AWS Security Hub
AWS Security Hub (API Version 2018-10-26)

GetFindings

Returns a list of findings that match the specified criteria.

Request Syntax

POST /findings HTTP/1.1 Content-type: application/json { "Filters": { "AwsAccountId": [ { "Comparison": "string", "Value": "string" } ], "CompanyName": [ { "Comparison": "string", "Value": "string" } ], "ComplianceStatus": [ { "Comparison": "string", "Value": "string" } ], "Confidence": [ { "Eq": number, "Gte": number, "Lte": number } ], "CreatedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "Criticality": [ { "Eq": number, "Gte": number, "Lte": number } ], "Description": [ { "Comparison": "string", "Value": "string" } ], "FirstObservedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "GeneratorId": [ { "Comparison": "string", "Value": "string" } ], "Id": [ { "Comparison": "string", "Value": "string" } ], "Keyword": [ { "Value": "string" } ], "LastObservedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "MalwareName": [ { "Comparison": "string", "Value": "string" } ], "MalwarePath": [ { "Comparison": "string", "Value": "string" } ], "MalwareState": [ { "Comparison": "string", "Value": "string" } ], "MalwareType": [ { "Comparison": "string", "Value": "string" } ], "NetworkDestinationDomain": [ { "Comparison": "string", "Value": "string" } ], "NetworkDestinationIpV4": [ { "Cidr": "string" } ], "NetworkDestinationIpV6": [ { "Cidr": "string" } ], "NetworkDestinationPort": [ { "Eq": number, "Gte": number, "Lte": number } ], "NetworkDirection": [ { "Comparison": "string", "Value": "string" } ], "NetworkProtocol": [ { "Comparison": "string", "Value": "string" } ], "NetworkSourceDomain": [ { "Comparison": "string", "Value": "string" } ], "NetworkSourceIpV4": [ { "Cidr": "string" } ], "NetworkSourceIpV6": [ { "Cidr": "string" } ], "NetworkSourceMac": [ { "Comparison": "string", "Value": "string" } ], "NetworkSourcePort": [ { "Eq": number, "Gte": number, "Lte": number } ], "NoteText": [ { "Comparison": "string", "Value": "string" } ], "NoteUpdatedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "NoteUpdatedBy": [ { "Comparison": "string", "Value": "string" } ], "ProcessLaunchedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "ProcessName": [ { "Comparison": "string", "Value": "string" } ], "ProcessParentPid": [ { "Eq": number, "Gte": number, "Lte": number } ], "ProcessPath": [ { "Comparison": "string", "Value": "string" } ], "ProcessPid": [ { "Eq": number, "Gte": number, "Lte": number } ], "ProcessTerminatedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "ProductArn": [ { "Comparison": "string", "Value": "string" } ], "ProductFields": [ { "Comparison": "string", "Key": "string", "Value": "string" } ], "ProductName": [ { "Comparison": "string", "Value": "string" } ], "RecommendationText": [ { "Comparison": "string", "Value": "string" } ], "RecordState": [ { "Comparison": "string", "Value": "string" } ], "RelatedFindingsId": [ { "Comparison": "string", "Value": "string" } ], "RelatedFindingsProductArn": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsEc2InstanceIamInstanceProfileArn": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsEc2InstanceImageId": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsEc2InstanceIpV4Addresses": [ { "Cidr": "string" } ], "ResourceAwsEc2InstanceIpV6Addresses": [ { "Cidr": "string" } ], "ResourceAwsEc2InstanceKeyName": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsEc2InstanceLaunchedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "ResourceAwsEc2InstanceSubnetId": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsEc2InstanceType": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsEc2InstanceVpcId": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsIamAccessKeyCreatedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "ResourceAwsIamAccessKeyStatus": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsIamAccessKeyUserName": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsS3BucketOwnerId": [ { "Comparison": "string", "Value": "string" } ], "ResourceAwsS3BucketOwnerName": [ { "Comparison": "string", "Value": "string" } ], "ResourceContainerImageId": [ { "Comparison": "string", "Value": "string" } ], "ResourceContainerImageName": [ { "Comparison": "string", "Value": "string" } ], "ResourceContainerLaunchedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "ResourceContainerName": [ { "Comparison": "string", "Value": "string" } ], "ResourceDetailsOther": [ { "Comparison": "string", "Key": "string", "Value": "string" } ], "ResourceId": [ { "Comparison": "string", "Value": "string" } ], "ResourcePartition": [ { "Comparison": "string", "Value": "string" } ], "ResourceRegion": [ { "Comparison": "string", "Value": "string" } ], "ResourceTags": [ { "Comparison": "string", "Key": "string", "Value": "string" } ], "ResourceType": [ { "Comparison": "string", "Value": "string" } ], "SeverityLabel": [ { "Comparison": "string", "Value": "string" } ], "SeverityNormalized": [ { "Eq": number, "Gte": number, "Lte": number } ], "SeverityProduct": [ { "Eq": number, "Gte": number, "Lte": number } ], "SourceUrl": [ { "Comparison": "string", "Value": "string" } ], "ThreatIntelIndicatorCategory": [ { "Comparison": "string", "Value": "string" } ], "ThreatIntelIndicatorLastObservedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "ThreatIntelIndicatorSource": [ { "Comparison": "string", "Value": "string" } ], "ThreatIntelIndicatorSourceUrl": [ { "Comparison": "string", "Value": "string" } ], "ThreatIntelIndicatorType": [ { "Comparison": "string", "Value": "string" } ], "ThreatIntelIndicatorValue": [ { "Comparison": "string", "Value": "string" } ], "Title": [ { "Comparison": "string", "Value": "string" } ], "Type": [ { "Comparison": "string", "Value": "string" } ], "UpdatedAt": [ { "DateRange": { "Unit": "string", "Value": number }, "End": "string", "Start": "string" } ], "UserDefinedFields": [ { "Comparison": "string", "Key": "string", "Value": "string" } ], "VerificationState": [ { "Comparison": "string", "Value": "string" } ], "WorkflowState": [ { "Comparison": "string", "Value": "string" } ] }, "MaxResults": number, "NextToken": "string", "SortCriteria": [ { "Field": "string", "SortOrder": "string" } ] }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

