ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-01-25 02:08:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(outputs): update docs for v4 outputs (#3734)

Browse Source 
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
This commit is contained in:
Pedro Martín
2024-04-10 11:54:41 +02:00
committed by GitHub
parent 693329b87e
commit e95f7dd540
2 changed files with 162 additions and 446 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/img/output-html.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 631 KiB

608
docs/tutorials/reporting.md
View File

@@ -1,28 +1,36 @@
# Reporting
By default, Prowler will generate a CSV, JSON, JSON-OCSF and a HTML report, however you could generate a JSON-ASFF (used by AWS Security Hub) report with `-M` or `--output-modes`:
By default, Prowler will generate the CSV and JSON-[OCSF](https://schema.ocsf.io/) report.
```console
prowler <provider> -M csv json json-ocsf json-asff html
prowler <provider> -M csv json-ocsf json-asff
```
If you want to generate the JSON-ASFF (used by AWS Security Hub) report you can set it using the `-M/--output-modes/--output-formats`, like:
```console
prowler <provider> --output-formats json-asff
```
By default, all the compliance outputs will be generated when Prowler is executed. Compliance outputs will be placed inside the `/output/compliance` directory.
## Custom Output Flags
By default, Prowler creates a file inside the `output` directory named `prowler-output-ACCOUNT_NUM-OUTPUT_DATE.format`.
By default, Prowler creates a file inside the `output` directory named: `prowler-output-ACCOUNT_NUM-OUTPUT_DATE.format`.
However, both the output file name and directory can be personalised:
- Custom output report name: you can use the flag `-F`/`--output-filename`
```console
prowler <provider> -M csv json json-asff html -F <custom_report_name>
prowler <provider> -M csv json-ocsf json-asff -F <custom_report_name>
```
- Custom output directory: you can use the flag `-o`/`--output-directory`
```console
prowler <provider> -M csv json json-asff html -o <custom_report_directory>
prowler <provider> -M csv json-ocsf json-asff -o <custom_report_directory>
```
???+ note
Both flags can be used simultaneously to provide a custom directory and filename.
```console
prowler <provider> -M csv json json-asff html \
prowler <provider> -M csv json-ocsf json-asff \
-F <custom_report_name> -o <custom_report_directory>
```
## Output timestamp format
@@ -33,448 +41,142 @@ By default, the timestamp format of the output files is ISO 8601. This can be ch
Prowler supports natively the following output formats:
- CSV
- JSON
- JSON-OCSF
- JSON-ASFF
- HTML
Hereunder is the structure for each of the supported report formats by Prowler:
### HTML
![HTML Output](../img/output-html.png)
### CSV
CSV format has a set of common columns for all the providers, and then provider specific columns.
The common columns are the following:
The CSV format has a common format for all the providers. The following are the available columns:
- ASSESSMENT_START_TIME
- FINDING_UNIQUE_ID
- AUTH_METHOD
- TIMESTAMP
- ACCOUNT_UID
- ACCOUNT_NAME
- ACCOUNT_EMAIL
- ACCOUNT_ORGANIZATION_UID
- ACCOUNT_ORGANIZATION_NAME
- ACCOUNT_TAGS
- FINDING_UID
- PROVIDER
- CHECK_ID
- CHECK_TITLE
- CHECK_TYPE
- STATUS
- STATUS_EXTENDED
- MUTED
- SERVICE_NAME
- SUBSERVICE_NAME
- SEVERITY
- RESOURCE_TYPE
- RESOURCE_UID
- RESOURCE_NAME
- RESOURCE_DETAILS
- RESOURCE_TAGS
- PARTITION
- REGION
- DESCRIPTION
- RISK
