Viewing results in evidence finder - AWS Audit Manager

Viewing results in evidence finder

After your search is finished, you can view the results that matched your search criteria.

Keep in mind that multiple resources might be assessed during evidence collection. As a result, evidence can include one or more related resources. In evidence finder, results are shown at the resource level, with one row for each resource. You can preview a summary of each resource without leaving the page.

After you review the search results, you can generate an assessment report that includes that evidence. You can also export your search results into a comma-separated values (CSV) file.

Important

We recommend that you keep evidence finder open until you have finished exploring your search results. Your search results are discarded when you navigate away from the View Results table. If needed, you can view your recent results in the CloudTrail console at https://console.aws.amazon.com/cloudtrail/. Here, the results of your search queries are preserved for seven days. However, keep in mind that you can't generate an assessment report from your search results in the CloudTrail console.

Viewing the grouped results

If you grouped your results, you can review the groupings before you dive deeper into the evidence.

Note

If you didn't group results, evidence finder doesn’t display the Group by results table. Instead, you're taken directly to the View results table.

Use the Group by results table to learn the breadth of the matching evidence and how it's distributed across a specific dimension. Results are grouped by the value that you selected. For example, if you grouped by Resource type, the table shows a list of AWS resource types. The Total evidence column shows the number of matching results for each resource type.

The group by results table in evidence finder.

To get the results for a group
  1. From the Group by results table, select the row for the results that you want to get.

  2. Choose Get results. This starts a new search query, and redirects you to the View results table where you can see the results for that group.

Viewing the search results

The View results table displays your search results. From here, you can take the following actions:

Manage your viewing preferences

Your viewing preferences control what you see on the results page.

To manage your viewing preferences
  1. Choose the settings icon (⚙) at the top of the View results table.

  2. Review and change the following settings as needed:

    1. Select visible table columns – Use the toggle option to change which columns are displayed.

    2. Page size – Select a radio button to specify how many results are shown on each page.

    3. Wrap text – Select the check box to wrap long lines of text for better readability.

  3. Choose Confirm to save your preferences.

Preview resource summaries

You can preview the related resources for the evidence that matched your search query. This helps you determine if the search query returned the intended results, or if you need to adjust your filters and re-run the search query.

Keep in mind that evidence can have one or more related resources. Evidence finder shows results at the resource level (with one row for each resource).

Note

Evidence finder returns results for automated and manual evidence. However, you can only preview resource summaries for automated evidence. This is because Audit Manager doesn’t perform resource assessments for manual evidence, and as a result, no resource summary is available.

To see details about manual evidence, choose the evidence name to open the evidence details page. If you generate an assessment report from your evidence finder results, the manual evidence details are included in the assessment report.

To preview resource summaries
  1. Select the radio button next to a result. This opens a resource summary panel on the current page.

  2. (Optional) To see the full details of the related evidence, choose the evidence name.

  3. (Optional) Use the horizontal lines (=) to drag and resize the resource summary pane.

  4. Choose (x) to close the resource summary pane.

An example resource summary on the view results page in evidence finder.

Generate an assessment report from your search results

After you're satisfied with the search results, generate an assessment report.

To generate an assessment report from your search results
  1. At the top of the View results table, choose Generate assessment report.

  2. Enter a name and a description for your assessment report, and review the assessment report details.

  3. Choose Generate assessment report.

It takes a few minutes for your assessment report to be generated. You can navigate away from evidence finder while this happens, and a green success notification will confirm when the report is ready. You can then go to the Audit Manager download center and download your assessment report.

Note

Audit Manager generates a one-time report using only the evidence from the search results. This report doesn't include any evidence that was manually added to a report from the assessment page.

Limits apply to how much evidence can be included in an assessment report. For more information, see Troubleshooting evidence finder.

Export your search results

You might need a portable version of your evidence finder search results. If this is the case, you can export your search results into a CSV file.

After you export your search results, the CSV file is available in the Audit Manager download center for seven days. A copy of the CSV file is also delivered to your preferred S3 bucket, which is known as an export destination. Your CSV file remains available in this bucket until you delete that file.

Audit Manager uses CloudTrail Lake functionality to export and deliver CSV files from evidence finder. The following factors define how the CSV export process works:

  • All of your search results are included in the CSV file. If you want to include only specific search results, we recommend that you edit your search filters. This way, you can narrow down your results to target only the evidence that you want to export.

  • CSV files are exported in compressed GZIP format. The default CSV file name is queryID/result.csv.gz, where queryID is the ID of your search query.

  • The maximum file size for a CSV export is 1 TB. If you’re exporting over 1 TB of data, your results are split into more than one file. Each CSV file is named result_number.csv.gz. The number of CSV files that you get depends on the total size of your search results. For example, exporting 2 TB of data provides you with two query result files: result_1.csv.gz and result_2.csv.gz.

  • In addition to the CSV file, a JSON sign file is delivered to your S3 bucket. This file acts as a checksum to verify that the information within the CSV file is accurate. To learn more, see CloudTrail sign file structure in the AWS CloudTrail Developer Guide. To determine whether the query results were modified, deleted, or unchanged after they were delivered, you can use the CloudTrail query results integrity validation. For instructions, see Validate saved query results in the AWS CloudTrail Developer Guide.

Note

Manual evidence text responses are not currently included in evidence finder previews or CSV exports. To see text response data, choose the manual evidence name in your evidence finder results to open the evidence details page. If you need to view text response data outside of the Audit Manager console, we recommend that you generate an assessment report from your evidence finder results. All manual evidence details, including text responses, are included in assessment reports.

Follow these steps to export your search results for the first time. This procedure gives you the option to specify a default export destination for all of your future exports. If you don't want to save a default export destination right now, you can do so later by updating your export destination settings.

Important

Before you start, make sure that you have an S3 bucket available to use as your export destination. You can use one of your existing S3 buckets, or you can create a new bucket in Amazon S3. In addition, your S3 bucket must have the required permissions policy to allow CloudTrail to write the export files to it. More specifically, the bucket policy must include an s3:PutObject action and the bucket ARN, and list CloudTrail as the service principal. We provide an example permission policy that you can use. For instructions on how to attach this policy to your S3 bucket, see Adding a bucket policy by using the Amazon S3 console.

For more tips, see configuration tips for your export destination. If you encounter any issues when exporting a CSV file, see Troubleshooting evidence finder CSV exports.
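The following bucket policy is an added example written for this page, not the example policy that Audit Manager or CloudTrail provides; it grants only what the Important note above describes (the s3:PutObject action for the CloudTrail service principal on the bucket ARN). The bucket name DOC-EXAMPLE-BUCKET, the account ID 111122223333 and the evidenceFinderExports prefix are placeholders, and the aws:SourceAccount condition is an added least-privilege restriction that assumes the delivery request carries your own account as its source.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudTrailLakeEvidenceFinderExports",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/evidenceFinderExports/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

Scoping the Resource to the prefix you enter in the Resource URI box keeps the service principal from writing anywhere else in the bucket; if exports fail after you add the condition, check that the account ID matches the account that runs the export.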

To export your search results (first-run experience)
  1. At the top of the View results table, choose Export CSV.

  2. Specify the S3 bucket that you want to export your file to.

    • Choose Browse S3 to select from your list of buckets.

    • Alternatively, you can enter the bucket URI in this format: s3://bucketname/prefix

    Tip

    To keep your destination bucket organized, you can create an optional folder for your CSV exports. To do so, append a slash (/) and a prefix to the value in the Resource URI box (for example, /evidenceFinderExports). Audit Manager then includes this prefix when it adds the CSV file to the bucket, and Amazon S3 generates the path specified by the prefix. For more information about prefixes in Amazon S3, see Organizing objects in the Amazon S3 console in the Amazon Simple Storage Service User Guide.

  3. (Optional) If you don't want to save this bucket as your default export destination, clear the check box that says Save this bucket as the default export destination in my evidence finder settings.

  4. Choose Export.

After you've saved an S3 bucket as your default export destination, you can follow these steps moving forward.

To export your search results (after you saved a default export destination)
  1. At the top of the View results table, choose Export CSV.

  2. In the prompt that appears, review the default S3 bucket where your exported file will be saved.

    1. (Optional) To continue using this bucket and hide this message moving forward, check the Don't remind me again box.

    2. (Optional) To change this bucket, follow the procedure to update your export destination settings.

  3. Choose Confirm.

Depending on how much data you’re exporting, the export process can take a few minutes to complete. You can navigate away from evidence finder while the export is in progress. When you navigate away from evidence finder, your search is stopped and your search results are discarded in the console. However, the CSV export process continues in the background. The CSV file will contain the complete set of search results that matched your query.

Viewing your results after you've exported them

To find your CSV file and check its status, go to the Audit Manager download center. When the exported file is ready, you can download your CSV file from the download center.

You can also find and download the CSV file from your export destination S3 bucket.

To find your CSV file and sign file in the Amazon S3 console
  1. Open the Amazon S3 console.

  2. Choose the export destination bucket that you specified when you exported your CSV file.

  3. Navigate through the object hierarchy until you find the CSV file and the sign file. The CSV file has a .csv.gz extension and the sign file has a .json extension.

You will navigate through an object hierarchy that is similar to the following example, but with a different export destination bucket name, account ID, date, and query ID.

All Buckets > Export_Destination_Bucket_Name > AWSLogs > Account_ID > CloudTrail-Lake > Query > YYYY > MM > DD > Query_ID