[ aws . securityhub ]

get-findings

Description

Lists and describes Security Hub-aggregated findings that are specified by filter attributes.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

get-findings is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results. You can disable pagination by providing the --no-paginate argument. When using --output text and the --query argument on a paginated response, the --query argument must extract data from the results of the following query expressions: Findings

Synopsis

  get-findings
[--filters <value>]
[--sort-criteria <value>]
[--cli-input-json <value>]
[--starting-token <value>]
[--page-size <value>]
[--max-items <value>]
[--generate-cli-skeleton <value>]

Options

--filters (structure)

A collection of attributes that is used for querying findings.

JSON Syntax:

{
  "ProductArn": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "AwsAccountId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "Id": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "GeneratorId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "Type": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "FirstObservedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "LastObservedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "CreatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "UpdatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "SeverityProduct": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "SeverityNormalized": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "SeverityLabel": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "Confidence": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "Criticality": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "Title": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "Description": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "RecommendationText": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "SourceUrl": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ProductFields": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "CONTAINS"
    }
    ...
  ],
  "ProductName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "CompanyName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "UserDefinedFields": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "CONTAINS"
    }
    ...
  ],
  "MalwareName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "MalwareType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "MalwarePath": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "MalwareState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NetworkDirection": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NetworkProtocol": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NetworkSourceIpV4": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkSourceIpV6": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkSourcePort": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "NetworkSourceDomain": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NetworkSourceMac": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NetworkDestinationIpV4": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkDestinationIpV6": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkDestinationPort": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "NetworkDestinationDomain": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ProcessName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ProcessPath": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ProcessPid": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "ProcessParentPid": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "ProcessLaunchedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ProcessTerminatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ThreatIntelIndicatorType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorValue": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorCategory": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorLastObservedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ThreatIntelIndicatorSource": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorSourceUrl": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourcePartition": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceRegion": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceTags": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "CONTAINS"
    }
    ...
  ],
  "ResourceAwsEc2InstanceType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceImageId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceIpV4Addresses": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "ResourceAwsEc2InstanceIpV6Addresses": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "ResourceAwsEc2InstanceKeyName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceIamInstanceProfileArn": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceVpcId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceSubnetId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceLaunchedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ResourceAwsS3BucketOwnerId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsS3BucketOwnerName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsIamAccessKeyUserName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsIamAccessKeyStatus": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsIamAccessKeyCreatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ResourceContainerName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceContainerImageId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceContainerImageName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "ResourceContainerLaunchedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ResourceDetailsOther": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "CONTAINS"
    }
    ...
  ],
  "ComplianceStatus": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "VerificationState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "WorkflowState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "RecordState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "RelatedFindingsProductArn": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "RelatedFindingsId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NoteText": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "NoteUpdatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "NoteUpdatedBy": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"CONTAINS"|"PREFIX"
    }
    ...
  ],
  "Keyword": [
    {
      "Value": "string"
    }
    ...
  ]
}
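The filter syntax above is easier to reason about with a concrete filter and the findings it would select. The following is an added example, not code from the AWS CLI reference: `FILTERS` is written in the `--filters` JSON shape documented above, and the evaluator and sample findings are constructed here so the comparison rules (EQUALS/CONTAINS/PREFIX, Gte/Lte/Eq, Start/End or a DateRange in DAYS) can be run offline. It assumes that the conditions listed under one filter key are OR'd together and that different keys are AND'd; only the filter keys used in the example are mapped to finding fields.

```python
from datetime import datetime, timedelta, timezone

# Filter keys grouped by the condition shape the page documents for them; every
# other key used here is a string filter with Value + Comparison.
NUMBER_KEYS = {"SeverityNormalized"}   # Gte / Lte / Eq
DATE_KEYS = {"UpdatedAt"}              # Start / End or DateRange


def field_values(finding, key):
    """Every value in a finding that the filter key is compared against."""
    if key == "ResourceType":          # a finding may reference several resources
        return [r.get("Type") for r in finding.get("Resources", [])]
    if key == "SeverityNormalized":
        return [finding.get("Severity", {}).get("Normalized")]
    return [finding.get(key)]          # RecordState and UpdatedAt map 1:1


def string_match(cond, value):
    """EQUALS / CONTAINS / PREFIX comparison of one string filter condition."""
    if value is None:
        return False
    needle, comparison = cond["Value"], cond.get("Comparison", "EQUALS")
    return {"EQUALS": value == needle,
            "CONTAINS": needle in value,
            "PREFIX": value.startswith(needle)}[comparison]


def number_match(cond, value):
    """Gte / Lte / Eq bounds; every bound that is present must hold."""
    if value is None:
        return False
    return (("Eq" not in cond or value == cond["Eq"])
            and ("Gte" not in cond or value >= cond["Gte"])
            and ("Lte" not in cond or value <= cond["Lte"]))


def _ts(text):
    """ISO8601 timestamp with a trailing Z (as in the output section) to an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def date_match(cond, value, now):
    """Absolute Start/End window, or a DateRange of N DAYS ending at `now`."""
    if value is None:
        return False
    ts = _ts(value)
    if "DateRange" in cond:            # Unit is DAYS, the only unit the page lists
        return now - timedelta(days=cond["DateRange"]["Value"]) <= ts <= now
    return (("Start" not in cond or ts >= _ts(cond["Start"]))
            and ("End" not in cond or ts <= _ts(cond["End"])))


def finding_matches(finding, filters, now):
    """AND across filter keys; OR across the conditions listed under one key (assumption)."""
    for key, conds in filters.items():
        match = (date_match if key in DATE_KEYS else
                 number_match if key in NUMBER_KEYS else string_match)
        extra = (now,) if key in DATE_KEYS else ()
        values = field_values(finding, key)
        if not any(match(c, v, *extra) for c in conds for v in values):
            return False
    return True


def select_findings(findings, filters, now):
    """Ids of the findings the filter selects, in input order."""
    return [f["Id"] for f in findings if finding_matches(f, filters, now)]


# Active findings with normalized severity >= 70, on EC2 or IAM access-key
# resources, updated within the last 7 days.
FILTERS = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "SeverityNormalized": [{"Gte": 70}],
    "ResourceType": [{"Value": "AwsEc2", "Comparison": "PREFIX"},
                     {"Value": "AwsIamAccessKey", "Comparison": "EQUALS"}],
    "UpdatedAt": [{"DateRange": {"Value": 7, "Unit": "DAYS"}}],
}

NOW = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock, for reproducible results


def _sample(fid, state, severity, rtype, updated):
    """Constructed finding carrying only the fields the filter above reads."""
    return {"Id": fid, "RecordState": state, "UpdatedAt": updated,
            "Severity": {"Normalized": severity},
            "Resources": [{"Type": rtype, "Id": "resource-" + fid}]}


SAMPLE_FINDINGS = [   # constructed, not real findings
    _sample("example-1", "ACTIVE", 90, "AwsEc2Instance", "2019-02-28T10:00:00Z"),
    _sample("example-2", "ACTIVE", 90, "AwsS3Bucket", "2019-02-28T10:00:00Z"),      # wrong resource type
    _sample("example-3", "ARCHIVED", 90, "AwsEc2Instance", "2019-02-28T10:00:00Z"), # not ACTIVE
    _sample("example-4", "ACTIVE", 40, "AwsIamAccessKey", "2019-02-28T10:00:00Z"),  # severity too low
    _sample("example-5", "ACTIVE", 80, "AwsIamAccessKey", "2019-01-15T10:00:00Z"),  # older than 7 days
    _sample("example-6", "ACTIVE", 75, "AwsIamAccessKey", "2019-02-25T10:00:00Z"),
]

if __name__ == "__main__":
    print(select_findings(SAMPLE_FINDINGS, FILTERS, NOW))   # ['example-1', 'example-6']
```

To run the same filter against the service, write `json.dumps(FILTERS)` to a file and pass it with `aws securityhub get-findings --filters file://filters.json`; the `file://` prefix is the CLI's standard way of supplying a JSON parameter from disk. A finding with no value for a filtered field never matches, which is why the local evaluator treats a missing field as a non-match rather than raising.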

--sort-criteria (list)

A collection of attributes used for sorting findings.

Shorthand Syntax:

Field=string,SortOrder=string ...

JSON Syntax:

[
  {
    "Field": "string",
    "SortOrder": "asc"|"desc"
  }
  ...
]

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--starting-token (string)

A token to specify where to start paginating. This is the NextToken from a previously truncated response.

For usage examples, see Pagination in the AWS Command Line Interface User Guide.

--page-size (integer)

The size of each page to get in the AWS service call. This does not affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the AWS service, retrieving fewer items in each call. This can help prevent the AWS service calls from timing out.

For usage examples, see Pagination in the AWS Command Line Interface User Guide.

--max-items (integer)

The total number of items to return in the command's output. If the total number of items available is more than the value specified, a NextToken is provided in the command's output. To resume pagination, provide the NextToken value in the starting-token argument of a subsequent command. Do not use the NextToken response element directly outside of the AWS CLI.

For usage examples, see Pagination in the AWS Command Line Interface User Guide.
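The three pagination options above describe a NextToken loop that the CLI runs on your behalf. Written out, as an added example that is not part of the AWS CLI reference, it looks like the following: `--page-size` becomes the per-call `MaxResults`, `--starting-token` seeds the first `NextToken`, and `--max-items` caps the total. `FakeSecurityHub` is a constructed stand-in that pages over an in-memory list with an offset as its token (real tokens are opaque); the assumption is that a real client for the GetFindings call takes the same `Filters`, `NextToken` and `MaxResults` keyword arguments, as the boto3 securityhub client does.

```python
class FakeSecurityHub:
    """Constructed stand-in for the service: serves `items` one page at a time."""

    def __init__(self, items):
        self.items = items
        self.calls = 0                      # number of service calls made so far

    def get_findings(self, Filters=None, NextToken=None, MaxResults=100):
        self.calls += 1
        start = int(NextToken) if NextToken is not None else 0   # offset token, for this fake only
        page = self.items[start:start + MaxResults]
        resp = {"Findings": page}
        if start + MaxResults < len(self.items):                  # more pages remain
            resp["NextToken"] = str(start + MaxResults)
        return resp


def fetch_findings(client, filters, page_size=100, max_items=None, starting_token=None):
    """Page through GetFindings and return (findings, next_token).

    next_token is None once the service has nothing more to return, otherwise it
    is the token to resume from. The last page is requested with a smaller
    MaxResults so the result never overshoots max_items; that keeps the service's
    own NextToken a valid resume point without any client-side bookkeeping.
    """
    collected, token = [], starting_token
    while True:
        want = page_size if max_items is None else min(page_size, max_items - len(collected))
        if want <= 0:                       # cap reached; token still points at the next page
            break
        kwargs = {"Filters": filters, "MaxResults": want}
        if token is not None:
            kwargs["NextToken"] = token
        resp = client.get_findings(**kwargs)
        collected.extend(resp.get("Findings", []))
        token = resp.get("NextToken")
        if token is None:                   # no NextToken in the response: last page
            break
    return collected, token


if __name__ == "__main__":
    svc = FakeSecurityHub([{"Id": "finding-%d" % i} for i in range(7)])   # constructed findings
    first, resume = fetch_findings(svc, {}, page_size=3, max_items=5)
    rest, done = fetch_findings(svc, {}, page_size=3, starting_token=resume)
    print(len(first), resume, len(rest), done, svc.calls)   # 5 5 2 None 3
```

The loop surfaces the trade-off the `--page-size` text describes: three items per call over seven findings costs three service calls, while a page size of 100 would cost one. Resuming from the returned token continues exactly where the capped run stopped, which is what `--starting-token` does for the CLI.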

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Output

Findings -> (list)

Findings details returned by the operation.

(structure)

Provides a consistent format for the contents of the Security Hub-aggregated findings. The AwsSecurityFinding format enables you to share findings between AWS security services, third-party solutions, and compliance checks.

Note

A finding is a potential security issue generated either by AWS services (GuardDuty, Inspector, Macie) or by the integrated third-party solutions and compliance checks.

SchemaVersion -> (string)

The schema version for which a finding is formatted.

Id -> (string)

The security findings provider-specific identifier for a finding.

ProductArn -> (string)

The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.

GeneratorId -> (string)

This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.

AwsAccountId -> (string)

The AWS account ID in which a finding is generated.

Types -> (list)

One or more finding types in the format of 'namespace/category/classifier' that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

(string)

FirstObservedAt -> (string)

An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.

LastObservedAt -> (string)

An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.

CreatedAt -> (string)

An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.

UpdatedAt -> (string)

An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.

Severity -> (structure)

A finding's severity.

Product -> (double)

The native severity as defined by the security findings provider's solution that generated the finding.

Normalized -> (integer)

The normalized severity of a finding.

Confidence -> (integer)

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale: 0 equates to zero percent confidence and 100 equates to 100 percent confidence.

Criticality -> (integer)

The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Title -> (string)

A finding's title.

Note

In this release, Title is a required property.

Description -> (string)

A finding's description.

Note

In this release, Description is a required property.

Remediation -> (structure)

A data type that describes the remediation options for a finding.

Recommendation -> (structure)

Provides a recommendation on how to remediate the issue identified within a finding.

Text -> (string)

The recommendation of what to do about the issue described in a finding.

Url -> (string)

A URL to link to general remediation information for the finding type of a finding.

SourceUrl -> (string)

A URL that links to a page about the current finding in the security findings provider's solution.

ProductFields -> (map)

A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.

key -> (string)

value -> (string)

UserDefinedFields -> (map)

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

key -> (string)

value -> (string)

Malware -> (list)

A list of malware related to a finding.

(structure)

A single malware entry related to a finding.

Name -> (string)

The name of the malware that was observed.

Type -> (string)

The type of the malware that was observed.

Path -> (string)

The filesystem path of the malware that was observed.

State -> (string)

The state of the malware that was observed.

Network -> (structure)

The details of network-related information about a finding.

Direction -> (string)

Indicates the direction of network traffic associated with a finding.

Protocol -> (string)

The protocol of network-related information about a finding.

SourceIpV4 -> (string)

The source IPv4 address of network-related information about a finding.

SourceIpV6 -> (string)

The source IPv6 address of network-related information about a finding.

SourcePort -> (integer)

The source port of network-related information about a finding.

SourceDomain -> (string)

The source domain of network-related information about a finding.

SourceMac -> (string)

The source media access control (MAC) address of network-related information about a finding.

DestinationIpV4 -> (string)

The destination IPv4 address of network-related information about a finding.

DestinationIpV6 -> (string)

The destination IPv6 address of network-related information about a finding.

DestinationPort -> (integer)

The destination port of network-related information about a finding.

DestinationDomain -> (string)

The destination domain of network-related information about a finding.

Process -> (structure)

The details of process-related information about a finding.

Name -> (string)

The name of the process.

Path -> (string)

The path to the process executable.

Pid -> (integer)

The process ID.

ParentPid -> (integer)

The parent process ID.

LaunchedAt -> (string)

The date/time that the process was launched.

TerminatedAt -> (string)

The date/time that the process was terminated.

ThreatIntelIndicators -> (list)

Threat intel details related to a finding.

(structure)

Threat intel details related to a finding.

Type -> (string)

The type of a threat intel indicator.

Value -> (string)

The value of a threat intel indicator.

Category -> (string)

The category of a threat intel indicator.

LastObservedAt -> (string)

The date/time of the last observation of a threat intel indicator.

Source -> (string)

The source of the threat intel.

SourceUrl -> (string)

The URL for more details from the source of the threat intel.

Resources -> (list)

A set of resource data types that describe the resources to which the finding refers.

(structure)

A resource data type that describes a resource to which the finding refers.

Type -> (string)

Specifies the type of the resource for which details are provided.

Id -> (string)

The canonical identifier for the given resource type.

Partition -> (string)

The canonical AWS partition name to which the region is assigned.

Region -> (string)

The canonical AWS external region name where this resource is located.

Tags -> (map)

A list of AWS tags associated with a resource at the time the finding was processed.

key -> (string)

value -> (string)

Details -> (structure)

Provides additional details about the resource.

AwsEc2Instance -> (structure)

The details of an AWS EC2 instance.

Type -> (string)

The instance type of the instance.

ImageId -> (string)

The Amazon Machine Image (AMI) ID of the instance.

IpV4Addresses -> (list)

The IPv4 addresses associated with the instance.

(string)

IpV6Addresses -> (list)

The IPv6 addresses associated with the instance.

(string)

KeyName -> (string)

The key name associated with the instance.

IamInstanceProfileArn -> (string)

The IAM profile ARN of the instance.

VpcId -> (string)

The identifier of the VPC in which the instance was launched.

SubnetId -> (string)

The identifier of the subnet in which the instance was launched.

LaunchedAt -> (string)

The date/time the instance was launched.

AwsS3Bucket -> (structure)

The details of an AWS S3 Bucket.

OwnerId -> (string)

The canonical user ID of the owner of the S3 bucket.

OwnerName -> (string)

The display name of the owner of the S3 bucket.

AwsIamAccessKey -> (structure)

AWS IAM access key details related to a finding.

UserName -> (string)

The user associated with the IAM access key related to a finding.

Status -> (string)

The status of the IAM access key related to a finding.

CreatedAt -> (string)

The creation date/time of the IAM access key related to a finding.

Container -> (structure)

Container details related to a finding.

Name -> (string)

The name of the container related to a finding.

ImageId -> (string)

The identifier of the image related to a finding.

ImageName -> (string)

The name of the image related to a finding.

LaunchedAt -> (string)

The date/time that the container was started.

Other -> (map)

The details of a resource that does not have a specific sub-field for the resource type defined.

key -> (string)

value -> (string)

Compliance -> (structure)

This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.

Status -> (string)

Indicates the result of a compliance check.

VerificationState -> (string)

Indicates the veracity of a finding.

WorkflowState -> (string)

The workflow state of a finding.

RecordState -> (string)

The record state of a finding.

RelatedFindings -> (list)

A list of related findings.

(structure)

Details of a related finding.

ProductArn -> (string)

The ARN of the solution that generated a related finding.

Id -> (string)

The solution-generated identifier for a related finding.

Note -> (structure)

A user-defined note added to a finding.

Text -> (string)

The text of a note.

UpdatedBy -> (string)

The principal that created a note.

UpdatedAt -> (string)

The timestamp of when the note was updated.

NextToken -> (string)

The token that is required for pagination.
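A short triage pass over a response in the output shape documented above, as an added example that is not part of the AWS CLI reference. It checks each finding's `Types` entries against the five namespace values the Types field lists, and flattens active findings into (normalized severity, account, resource id, title) rows, highest severity first, so one finding that references several resources yields one row per resource. The response, account ids, ARNs and titles are constructed placeholders, not real data.

```python
# The namespace values the Types field documents as valid.
VALID_NAMESPACES = {
    "Software and Configuration Checks", "TTPs", "Effects",
    "Unusual Behaviors", "Sensitive Data Identifications",
}

# Constructed get-findings response; every identifier is a placeholder.
SAMPLE_RESPONSE = {
    "Findings": [
        {"Id": "finding-a", "AwsAccountId": "111111111111", "RecordState": "ACTIVE",
         "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
         "Severity": {"Product": 7.5, "Normalized": 75},
         "Title": "Constructed finding A",
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:111111111111:instance/i-0placeholder1"}]},
        {"Id": "finding-b", "AwsAccountId": "222222222222", "RecordState": "ACTIVE",
         "Types": ["TTPs/Example Category/Example Classifier"],
         "Severity": {"Product": 9.0, "Normalized": 90},
         "Title": "Constructed finding B",
         "Resources": [{"Type": "AwsIamAccessKey", "Id": "access-key-placeholder"},
                       {"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:222222222222:instance/i-0placeholder2"}]},
        {"Id": "finding-c", "AwsAccountId": "111111111111", "RecordState": "ARCHIVED",
         "Types": ["Bogus Namespace/Example/Classifier"],   # deliberately invalid namespace
         "Severity": {"Product": 2.0, "Normalized": 20},
         "Title": "Constructed finding C",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::placeholder-bucket"}]},
    ],
    "NextToken": "placeholder-token",   # present only when more pages remain
}


def invalid_types(finding):
    """Types entries whose 'namespace/category/classifier' namespace is not a documented value."""
    return [t for t in finding.get("Types", [])
            if t.split("/", 1)[0] not in VALID_NAMESPACES]


def type_problems(response):
    """Map finding Id -> offending Types entries; empty when every namespace is valid."""
    problems = {}
    for finding in response.get("Findings", []):
        bad = invalid_types(finding)
        if bad:
            problems[finding["Id"]] = bad
    return problems


def triage(response):
    """Active findings as (normalized severity, account, resource id, title), highest first."""
    rows = []
    for finding in response.get("Findings", []):
        if finding.get("RecordState") != "ACTIVE":      # archived records are not actionable
            continue
        for resource in finding.get("Resources", []):
            rows.append((finding["Severity"]["Normalized"], finding["AwsAccountId"],
                         resource["Id"], finding["Title"]))
    return sorted(rows, key=lambda row: row[0], reverse=True)


def has_more_pages(response):
    """True when the response carries a NextToken, i.e. another get-findings call is needed."""
    return response.get("NextToken") is not None


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(row)
    print(type_problems(SAMPLE_RESPONSE))   # {'finding-c': ['Bogus Namespace/Example/Classifier']}
    print(has_more_pages(SAMPLE_RESPONSE))  # True
```

Sorting on `Severity.Normalized` rather than `Severity.Product` is deliberate: Product is the provider's native scale and differs between providers, while Normalized is the common scale Security Hub presents for comparing findings from different sources.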