Filters

The findings attributes used to define a condition to filter the findings returned.

Type: AwsSecurityFindingFilters object

Required: No

MaxResults

The maximum number of findings to return.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

NextToken

Paginates results. On your first call to the GetFindings operation, set the value of this parameter to NULL. For subsequent calls to the operation, fill nextToken in the request with the value of nextToken from the previous response to continue listing data.

Type: String

Required: No

SortCriteria

Findings attributes used to sort the list of findings returned.

Type: Array of SortCriterion objects

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "Findings": [ { "AwsAccountId": "string", "Compliance": { "Status": "string" }, "Confidence": number, "CreatedAt": "string", "Criticality": number, "Description": "string", "FirstObservedAt": "string", "GeneratorId": "string", "Id": "string", "LastObservedAt": "string", "Malware": [ { "Name": "string", "Path": "string", "State": "string", "Type": "string" } ], "Network": { "DestinationDomain": "string", "DestinationIpV4": "string", "DestinationIpV6": "string", "DestinationPort": number, "Direction": "string", "Protocol": "string", "SourceDomain": "string", "SourceIpV4": "string", "SourceIpV6": "string", "SourceMac": "string", "SourcePort": number }, "Note": { "Text": "string", "UpdatedAt": "string", "UpdatedBy": "string" }, "Process": { "LaunchedAt": "string", "Name": "string", "ParentPid": number, "Path": "string", "Pid": number, "TerminatedAt": "string" }, "ProductArn": "string", "ProductFields": { "string" : "string" }, "RecordState": "string", "RelatedFindings": [ { "Id": "string", "ProductArn": "string" } ], "Remediation": { "Recommendation": { "Text": "string", "Url": "string" } }, "Resources": [ { "Details": { "AwsEc2Instance": { "IamInstanceProfileArn": "string", "ImageId": "string", "IpV4Addresses": [ "string" ], "IpV6Addresses": [ "string" ], "KeyName": "string", "LaunchedAt": "string", "SubnetId": "string", "Type": "string", "VpcId": "string" }, "AwsIamAccessKey": { "CreatedAt": "string", "Status": "string", "UserName": "string" }, "AwsS3Bucket": { "OwnerId": "string", "OwnerName": "string" }, "Container": { "ImageId": "string", "ImageName": "string", "LaunchedAt": "string", "Name": "string" }, "Other": { "string" : "string" } }, "Id": "string", "Partition": "string", "Region": "string", "Tags": { "string" : "string" }, "Type": "string" } ], "SchemaVersion": "string", "Severity": { "Normalized": number, "Product": number }, "SourceUrl": "string", "ThreatIntelIndicators": [ { "Category": "string", "LastObservedAt": "string", "Source": "string", "SourceUrl": "string", "Type": "string", "Value": "string" } ], "Title": "string", "Types": [ "string" ], "UpdatedAt": "string", "UserDefinedFields": { "string" : "string" }, "VerificationState": "string", "WorkflowState": "string" } ], "NextToken": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Findings

The findings that matched the filters specified in the request.

Type: Array of AwsSecurityFinding objects

NextToken

The token that is required for pagination.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

InternalException

Internal server error.

HTTP Status Code: 500

InvalidAccessException

AWS Security Hub isn't enabled for the account used to make this request.

HTTP Status Code: 401

InvalidInputException

The request was rejected because you supplied an invalid or out-of-range value for an input parameter.

HTTP Status Code: 400

LimitExceededException

The request was rejected because it attempted to create resources beyond the current AWS account limits. The error code describes the limit exceeded.

HTTP Status Code: 429

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: