AWS Inspector data mapping

Zurich Security Management

Release: zurich
ft:locale: en-US
ft:publication_title: Zurich Security Management
ft:clusterId: security
bundleId: security
workflow: Technology

Data mapping for the AWS Inspector integration

Release version: Zurich

Updated April 2, 2026

2 minutes to read

AWS Inspector data mapping tables.

AWS Inspector Host Vulnerabilities import

Data is loaded into [sn_vul_aws_inspector_host_vuln_import] table.


Column	Type	Description
account_id	string	AWS account ID
description	string	Finding description
exploit_available	string	Exploit availability flag
finding_arn	string	Finding ARN (unique identifier)
first_observed_at	string	First observed timestamp
fix_available	string	Fix availability flag
inspector_score	float	AWS Inspector risk score
inspector_score_details	string	JSON with CVSS details and adjustments
last_observed_at	string	Last observed timestamp
network_reachability_details	string	Network reachability information
package_vulnerability_details	string	JSON with CVE, CVSS, packages
remediation	string	Remediation recommendation
resources	string	JSON with resource details (EC2, Lambda)
severity	string	Finding severity
status	string	Finding status (ACTIVE, SUPPRESSED, CLOSED)
title	string	Finding title
type	string	Finding type
updated_at	string	Last updated timestamp
epss	string	EPSS score data

Table 1. AWS Inspector severity mapping
AWS Inspector severity	ServiceNow severity value
CRITICAL	1
HIGH	2
MEDIUM	3
LOW	4
INFORMATIONAL	4
UNTRIAGED	5

Table 2. AWS Inspector cloud resource type mapping
AWS Inspector resource type	ServiceNow cloud resource type
AWS_EC2_INSTANCE	AWS::EC2::Instance
AWS_LAMBDA_FUNCTION	AWS::Lambda::Function

Table 3. CVD attributes field mapping [sn_vul_aws_cvd_attributes]

exploitAvailable	exploit	YES=1, NO=2
packageVulnerabilityDetails. severity	source_severity	Via SOURCE_SEVERITY_MAP
sourceUrl	summary	Source URL for the vulnerability
cvss[].scoringVector	v2_vector_string	When version 2.x and source is NVD
cvss[].baseScore	score	When version 2.x
cvss[].baseScore	v3_base_score	When version 3.x and source is NVD
cvss[].scoringVector	v3_vector_string	When version 3.x and source is NVD
cvss[].baseScore	v4_base_score	When version 4.x and source is NVD
cvss[].scoringVector	v4_vector_string	When version 4.x and source is NVD
epss.score	epss_score	EPSS probability score
fixAvailable	fix_available	Fix availability
exploitabilityDetails.lastKnownExploitAt	last_known_exploit_at	Last known exploit date
inspectorScoreDetails.adjustedCvss.adjustments[]	adjustment	CVSS score adjustments
inspectorScoreDetails.adjustedCvss.cvssSource	cvss_source	CVSS source
inspectorScoreDetails.adjustedCvss.score	inspector_score	Adjusted inspector score
inspectorScoreDetails.adjustedCvss.scoreSource	score_source	Score source
inspectorScoreDetails.adjustedCvss.scoringVector	scoring_vector	Adjusted scoring vector
inspectorScoreDetails.adjustedCvss.version	version	CVSS version

Table 4. Detection field mapping [sn_vul_detection]
AWS Inspector field	ServiceNow field	Description
status	source_status	Raw status from AWS Inspector
status	status	active→open; suppressed→open with is_ignored=true; closed→closed
firstObservedAt	first_found	First observed timestamp
lastObservedAt	last_found	Last observed timestamp
packageVulnerabilityDetails.vulnerablePackages	proof	Vulnerable package details
packageVulnerabilityDetails.vulnerabilityId	vulnerability	Reference to vulnerability entry
remediation.recommendation.text	solution_summary	Remediation recommendation text
findingArn	detection_key	Unique detection key for split detection
severity	source_severity	Severity of the finding from AWS

Table 5. Discovered item field mapping [sn_sec_cmn_src_ci]
AWS Inspector field	ServiceNow field	Description
resources[0].id	source_id	Source identifier
resources[0].id	resource_id	Resource identifier
lastObservedAt	last_scan_date	Last scan date
resources[0].details.awsEc2Instance.imageId	image_id	EC2 instance image ID
resources[0].details.awsEc2Instance.platform	os	Operating system platform
(mapped from resources[0].type)	cloud_resource_type	AWS_EC2_INSTANCE→AWS::EC2::Instance; AWS_LAMBDA_FUNCTION→AWS::Lambda::Function
accountId	cloud_account	AWS account ID
resources[0].region	cloud_region	AWS region
"AWS"	cloud_service_provider	Static value: AWS
"Cloud"	asset_category	Static value: Cloud
resources.details	source_data	Raw source data

Table 6. Vulnerable item field mapping [sn_vul_vulnerable_item]
AWS Inspector field	ServiceNow field	Description
firstObservedAt	first_found_dt_tm	First found date/time
lastObservedAt	last_found_dt_tm	Last found date/time
vulnerablePackages	description	Vulnerable package description
packageVulnerabilityDetails.vulnerabilityId	vulnerability	Reference to vulnerability

Table 7. Third-party vulnerability entry field mapping [sn_vul_third_party_entry]
AWS Inspector field	ServiceNow field	Description
`packageVulnerabilityDetails.vulnerabilityId`	id	Vulnerability identifier
`"AWS"`	source	Static source value
`sourceUrl`	summary	Source URL
`exploitAvailable`	exploit	Exploit availability
`packageVulnerabilityDetails.source`	category	Vulnerability source category
`packageVulnerabilityDetails.severity`	source_severity	critical→critical, high→high, medium→medium, low/informational→low, untriaged→none
`packageVulnerabilityDetails.vendorCreatedAt`	date_published	Date vulnerability was published
`packageVulnerabilityDetails.vendorUpdatedAt`	last_modified	Date vulnerability was last modified
`inspectorScore`	source_risk_score	Inspector risk score
`cvss[].baseScore`	v3_base_score	When version 3.x
`cvss[].scoringVector`	v3_vector_string	When version 3.x
`cvss[].baseScore`	v2_base_score	When version 2.x
`cvss[].scoringVector`	v2_vector_string	When version 2.x
`cvss[].baseScore`	v4_base_score	When version 4.x
`cvss[].scoringVector`	v4_vector_string	When version 4.x
`fixAvailable`	patch_available	Patch availability
`epss.score`	epss_score	EPSS probability score
`exploitabilityDetails.lastKnownExploitAt`	last_known_exploit_date	Custom field in AWS scope