- RELATED_URL
- REMEDIATION_RECOMMENDATION_TEXT
- REMEDIATION_RECOMMENDATION_URL
- REMEDIATION_RECOMMENDATION_CODE_NATIVEIAC
- REMEDIATION_RECOMMENDATION_CODE_TERRAFORM
- REMEDIATION_RECOMMENDATION_CODE_CLI
- REMEDIATION_RECOMMENDATION_CODE_OTHER
- REMEDIATION_CODE_NATIVEIAC
- REMEDIATION_CODE_TERRAFORM
- REMEDIATION_CODE_CLI
- REMEDIATION_CODE_OTHER
- COMPLIANCE
- CATEGORIES
- DEPENDS_ON
- RELATED_TO
- NOTES
And then by the provider specific columns:
#### AWS
- PROFILE
- ACCOUNT_ID
- ACCOUNT_NAME
- ACCOUNT_EMAIL
- ACCOUNT_ARN
- ACCOUNT_ORG
- ACCOUNT_TAGS
- REGION
- RESOURCE_ID
- RESOURCE_ARN
#### AZURE
- TENANT_DOMAIN
- SUBSCRIPTION
- RESOURCE_ID
- RESOURCE_NAME
#### GCP
- PROJECT_ID
- LOCATION
- RESOURCE_ID
- RESOURCE_NAME
#### KUBERNETES
- NAMESPACE
- RESOURCE_ID
- RESOURCE_NAME
- PROWLER_VERSION
???+ note
Since Prowler v4 the CSV column delimiter is the semicolon (`;`)
### JSON
The following code is an example output of the JSON format:
```json
[{
"AssessmentStartTime": "2022-12-01T14:16:57.354413",
"FindingUniqueId": "",
"Provider": "aws",
"Profile": "dev",
"AccountId": "ACCOUNT_ID",
"OrganizationsInfo": null,
"Region": "eu-west-1",
"CheckID": "rds_instance_minor_version_upgrade_enabled",
"CheckTitle": "Ensure RDS instances have minor version upgrade enabled.",
"CheckType": [],
"ServiceName": "rds",
"SubServiceName": "",
"Status": "PASS",
"StatusExtended": "RDS Instance rds-instance-id has minor version upgrade enabled.",
"Severity": "low",
"ResourceId": "rds-instance-id",
"ResourceArn": "",
"ResourceTags": {
"test": "test",
"enironment": "dev"
},
"ResourceType": "AwsRdsDbInstance",
"ResourceDetails": "",
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.",
"RelatedUrl": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/",
"Remediation": {
"Code": {
"NativeIaC": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#cloudformation",
"Terraform": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#terraform",
"CLI": "aws rds modify-db-instance --db-instance-identifier <db_instance_id> --auto-minor-version-upgrade --apply-immediately",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html"
},
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
},
"Categories": [],
"Notes": "",
"Compliance": {
"CIS-1.4": [
"1.20"
],
"CIS-1.5": [
"1.20"
]
}
},
{
"AssessmentStartTime": "2022-12-01T14:16:57.354413",
"FindingUniqueId": "",
"Provider": "aws",
"Profile": "dev",
"AccountId": "ACCOUNT_ID",
"OrganizationsInfo": null,
"Region": "eu-west-1",
"CheckID": "rds_instance_minor_version_upgrade_enabled",
"CheckTitle": "Ensure RDS instances have minor version upgrade enabled.",
"CheckType": [],
"ServiceName": "rds",
"SubServiceName": "",
"Status": "PASS",
"StatusExtended": "RDS Instance rds-instance-id has minor version upgrade enabled.",
"Severity": "low",
"ResourceId": "rds-instance-id",
"ResourceArn": "",
"ResourceType": "AwsRdsDbInstance",
"ResourceTags": {},
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Risk": "Auto Minor Version Upgrade is a feature that you can enable to have your database automatically upgraded when a new minor database engine version is available. Minor version upgrades often patch security vulnerabilities and fix bugs and therefore should be applied.",
"RelatedUrl": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/",
"Remediation": {
"Code": {
"NativeIaC": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#cloudformation",
"Terraform": "https://docs.bridgecrew.io/docs/ensure-aws-db-instance-gets-all-minor-upgrades-automatically#terraform",
