[ aws . securityhub ]

get-findings

Description

Returns a list of findings that match the specified criteria.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

get-findings is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results. You can disable pagination by providing the --no-paginate argument. When using --output text and the --query argument on a paginated response, the --query argument must extract data from the results of the following query expression: Findings.

Synopsis

  get-findings
[--filters <value>]
[--sort-criteria <value>]
[--cli-input-json <value>]
[--starting-token <value>]
[--page-size <value>]
[--max-items <value>]
[--generate-cli-skeleton <value>]

Options

--filters (structure)

The findings attributes used to define a condition to filter the findings returned.

JSON Syntax:

{
  "ProductArn": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "AwsAccountId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "Id": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "GeneratorId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "Type": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "FirstObservedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "LastObservedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "CreatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "UpdatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "SeverityProduct": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "SeverityNormalized": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "SeverityLabel": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "Confidence": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "Criticality": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "Title": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "Description": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "RecommendationText": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "SourceUrl": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ProductFields": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "EQUALS"
    }
    ...
  ],
  "ProductName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "CompanyName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "UserDefinedFields": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "EQUALS"
    }
    ...
  ],
  "MalwareName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "MalwareType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "MalwarePath": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "MalwareState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NetworkDirection": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NetworkProtocol": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NetworkSourceIpV4": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkSourceIpV6": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkSourcePort": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "NetworkSourceDomain": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NetworkSourceMac": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NetworkDestinationIpV4": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkDestinationIpV6": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "NetworkDestinationPort": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "NetworkDestinationDomain": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ProcessName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ProcessPath": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ProcessPid": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "ProcessParentPid": [
    {
      "Gte": double,
      "Lte": double,
      "Eq": double
    }
    ...
  ],
  "ProcessLaunchedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ProcessTerminatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ThreatIntelIndicatorType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorValue": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorCategory": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorLastObservedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ThreatIntelIndicatorSource": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ThreatIntelIndicatorSourceUrl": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourcePartition": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceRegion": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceTags": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "EQUALS"
    }
    ...
  ],
  "ResourceAwsEc2InstanceType": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceImageId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceIpV4Addresses": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "ResourceAwsEc2InstanceIpV6Addresses": [
    {
      "Cidr": "string"
    }
    ...
  ],
  "ResourceAwsEc2InstanceKeyName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceIamInstanceProfileArn": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceVpcId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceSubnetId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsEc2InstanceLaunchedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ResourceAwsS3BucketOwnerId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsS3BucketOwnerName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsIamAccessKeyUserName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsIamAccessKeyStatus": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceAwsIamAccessKeyCreatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ResourceContainerName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceContainerImageId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceContainerImageName": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "ResourceContainerLaunchedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "ResourceDetailsOther": [
    {
      "Key": "string",
      "Value": "string",
      "Comparison": "EQUALS"
    }
    ...
  ],
  "ComplianceStatus": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "VerificationState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "WorkflowState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "RecordState": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "RelatedFindingsProductArn": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "RelatedFindingsId": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NoteText": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "NoteUpdatedAt": [
    {
      "Start": "string",
      "End": "string",
      "DateRange": {
        "Value": integer,
        "Unit": "DAYS"
      }
    }
    ...
  ],
  "NoteUpdatedBy": [
    {
      "Value": "string",
      "Comparison": "EQUALS"|"PREFIX"
    }
    ...
  ],
  "Keyword": [
    {
      "Value": "string"
    }
    ...
  ]
}
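The value shapes above are easy to get wrong by hand (a `CONTAINS` comparison, a missing `Unit`, a `Value` where a `Cidr` is expected), and the API only tells you after the call. The following added example, which is not AWS code and not part of this page, builds a triage filter document and checks every entry against the shapes documented above before it is serialized for `--filters`; the `HIGH`, `CRITICAL`, `ACTIVE` and `NEW` values are Security Hub enumerations assumed here, not values listed on this page.

```python
"""Build and sanity-check a --filters document for aws securityhub get-findings.
Added example, not AWS code; the shapes checked are those in the JSON Syntax above."""
import json

# Keys the page documents with Gte/Lte/Eq, and with Key/Value/Comparison EQUALS.
NUMBER_KEYS = {"SeverityProduct", "SeverityNormalized", "Confidence", "Criticality",
               "NetworkSourcePort", "NetworkDestinationPort", "ProcessPid", "ProcessParentPid"}
MAP_KEYS = {"ProductFields", "UserDefinedFields", "ResourceTags", "ResourceDetailsOther"}
# One test per documented value shape; the set comparison runs before any key lookup.
SHAPE_OK = {
    "string": lambda e: set(e) == {"Value", "Comparison"} and e["Comparison"] in ("EQUALS", "PREFIX"),
    "map": lambda e: set(e) == {"Key", "Value", "Comparison"} and e["Comparison"] == "EQUALS",
    "number": lambda e: bool(e) and set(e) <= {"Gte", "Lte", "Eq"},
    "cidr": lambda e: set(e) == {"Cidr"},
    "keyword": lambda e: set(e) == {"Value"},
    "date": lambda e: bool(e) and set(e) <= {"Start", "End", "DateRange"} and (
        "DateRange" not in e or (set(e["DateRange"]) == {"Value", "Unit"}
                                 and e["DateRange"]["Unit"] == "DAYS")),
}


def filter_kind(key):
    """Classify a key by its documented shape: every date key listed ends in "At", every
    CIDR key contains "IpV", the rest take Value/Comparison. Mistyped keys are not caught."""
    if key == "Keyword":
        return "keyword"
    if key in MAP_KEYS:
        return "map"
    if key in NUMBER_KEYS:
        return "number"
    if key.endswith("At"):
        return "date"
    if "IpV" in key:
        return "cidr"
    return "string"


def validate_filters(filters):
    """Return a list of problems; empty means every entry matches its documented shape."""
    problems = []
    for key, entries in filters.items():
        kind = filter_kind(key)
        for i, entry in enumerate(entries):
            if not isinstance(entry, dict) or not SHAPE_OK[kind](entry):
                problems.append(f"{key}[{i}] does not match the {kind} filter shape")
    return problems


def string_filter(*values, comparison="EQUALS"):
    """Several entries under one key are alternatives; different keys must all match."""
    return [{"Value": v, "Comparison": comparison} for v in values]


def triage_filters(days=7):
    """Active, still-NEW findings rated HIGH or CRITICAL and updated in the last `days`.
    The label and state values are Security Hub enumerations assumed here, not listed above."""
    return {
        "SeverityLabel": string_filter("HIGH", "CRITICAL"),
        "RecordState": string_filter("ACTIVE"),
        "WorkflowState": string_filter("NEW"),
        "UpdatedAt": [{"DateRange": {"Value": days, "Unit": "DAYS"}}],
    }


def to_cli_argument(filters):
    """Serialize for --filters, refusing a document the API would reject anyway."""
    problems = validate_filters(filters)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(filters)
```

Write the output to filters.json and pass it as `--filters file://filters.json`; with `--max-items 50 --query 'Findings[].[Id,Severity.Normalized,Title]' --output text` this yields a triage list, and the NextToken the CLI prints resumes paging through `--starting-token`.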

--sort-criteria (list)

Findings attributes used to sort the list of findings returned.

Shorthand Syntax:

Field=string,SortOrder=string ...

JSON Syntax:

[
  {
    "Field": "string",
    "SortOrder": "asc"|"desc"
  }
  ...
]

--cli-input-json (string)

Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--starting-token (string)

A token to specify where to start paginating. This is the NextToken from a previously truncated response.

For usage examples, see Pagination in the AWS Command Line Interface User Guide.

--page-size (integer)

The size of each page to get in the AWS service call. This does not affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the AWS service, retrieving fewer items in each call. This can help prevent the AWS service calls from timing out.

For usage examples, see Pagination in the AWS Command Line Interface User Guide.

--max-items (integer)

The total number of items to return in the command's output. If the total number of items available is more than the value specified, a NextToken is provided in the command's output. To resume pagination, provide the NextToken value in the starting-token argument of a subsequent command. Do not use the NextToken response element directly outside of the AWS CLI.

For usage examples, see Pagination in the AWS Command Line Interface User Guide.

--generate-cli-skeleton (string)

Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Output

Findings -> (list)

The findings that matched the filters specified in the request.

(structure)

Provides a consistent format for the contents of Security Hub-aggregated findings. The AwsSecurityFinding format enables you to share findings between AWS security services, third-party solutions, and compliance checks.

Note

A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and compliance checks.

SchemaVersion -> (string)

The schema version that a finding is formatted for.

Id -> (string)

The security findings provider-specific identifier for a finding.

ProductArn -> (string)

The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

GeneratorId -> (string)

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.

AwsAccountId -> (string)

The AWS account ID that a finding is generated in.

Types -> (list)

One or more finding types in the format of namespace/category/classifier that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

(string)

FirstObservedAt -> (string)

An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

LastObservedAt -> (string)

An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

CreatedAt -> (string)

An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.

UpdatedAt -> (string)

An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

Severity -> (structure)

A finding's severity.

Product -> (double)

The native severity as defined by the AWS service or integrated partner product that generated the finding.

Normalized -> (integer)

The normalized severity of a finding.

Confidence -> (integer)

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Criticality -> (integer)

The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Title -> (string)

A finding's title.

Note

In this release, Title is a required property.

Description -> (string)

A finding's description.

Note

In this release, Description is a required property.

Remediation -> (structure)

A data type that describes the remediation options for a finding.

Recommendation -> (structure)

A recommendation on the steps to take to remediate the issue identified by a finding.

Text -> (string)

Describes the recommended steps to take to remediate an issue identified in a finding.

Url -> (string)

A URL to a page or site that contains information about how to remediate a finding.

SourceUrl -> (string)

A URL that links to a page about the current finding in the security-findings provider's solution.

ProductFields -> (map)

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

key -> (string)

value -> (string)

UserDefinedFields -> (map)

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

key -> (string)

value -> (string)

Malware -> (list)

A list of malware related to a finding.

(structure)

Details about one piece of malware related to a finding.

Name -> (string)

The name of the malware that was observed.

Type -> (string)

The type of the malware that was observed.

Path -> (string)

The file system path of the malware that was observed.

State -> (string)

The state of the malware that was observed.

Network -> (structure)

The details of network-related information about a finding.

Direction -> (string)

The direction of network traffic associated with a finding.

Protocol -> (string)

The protocol of network-related information about a finding.

SourceIpV4 -> (string)

The source IPv4 address of network-related information about a finding.

SourceIpV6 -> (string)

The source IPv6 address of network-related information about a finding.

SourcePort -> (integer)

The source port of network-related information about a finding.

SourceDomain -> (string)

The source domain of network-related information about a finding.

SourceMac -> (string)

The source media access control (MAC) address of network-related information about a finding.

DestinationIpV4 -> (string)

The destination IPv4 address of network-related information about a finding.

DestinationIpV6 -> (string)

The destination IPv6 address of network-related information about a finding.

DestinationPort -> (integer)

The destination port of network-related information about a finding.

DestinationDomain -> (string)

The destination domain of network-related information about a finding.

Process -> (structure)

The details of process-related information about a finding.

Name -> (string)

The name of the process.

Path -> (string)

The path to the process executable.

Pid -> (integer)

The process ID.

ParentPid -> (integer)

The parent process ID.

LaunchedAt -> (string)

The date/time that the process was launched.

TerminatedAt -> (string)

The date and time when the process was terminated.

ThreatIntelIndicators -> (list)

Threat intel details related to a finding.

(structure)

Details about the threat intel related to a finding.

Type -> (string)

The type of a threat intel indicator.

Value -> (string)

The value of a threat intel indicator.

Category -> (string)

The category of a threat intel indicator.

LastObservedAt -> (string)

The date and time when the most recent instance of a threat intel indicator was observed.

Source -> (string)

The source of the threat intel indicator.

SourceUrl -> (string)

The URL to the page or site where you can get more information about the threat intel indicator.

Resources -> (list)

A set of resource data types that describe the resources that the finding refers to.

(structure)

A resource related to a finding.

Type -> (string)

The type of the resource that details are provided for.

Id -> (string)

The canonical identifier for the given resource type.

Partition -> (string)

The canonical AWS partition name that the Region is assigned to.

Region -> (string)

The canonical AWS external Region name where this resource is located.

Tags -> (map)

A list of AWS tags associated with a resource at the time the finding was processed.

key -> (string)

value -> (string)

Details -> (structure)

Additional details about the resource related to a finding.

AwsEc2Instance -> (structure)

Details about an Amazon EC2 instance related to a finding.

Type -> (string)

The instance type of the instance.

ImageId -> (string)

The Amazon Machine Image (AMI) ID of the instance.

IpV4Addresses -> (list)

The IPv4 addresses associated with the instance.

(string)

IpV6Addresses -> (list)

The IPv6 addresses associated with the instance.

(string)

KeyName -> (string)

The key name associated with the instance.

IamInstanceProfileArn -> (string)

The IAM profile ARN of the instance.

VpcId -> (string)

The identifier of the VPC that the instance was launched in.

SubnetId -> (string)

The identifier of the subnet that the instance was launched in.

LaunchedAt -> (string)

The date/time the instance was launched.

AwsS3Bucket -> (structure)

Details about an Amazon S3 Bucket related to a finding.

OwnerId -> (string)

The canonical user ID of the owner of the S3 bucket.

OwnerName -> (string)

The display name of the owner of the S3 bucket.

AwsIamAccessKey -> (structure)

Details about an IAM access key related to a finding.

UserName -> (string)

The user associated with the IAM access key related to a finding.

Status -> (string)

The status of the IAM access key related to a finding.

CreatedAt -> (string)

The creation date/time of the IAM access key related to a finding.

Container -> (structure)

Details about a container resource related to a finding.

Name -> (string)

The name of the container related to a finding.

ImageId -> (string)

The identifier of the image related to a finding.

ImageName -> (string)

The name of the image related to a finding.

LaunchedAt -> (string)

The date and time when the container started.

Other -> (map)

Details about a resource that doesn't have a specific type defined.

key -> (string)

value -> (string)

Compliance -> (structure)

This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.

Status -> (string)

The result of a compliance check.

VerificationState -> (string)

Indicates the veracity of a finding.

WorkflowState -> (string)

The workflow state of a finding.

RecordState -> (string)

The record state of a finding.

RelatedFindings -> (list)

A list of related findings.

(structure)

Details about a related finding.

ProductArn -> (string)

The ARN of the product that generated a related finding.

Id -> (string)

The product-generated identifier for a related finding.

Note -> (structure)

A user-defined note added to a finding.

Text -> (string)

The text of a note.

UpdatedBy -> (string)

The principal that created a note.

UpdatedAt -> (string)

The timestamp of when the note was updated.

NextToken -> (string)

The token that is required for pagination.