    | (ref) | vulnerability | Reference to sn_vul_entry |
    | (ref) | src_ci | Reference to sn_sec_cmn_src_ci |

    Table 9. Host vulnerability transform scripts

    | Script timing | Script name | Description |
    |---|---|---|
    | onStart | AWSSecurityHubHostVulnerabilitiesProcessor.onStart | Initializes the processor for Security Hub host findings. |
    | onBefore | AWSSecurityHubHostVulnerabilitiesProcessor.onBefore | Processes each imported record. Creates or updates VITs, detections, and discovered items. |
    | onComplete | AWSSecurityHubHostVulnerabilitiesProcessor.onComplete | Finalizes the import and logs summary statistics. |
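
The severity, detection status and CVSS routing rules in Tables 1, 2 and 4 can be checked ahead of an import by computing the values a finding should produce. This is an added example, not ServiceNow's processor code; the function names, the output property names, the `version` property and the flat `cvss` array on the finding are assumptions.

```javascript
// Added example: lookups transcribed from Tables 1, 2 and 4 on this page.
const SEVERITY = {
  CRITICAL: [1, "Critical"], FATAL: [1, "Critical"], HIGH: [2, "High"], MEDIUM: [3, "Medium"],
  LOW: [4, "Low"], INFORMATIONAL: [4, "Low"], UNKNOWN: [5, "None"], OTHER: [5, "None"],
};
const STATUS = {
  NEW: [0, "Open"], "IN PROGRESS": [0, "Open"], SUPPRESSED: [0, "Open"], UNKNOWN: [0, "Open"],
  OTHER: [0, "Open"], RESOLVED: [1, "Fixed"], ARCHIVED: [1, "Fixed"],
};
// Case-insensitive lookup; values absent from the page's tables are rejected.
function lookup(table, raw, what) {
  const key = String(raw ?? "").trim().toUpperCase();
  if (!Object.hasOwn(table, key)) throw new Error(`unmapped ${what}: ${raw}`);
  return { key, value: table[key][0], label: table[key][1] };
}
// Route CVSS entries to the version-specific columns of Table 4.
// `version` is an assumed property name; the v2 "source matches root level"
// condition is not modelled because the page does not name those fields.
function routeCvss(entries) {
  const out = {};
  for (const c of entries || []) {
    const major = String(c.version ?? "").trim().charAt(0); // "3.1" -> "3"
    if (major === "2") {
      out.score = c.baseScore;
      out.v2_vector_string = c.scoringVector;
    } else if (major === "3" || major === "4") {
      out[`v${major}_base_score`] = c.baseScore;
      out[`v${major}_vector_string`] = c.scoringVector;
    } // other versions have no target column on this page
  }
  return out;
}
// Output property names here are hypothetical labels for the mapped values.
function expectedMapping(finding) {
  const sev = lookup(SEVERITY, finding.severity, "severity");
  const st = lookup(STATUS, finding.status, "status");
  return {
    severity: sev.value, severity_label: sev.label,
    detection_status: st.value, detection_status_label: st.label,
    is_ignored: st.key === "SUPPRESSED", // Table 2 note
    cvd: routeCvss(finding.cvss),
  };
}
// Constructed sample finding (not real Security Hub output).
const sample = { severity: "Informational", status: "Suppressed", cvss: [
  { version: "2.0", baseScore: 5.0, scoringVector: "AV:N/AC:L/Au:N/C:N/I:P/A:N" },
  { version: "3.1", baseScore: 7.5, scoringVector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" },
] };
console.log(expectedMapping(sample));
```

The sample shows two collapses worth checking in reports: an INFORMATIONAL finding lands at severity 4 (Low), and a Suppressed finding stays Open with is_ignored set rather than being closed.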

    AWS Security Hub Container Vulnerabilities import

    Data is loaded into the sn_vul_aws_security_hub_container_vuln_import table.

    | Column | Type | Description |
    |---|---|---|
    | activity_id | integer | Activity identifier |
    | activity_name | string | Activity name |
    | category_name | string | Category name |
    | category_uid | integer | Category unique identifier |
    | class_name | string | Class name |
    | class_uid | integer | Class unique identifier |
    | cloud | string | Cloud provider information (JSON) |
    | finding_info | string | Finding information (JSON) |
    | metadata | string | Metadata (JSON) |
    | remediation | object | Remediation information |
    | resources | string | Resource details (JSON) |
    | severity | string | Severity level |
    | severity_id | integer | Severity identifier |
    | status | string | Finding status |
    | status_id | integer | Status identifier |
    | time | integer | Timestamp (epoch) |
    | time_dt | string | Timestamp (datetime string) |
    | type_name | string | Type name |
    | type_uid | integer | Type unique identifier |
    | unmapped | string | Unmapped fields |
    | vulnerabilities | string | Vulnerabilities data (JSON) |
    | sys_domain | Domain | Domain for domain separation |

    Container vulnerability field mappings

    Table 10. Discovered container image field mapping [sn_vul_container_image]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | resources[0].name | image_name | Container image name |
    | resources[0].image.hash.value | image_digest | Image digest hash |
    | resources[0].image.uid | image_id | Image unique identifier |
    | resources[0].image.tag | repository_entry | Image tag |
    | resources[0].registry_uid | registry | Container registry UID |
    | cloud.provider | cloud_provider | Cloud provider |
    | cloud.region | cloud_region | AWS region |
    | cloud.account.uid | cloud_account | AWS account ID |
    | resources[0].repository_name | repository | Repository name |

    Table 11. Container image findings field mapping

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | status | state | Finding state |
    | severity | severity | Finding severity |
    | finding_info.desc | proof | Finding description as proof |
    | finding_info.first_seen_time_dt | first_found | First seen timestamp |
    | finding_info.last_seen_time_dt | last_found | Last seen timestamp |
    | status | status | Finding status |
    | vulnerabilities.affected_packages[].path | path | Package file path |

    Table 12. Container image package field mapping

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | vulnerabilities.affected_packages[].name | name | Package name |
    | vulnerabilities.affected_packages[].version | version | Package version |
    | vulnerabilities.affected_packages[].path | path | Package file path |

    Table 13. Container Vulnerable Item field mapping (CVIT)

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | firstObservedAt | first_found_dt_tm | First found date and time |
    | lastObservedAt | last_found_dt_tm | Last found date and time |
    | status | state | State |
    | title | short_description | Short description |
    | description | description | Description |
    | vulnerabilities[0].cve.uid | vulnerability | Reference to vulnerability |

    Table 14. Container vulnerability transform scripts

    | Script timing | Script name | Description |
    |---|---|---|
    | onStart | AWSSecurityHubContainerVulnerabilitiesProcessor.onStart | Initializes the processor for Security Hub container findings. |
    | onBefore | AWSSecurityHubContainerVulnerabilitiesProcessor.onBefore | Processes each imported container finding. Creates or updates CVITs, container images, and findings. |
    | onComplete | AWSSecurityHubContainerVulnerabilitiesProcessor.onComplete | Finalizes the container import and logs summary statistics. |

    AWS Security Hub Test Results import

    Data is loaded into the sn_vul_aws_security_hub_test_results_import table.

    | Column | Type | Description |
    |---|---|---|
    | activity_id | integer | Activity identifier |
    | activity_name | string | Activity name |
    | category_name | string | Category name |
    | category_uid | integer | Category unique identifier |
    | class_name | string | Class name |
    | class_uid | integer | Class unique identifier |
    | cloud | string | Cloud provider information (JSON) |
    | compliance | string | Compliance information (JSON) |
    | finding_info | string | Finding information (JSON) |
    | metadata | string | Metadata (JSON) |
    | remediation | object | Remediation information |
    | resources | string | Resource details (JSON) |
    | severity | string | Severity level |
    | severity_id | integer | Severity identifier |
    | status | string | Finding status |
    | status_id | integer | Status identifier |
    | time | integer | Timestamp (epoch) |
    | time_dt | string | Timestamp (datetime string) |
    | type_name | string | Type name |
    | type_uid | integer | Type unique identifier |
    | vendor_attributes | string | Vendor-specific attributes (JSON) |
    | sys_domain | Domain | Domain for domain separation |

    Test Results field mappings

    Table 15. Authoritative source field mapping [sn_vulc_auth_src]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | "AWS" | source | Static source value |
    | compliance.standards | source_id | Compliance standard identifier |
    | compliance.standards | short_description | Used for display |

    Table 16. Citation field mapping [sn_vulc_citation]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | (ref) | control | Reference to sn_vulc_test |
    | "AWS" | source | Static source value |
    | compliance.control | section_name | Control section name |
    | compliance.control | section | Control section |
    | (ref) | auth_src | Reference to sn_vulc_auth_src |

    Table 17. Test field mapping [sn_vulc_test]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | "AWS" | source | Static source value |
    | finding_info.title | short_description | Test short description |
    | finding_info.desc | description | Test description |
    | finding_info.uid | source_id | Source identifier |
    | finding_info.types | source_category | Source category |
    | finding_info.created_time_dt | source_created | Source creation date |
    | finding_info.modified_time_dt | source_updated | Source update date |
    | severity | source_criticality | Source criticality |
    | remediation.desc | remediation | Remediation description |

    Table 18. Test result field mapping [sn_vulc_result]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | finding_info.first_seen_time_dt | first_seen | First seen date |
    | finding_info.last_seen_time_dt | last_seen | Last seen date |
    | compliance.status | result | Compliance result: PASS, FAIL, WARNING, or UNKNOWN |
    | vendor_attributes.severity | risk_score | Risk score from vendor |
    | time_dt | last_found_dt_time | Last found date and time |
    | finding_info.desc | description | Result description |
    | (ref) | control | Reference to sn_vulc_test |

    Table 19. Test Results CI field mapping [sn_sec_cmn_src_ci]

    | AWS Security Hub field | ServiceNow field | Description |
    |---|---|---|
    | resources.uid | source_id | Source identifier |
    | resources.uid | resource_id | Resource identifier |
    | resources.region | cloud_region | AWS region |
    | resources.owner.account.uid | cloud_account | AWS account ID |
    | resources.type | cloud_resource_type | Cloud resource type |
    | cloud.provider | cloud_service_provider | Cloud service provider |
    | "Cloud" | asset_category | Static value: Cloud |
    | resources | source_data | Raw source data |

    Table 20. Test Results transform scripts

    | Script timing | Script name | Description |
    |---|---|---|
    | onStart | AWSSecurityHubTestResultsProcessor.onStart | Initializes the processor for test results. |
    | onBefore | AWSSecurityHubTestResultsProcessor.onBefore | Processes each imported configuration finding. Creates or updates tests, test results, and CIs. |
    | onComplete | AWSSecurityHubTestResultsProcessor.onComplete | Finalizes the test results import and logs summary statistics. |