"CLI": "aws rds modify-db-instance --db-instance-identifier <db_instance_id> --auto-minor-version-upgrade --apply-immediately",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html"
},
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
},
"Categories": [],
"Notes": "",
"Compliance": {}
}]
```
Since Prowler v3 the CSV column delimiter is the semicolon (`;`)
### JSON-OCSF
Based on [Open Cybersecurity Schema Framework Security Finding v1.0.0-rc.3](https://schema.ocsf.io/1.0.0-rc.3/classes/security_finding?extensions=)
The JSON-OCSF output format implements the [Detection Finding](https://schema.ocsf.io/1.1.0/classes/detection_finding) from the [OCSF v1.1.0](https://schema.ocsf.io/1.1.0)
```json
[{
"finding": {
"title": "Check if ACM Certificates are about to expire in specific days or less",
"desc": "Check if ACM Certificates are about to expire in specific days or less",
"supporting_data": {
"Risk": "Expired certificates can impact service availability.",
"Notes": ""
"metadata": {
"product": {
"name": "Prowler",
"vendor_name": "Prowler",
"version": "4.0.0"
},
"remediation": {
"kb_articles": [
"https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
],
"desc": "Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check."
},
"types": [
"Data Protection"
],
"src_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
"uid": "prowler-aws-acm_certificates_expiration_check-012345678912-eu-west-1-*.xxxxxxxxxxxxxx",
"related_events": []
"version": "1.1.0"
},
"severity_id": 4,
"severity": "High",
"status": "New",
"status_code": "FAIL",
"status_detail": "No CloudTrail trails enabled and logging were found.",
"status_id": 1,
"activity_name": "Create",
"activity_id": 1,
"finding_info": {
"created_time": "2024-04-08T11:33:51.870861",
"desc": "Ensure CloudTrail is enabled in all regions",
"product_uid": "prowler",
"title": "Ensure CloudTrail is enabled in all regions",
"uid": "prowler-aws-cloudtrail_multi_region_enabled-xxxxxxxx-ap-northeast-1-xxxxxxxx"
},
"resources": [
{
"cloud_partition": "aws",
"region": "ap-northeast-1",
"group": {
"name": "acm"
"name": "cloudtrail"
},
"region": "eu-west-1",
"name": "xxxxxxxxxxxxxx",
"uid": "arn:aws:acm:eu-west-1:012345678912:certificate/xxxxxxxxxxxxxx",
"labels": [
{
"Key": "project",
"Value": "prowler-pro"
},
{
"Key": "environment",
"Value": "dev"
},
{
"Key": "terraform",
"Value": "true"
},
{
"Key": "terraform_state",
"Value": "aws"
}
],
"type": "AwsCertificateManagerCertificate",
"details": ""
"labels": [],
"name": "xxxxxxxx",
"type": "AwsCloudTrailTrail",
"uid": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxx:trail"
}
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxxx expires in 111 days.",
"compliance": {
"status": "Success",
"requirements": [
"CISA: ['your-data-2']",
"SOC2: ['cc_6_7']",
"MITRE-ATTACK: ['T1040']",
"GDPR: ['article_32']",
"HIPAA: ['164_308_a_4_ii_a', '164_312_e_1']",
"AWS-Well-Architected-Framework-Security-Pillar: ['SEC09-BP01']",
"NIST-800-171-Revision-2: ['3_13_1', '3_13_2', '3_13_8', '3_13_11']",
"NIST-800-53-Revision-4: ['ac_4', 'ac_17_2', 'sc_12']",
"NIST-800-53-Revision-5: ['sc_7_12', 'sc_7_16']",
"NIST-CSF-1.1: ['ac_5', 'ds_2']",
"RBI-Cyber-Security-Framework: ['annex_i_1_3']",
"FFIEC: ['d3-pc-im-b-1']",
"FedRamp-Moderate-Revision-4: ['ac-4', 'ac-17-2', 'sc-12']",
"FedRAMP-Low-Revision-4: ['ac-17', 'sc-12']"
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxxx expires in 111 days."
},
"message": "ACM Certificate for xxxxxxxxxxxxxx expires in 111 days.",
"severity_id": 4,
"severity": "High",
"category_name": "Findings",
"category_uid": 2,
"class_name": "DetectionFinding",
"class_uid": 2004,
"cloud": {
"account": {
"name": "",
"uid": "012345678912"
"type": "AWS_Account",
"type_id": 10,
"uid": "xxxxxxxx"
},
"region": "eu-west-1",
"org": {
"uid": "",
"name": ""
},
"provider": "aws",
"project_uid": ""
},
"time": "2023-06-30 10:28:55.297615",
"metadata": {
"original_time": "2023-06-30T10:28:55.297615",
"profiles": [
"dev"
],
"product": {
"language": "en",
"name": "Prowler",
"version": "3.6.1",
"vendor_name": "Prowler/ProwlerPro",
"feature": {
"name": "acm_certificates_expiration_check",
"uid": "acm_certificates_expiration_check",
"version": "3.6.1"
}
},
"version": "1.0.0-rc.3"
},
"state_id": 0,
"state": "New",
"status_id": 1,
"status": "Success",
"type_uid": 200101,
"type_name": "Security Finding: Create",
"impact_id": 0,
"impact": "Unknown",
"confidence_id": 0,
"confidence": "Unknown",
"activity_id": 1,
"activity_name": "Create",
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2001,
"class_name": "Security Finding"
},{
"finding": {
"title": "Check if ACM Certificates are about to expire in specific days or less",
"desc": "Check if ACM Certificates are about to expire in specific days or less",
"supporting_data": {
"Risk": "Expired certificates can impact service availability.",
"Notes": ""
},
"remediation": {
"kb_articles": [
"https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html"
],
"desc": "Monitor certificate expiration and take automated action to renew; replace or remove. Having shorter TTL for any security artifact is a general recommendation; but requires additional automation in place. If not longer required delete certificate. Use AWS config using the managed rule: acm-certificate-expiration-check."
},
"types": [
"Data Protection"
],
"src_url": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html",
"uid": "prowler-aws-acm_certificates_expiration_check-012345678912-eu-west-1-xxxxxxxxxxxxx",
"related_events": []
},
"resources": [
{
"group": {
"name": "acm"
},
"region": "eu-west-1",
"name": "xxxxxxxxxxxxx",
"uid": "arn:aws:acm:eu-west-1:012345678912:certificate/3ea965a0-368d-4d13-95eb-5042a994edc4",
"labels": [
{
"Key": "name",
"Value": "prowler-pro-saas-dev-acm-internal-wildcard"
},
{
"Key": "project",
"Value": "prowler-pro-saas"
},
{
"Key": "environment",
"Value": "dev"
},
{
"Key": "terraform",
"Value": "true"
},
{
"Key": "terraform_state",
"Value": "aws/saas/base"
}
],
"type": "AwsCertificateManagerCertificate",
"details": ""
}
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxx expires in 119 days.",
"compliance": {
"status": "Success",
"requirements": [
"CISA: ['your-data-2']",
"SOC2: ['cc_6_7']",
"MITRE-ATTACK: ['T1040']",
"GDPR: ['article_32']",
"HIPAA: ['164_308_a_4_ii_a', '164_312_e_1']",
"AWS-Well-Architected-Framework-Security-Pillar: ['SEC09-BP01']",
"NIST-800-171-Revision-2: ['3_13_1', '3_13_2', '3_13_8', '3_13_11']",
"NIST-800-53-Revision-4: ['ac_4', 'ac_17_2', 'sc_12']",
"NIST-800-53-Revision-5: ['sc_7_12', 'sc_7_16']",
"NIST-CSF-1.1: ['ac_5', 'ds_2']",
"RBI-Cyber-Security-Framework: ['annex_i_1_3']",
"FFIEC: ['d3-pc-im-b-1']",
"FedRamp-Moderate-Revision-4: ['ac-4', 'ac-17-2', 'sc-12']",
"FedRAMP-Low-Revision-4: ['ac-17', 'sc-12']"
],
"status_detail": "ACM Certificate for xxxxxxxxxxxxx expires in 119 days."
},
"message": "ACM Certificate for xxxxxxxxxxxxx expires in 119 days.",
"severity_id": 4,
"severity": "High",
"cloud": {
"account": {
"name": "",
"uid": "012345678912"
},
"region": "eu-west-1",
"org": {
"uid": "",
"name": ""
"uid": ""
},
"provider": "aws",
"project_uid": ""
"region": "ap-northeast-1"
},
"time": "2023-06-30 10:28:55.297615",
"metadata": {
"original_time": "2023-06-30T10:28:55.297615",
"profiles": [
"dev"
],
"product": {
"language": "en",
"name": "Prowler",
"version": "3.6.1",
"vendor_name": "Prowler/ProwlerPro",
"feature": {
"name": "acm_certificates_expiration_check",
"uid": "acm_certificates_expiration_check",
"version": "3.6.1"
}
},
"version": "1.0.0-rc.3"
"event_time": "2024-04-08T11:33:51.870861",
"remediation": {
"desc": "Ensure Logging is set to ON on all regions (even if they are not being used at the moment.",
"references": [
"aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail ",
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events"
]
},
"state_id": 0,
"state": "New",
"status_id": 1,
"status": "Success",
"type_uid": 200101,
"type_name": "Security Finding: Create",
"impact_id": 0,
"impact": "Unknown",
"confidence_id": 0,
"confidence": "Unknown",
"activity_id": 1,
"activity_name": "Create",
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2001,
"class_name": "Security Finding"
"type_uid": 200401,
"type_name": "Create"
}]
```
???+ note
Each finding is a `json` object.
Each finding is a `json` object within a list.
### JSON-ASFF
???+ note
Only available when using `--security-hub` or `--output-formats json-asff`
The following code is an example output of the [JSON-ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html) format:
```json
@@ -540,70 +242,84 @@ The following code is an example output of the [JSON-ASFF](https://docs.aws.amaz
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
}
},{
"SchemaVersion": "2018-10-08",
"Id": "prowler-rds_instance_minor_version_upgrade_enabled-ACCOUNT_ID-eu-west-1-06d21d75e",
"ProductArn": "arn:aws:securityhub:eu-west-1::product/prowler/prowler",
"RecordState": "ACTIVE",
"ProductFields": {
"ProviderName": "Prowler",
"ProviderVersion": "3.0-beta-21Nov2022",
"ProwlerResourceName": "rds-instance-id"
},
"GeneratorId": "prowler-rds_instance_minor_version_upgrade_enabled",
"AwsAccountId": "ACCOUNT_ID",
"Types": [],
"FirstObservedAt": "2022-12-01T13:16:57Z",
"UpdatedAt": "2022-12-01T13:16:57Z",
"CreatedAt": "2022-12-01T13:16:57Z",
"Severity": {
"Label": "LOW"
},
"Title": "Ensure RDS instances have minor version upgrade enabled.",
"Description": "Ensure RDS instances have minor version upgrade enabled.",
"Resources": [
{
"Type": "AwsRdsDbInstance",
"Id": "rds-instance-id",
"Partition": "aws",
"Region": "eu-west-1"
}
],
"Compliance": {
"Status": "PASSED",
"RelatedRequirements": [
"CISA your-systems-2 booting-up-thing-to-do-first-3",
"CIS-1.5 2.3.2",
"AWS-Foundational-Security-Best-Practices rds",
"RBI-Cyber-Security-Framework annex_i_6",
"FFIEC d3-cc-pm-b-1 d3-cc-pm-b-3"
],
"AssociatedStandards": [
{
"StandardsId": "CISA"
},
{
"StandardsId": "CIS-1.5"
},
{
"StandardsId": "AWS-Foundational-Security-Best-Practices"
},
{
"StandardsId": "RBI-Cyber-Security-Framework"
},
{
"StandardsId": "FFIEC"
}
]
},
"Remediation": {
"Recommendation": {
"Text": "Enable auto minor version upgrade for all databases and environments.",
"Url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql/"
}
}
}]
```
???+ note
Each finding is a `json` object within a list.
