Viewing finding details
From a finding list on the Security Hub console, you can display a details panel for a finding. The details panel includes the history of the finding during the last 90 days. You can also get finding details and finding history programmatically.
Available finding details
You can get a variety of finding details on the Security Hub console or by calling the GetFindings operation of the Security Hub API. Here is a partial list of the types of finding details you can get.
- Vulnerability details – Information about a vulnerability that's detected in a finding and affected packages. These details are available if you enable Amazon Inspector for findings that Amazon Inspector sends to Security Hub.
- Types and related findings – Contains information about the finding type.
- Parameters – Shows the current parameter values for a security control. Security Hub uses these parameter values when conducting security checks of the control.
- Resource – Provides information about the AWS resource involved in a finding.
- Resource tags – Provides tag key and value information for the resources involved in a finding. You can tag resources that are supported by the GetResources operation of the AWS Resource Groups Tagging API. For more information about the inclusion of resource tags in findings, see Tags.
- Application metadata – Provides the name and Amazon Resource Name (ARN) of the application involved in a finding if you created an application and added the AWS application tag to it. We recommend creating applications in AWS Service Catalog AppRegistry.
- Remediation – Provides a link to the instructions for remediating failed control findings.
- Finding provider fields – Displays the values from the finding provider for confidence, criticality, related findings, severity, and finding type.
- Finding investigation in Detective (console only) – Provides a link to further investigate a finding in Detective using automated log collection, security analytics, and AWS service resource exploration tools. This information is only included for Security Hub findings received from other AWS services if you enable Detective.
Review the following sections to understand how to access these details for a finding.
Retrieving finding details (console)
Follow the steps to view finding details on the Security Hub console.
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
- To display a finding list, do one of the following:
  - In the Security Hub navigation pane, choose Findings.
  - In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.
  - In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.
- Select a finding title to view the details panel for the finding.
The top of the finding details panel contains overview information about the finding, including the account, severity, dates, and status. If you integrate with AWS Organizations and the account you're signed in to is an organization member account, then the details panel includes the account name. For member accounts that are invited manually rather than through the Organizations integration, the details panel only includes the account ID.
To display the complete JSON for the finding, choose the finding ID. From Finding JSON, you can download the finding JSON to a file.
To add a field value to the finding list filter, choose the search icon next to the field.
For findings that are based on AWS Config rules, to display a list of the applicable rules, choose Rules.
Choose the History tab to view up to 90 days of finding history.
Retrieving finding details (programmatic)
Choose your preferred method, and follow the steps to programmatically get a list of Security Hub findings. You can specify filters to narrow down the list of findings to a specific subset.
The following tabs include instructions in a few languages for retrieving findings. For support in additional languages, see Tools to Build on AWS.
Note
When you filter by CompanyName or ProductName, Security Hub uses the values that are in ProductFields. It doesn't use the top-level CompanyName and ProductName fields.
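The following Python sketch is an added example, not code from this page or from AWS. It builds a GetFindings filter, follows NextToken across pages, and shows on a constructed finding which value the ProductName filter is compared against. The helper names, the stub client, the sample finding, and the ProductFields key name aws/securityhub/ProductName are assumptions that this page does not state.

```python
# Added example, not AWS sample code. With boto3 installed and credentials
# configured, pass boto3.client("securityhub") instead of StubHub().

def build_filters(severities=("CRITICAL", "HIGH"), product_name=None):
    """Filters for active findings still in workflow status NEW."""
    filters = {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in severities],
    }
    if product_name:
        # Matched against ProductFields, not the top-level ProductName field.
        filters["ProductName"] = [{"Value": product_name, "Comparison": "EQUALS"}]
    return filters

def filter_product_name(finding):
    """Value the ProductName filter compares against for this finding."""
    # Assumption: this ProductFields key name is not given on the page.
    return finding.get("ProductFields", {}).get("aws/securityhub/ProductName")

def iter_findings(client, filters, page_size=100):
    """Yield all matching findings, following NextToken page by page."""
    kwargs = {"Filters": filters, "MaxResults": page_size}
    while True:
        page = client.get_findings(**kwargs)
        yield from page.get("Findings", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

# Constructed sample: a finding whose top-level ProductName differs from the
# ProductFields value that the API filter uses.
SAMPLE = {"Id": "example-finding-1", "ProductName": "ExampleScanner",
          "Severity": {"Label": "HIGH"},
          "ProductFields": {"aws/securityhub/ProductName": "Default"}}

class StubHub:
    """Offline stand-in for the securityhub client (two pages of results)."""
    def get_findings(self, **kw):
        if "NextToken" not in kw:
            return {"Findings": [SAMPLE], "NextToken": "page-2"}
        return {"Findings": [dict(SAMPLE, Id="example-finding-2")]}

def demo():
    """Return (finding ID, value used by the ProductName filter) pairs."""
    hub = StubHub()
    return [(f["Id"], filter_product_name(f))
            for f in iter_findings(hub, build_filters())]
```

A filter on ProductName with the value ExampleScanner would not return the sample finding, because the comparison uses the ProductFields value.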
Finding history
Finding history is a Security Hub feature that lets you track changes made to a finding during the last 90 days. It's available for active and archived findings. Finding history provides an immutable trail of changes made to a finding over time, including what the change was, when it occurred, and by which user.
In particular, you can track changes made to fields in the AWS Security Finding Format (ASFF). Security Hub tracks changes that you make manually and with automation rules.
Finding history is available in the Security Hub console, API, and AWS CLI.
If you're signed in to a Security Hub administrator account, you can get finding history for the administrator account and all member accounts.
Choose your preferred method, and follow the steps to get finding history.
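As an added example (not code from this page or from AWS), the following Python sketch pages through GetFindingHistory for one finding and lists the changes made through BatchUpdateFindings, with the time, the identity, and the old and new values. The helper names, the stub client, and every ARN, ID and field value in the sample pages are constructed placeholders.

```python
# Added example, not AWS sample code. With boto3 installed and credentials
# configured, pass boto3.client("securityhub") instead of StubHub().
from datetime import datetime, timedelta, timezone

def iter_history(client, finding_id, product_arn, days=90):
    """Yield history records for one finding; history covers the last 90 days."""
    end = datetime.now(timezone.utc)
    kwargs = {"Identifier": {"Id": finding_id, "ProductArn": product_arn},
              "StartTime": end - timedelta(days=min(days, 90)), "EndTime": end}
    while True:
        page = client.get_finding_history(**kwargs)
        yield from page.get("Records", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def customer_changes(records):
    """Rows (time, identity, field, old, new) for BatchUpdateFindings updates."""
    rows = []
    for rec in records:
        src = rec.get("UpdateSource", {})
        if src.get("Type") != "BATCH_UPDATE_FINDINGS":
            continue  # skip updates sent by the finding provider
        for upd in rec.get("Updates", []):
            rows.append((rec["UpdateTime"], src.get("Identity"),
                         upd["UpdatedField"], upd.get("OldValue"), upd.get("NewValue")))
    return rows

# Constructed sample pages; ARNs, IDs and field values are placeholders.
T = datetime(2024, 1, 5, tzinfo=timezone.utc)
PAGES = [
    {"NextToken": "page-2", "Records": [{"UpdateTime": T, "UpdateSource": {
        "Type": "BATCH_IMPORT_FINDINGS",
        "Identity": "arn:aws:iam::111122223333:role/example-provider"},
        "Updates": [{"UpdatedField": "Severity", "OldValue": "LOW", "NewValue": "HIGH"}]}]},
    {"Records": [{"UpdateTime": T, "UpdateSource": {
        "Type": "BATCH_UPDATE_FINDINGS",
        "Identity": "arn:aws:iam::111122223333:user/example-analyst"},
        "Updates": [{"UpdatedField": "Workflow.Status", "OldValue": "NEW",
                     "NewValue": "SUPPRESSED"}]}]},
]

class StubHub:
    """Offline stand-in for the securityhub client (two pages of history)."""
    def get_finding_history(self, **kw):
        return PAGES[1] if "NextToken" in kw else PAGES[0]

def demo():
    arn = "arn:aws:securityhub:us-east-1::product/example/example"  # placeholder
    return customer_changes(iter_history(StubHub(), "example-finding-1", arn))
```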