## V4 Deprecations
Some deprecations have been made to unify formats and improve outputs.
### HTML
HTML output format has been deprecated in favor of the new dashboard, use it with `prowler dashboard`. You can read more about it at [here](dashboard.md).
### JSON
Native JSON format has been deprecated in favor of JSON [OCSF](https://schema.ocsf.io/) `v1.1.0`.
The following is the mapping between the native JSON and the Detection Finding from the JSON-OCSF:
| Native JSON Prowler v3 | JSON-OCSF v.1.1.0 |
| --- |---|
| AssessmentStartTime | event_time |
| FindingUniqueId | finding_info.uid |
| Provider | cloud.account.type |
| CheckID | unmapped.check_id |
| CheckTitle | finding_info.title |
| CheckType | unmapped.check_type |
| ServiceName | resources.group.name |
| SubServiceName | _Not mapped yet_ |
| Status | status_code |
| StatusExtended | status_detail |
| Severity | severity |
| ResourceType | resources.type |
| ResourceDetails | _Not mapped yet_ |
| Description | finding_info.desc |
| Risk | unmapped.risk |
| RelatedUrl | unmapped.related_url |
| Remediation.Recommendation.Text | remediation.desc |
| Remediation.Recommendation.Url | remediation.references |
| Remediation.Code.NativeIaC | remediation.references |
| Remediation.Code.Terraform | remediation.references |
| Remediation.Code.CLI | remediation.references |
| Remediation.Code.Other | remediation.references |
| Compliance | _Not mapped yet_ |
| Categories | unmapped.categories |
| DependsOn | unmapped.depends_on |
| RelatedTo | unmapped.related_to |
| Notes | unmapped.notes |
| Profile | _Not mapped yet_ |
| AccountId | cloud.account.uid |
| OrganizationsInfo.account_name | cloud.account.name |
| OrganizationsInfo.account_email | _Not mapped yet_ |
| OrganizationsInfo.account_arn | _Not mapped yet_ |
| OrganizationsInfo.account_org | cloud.org.name |
| OrganizationsInfo.account_tags | cloud.account.labels _Available from OCSF 1.2_ |
| Region | resources.region |
| ResourceId | resources.name |
| ResourceArn | resources.uid |
| ResourceTags | resources.labels |
### CSV Columns
In Prowler v3 each provider had some specific columns, different from the rest. These are the cases that have changed in Prowler v4:
| Provider | v3 | v4 |
| --- |---|---|
| AWS | PROFILE | AUTH_METHOD |
| AWS | ACCOUNT_ID| ACCOUNT_UID |
| AWS | ACCOUNT_ORGANIZATION_ARN | ACCOUNT_ORGANIZATION_UID |
| AWS | ACCOUNT_ORG | ACCOUNT_ORGANIZATION_NAME |
| AWS | FINDING_UNIQUE_ID | FINDING_UID |
| AWS | ASSESSMENT_START_TIME | TIMESTAMP |
| AZURE | TENANT_DOMAIN | ACCOUNT_ORGANIZATION_NAME |
| AZURE | SUBSCRIPTION | ACCOUNT_UID |
| GCP | PROJECT_ID | ACCOUNT_UID |
| GCP | LOCATION | REGION |
| AWS / AZURE / GCP | RESOURCE_ID | RESOURCE_NAME |
| AWS / AZURE / GCP | RESOURCE_ARN | RESOURCE_UID |