Viewing finding details - AWS Security Hub

Viewing finding details

From a finding list on the Security Hub console, you can display a details pane for a finding. You can also get finding details programmatically.

Viewing finding details (console)

Follow these steps to view finding details on the Security Hub console.

To view the findings detail pane
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. To display a finding list, do one of the following:

    • In the Security Hub navigation pane, choose Findings.

    • In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.

    • In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.

  3. Select a finding title.

The top of the finding details pane contains overview information about the finding, including the account, severity, dates, and status. If the account you're signed in to is an organization member account, then the information includes the account name. For accounts that are invited manually, the information only includes the account ID.

Vulnerability Details contains information about the source of a vulnerability and affected packages. This is an expandable section for a single vulnerability and a paginated section for multiple vulnerabilities. This section only applies to findings that Amazon Inspector sends to Security Hub.

Types and Related Findings contains information about the finding type.

Resources contains information about the affected resource.

Remediation displays for control findings. It provides a link to the instructions for remediating the issue that triggered the finding.

Finding Provider Fields displays the values from the finding provider for confidence, criticality, related findings, severity, and finding type.

From the finding details pane, you can view more details and add field values to the filter.

  • To display the complete JSON for the finding, choose the finding ID. From Finding JSON, you can download the finding JSON to a file.

  • To add a field value to the finding list filter, choose the search icon next to the field.

  • For findings that are based on AWS Config rules, to display a list of the applicable rules, choose Rules.

Retrieving finding details (programmatic)

Choose your preferred method, and follow the steps to programmatically get a list of Security Hub findings. You can specify filters to narrow down the list of findings to a specific subset.

The following sections include instructions in a few languages for retrieving findings. For support in additional languages, see Using Security Hub with an AWS SDK.

Note

When you filter by CompanyName or ProductName, Security Hub uses the values that are in ProductFields. It doesn't use the top-level CompanyName and ProductName fields.

Security Hub API
  1. Run GetFindings.

  2. Optionally, populate the Filters parameter to narrow the findings that you want to retrieve.

  3. Optionally, populate the MaxResults parameter to limit the findings to a specified number and the NextToken parameter to paginate findings.

  4. Optionally, populate the SortCriteria parameter to sort the findings by a specific field.

If you've enabled cross-region aggregation and call this API from the aggregation Region, the results include findings from the aggregation and linked Regions.
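The Python sketch below is an added example, not part of the AWS documentation. It carries out steps 2 through 4 as a pagination loop over get_findings, reusing the filter and sort values from the CLI example on this page. The names iter_findings and StubSecurityHub are hypothetical, and the stub with its constructed findings stands in for boto3.client("securityhub") so the code runs offline.

```python
# Filter and sort values copied from the CLI example on this page.
FILTERS = {
    "GeneratorId": [{"Value": "aws-foundational", "Comparison": "PREFIX"}],
    "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
    "Confidence": [{"Gte": 85}],
}
SORT = [{"Field": "LastObservedAt", "SortOrder": "desc"}]


def iter_findings(client, filters=None, sort=None, page_size=100, max_items=None):
    """Yield findings one at a time, following NextToken until done or max_items is hit."""
    if not 1 <= page_size <= 100 or (max_items is not None and max_items < 1):
        raise ValueError("page_size must be 1..100 (MaxResults limit); max_items must be >= 1")
    params = {k: v for k, v in (("Filters", filters), ("SortCriteria", sort)) if v}
    params["MaxResults"] = page_size  # per-call page size, not the overall cap
    yielded = 0
    while True:
        page = client.get_findings(**params)
        for finding in page.get("Findings", []):
            yield finding
            yielded += 1
            if max_items is not None and yielded >= max_items:
                return  # overall cap reached; do not request another page
        if not page.get("NextToken"):
            return  # no NextToken means this was the last page
        params["NextToken"] = page["NextToken"]


class StubSecurityHub:
    """Constructed offline stand-in for boto3.client("securityhub") (hypothetical helper)."""
    def __init__(self, total=7):
        self.findings = [{"Id": f"constructed-finding-{i}", "Severity": {"Label": "HIGH"},
                          "Workflow": {"Status": "NEW"}} for i in range(total)]
        self.calls = []

    def get_findings(self, **kwargs):
        self.calls.append(kwargs)
        start = int(kwargs.get("NextToken", 0))
        end = start + kwargs["MaxResults"]
        page = {"Findings": self.findings[start:end]}
        if end < len(self.findings):
            page["NextToken"] = str(end)  # opaque to the caller; an offset only in this stub
        return page


if __name__ == "__main__":
    stub = StubSecurityHub()
    for f in iter_findings(stub, FILTERS, SORT, page_size=5, max_items=100):
        print(f["Id"], f["Severity"]["Label"])
    print("API calls made:", len(stub.calls))
```

To run it against a real account, pass boto3.client("securityhub") in place of the stub; the caller needs permission for the securityhub:GetFindings action.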

AWS CLI
  1. At the command line, run the get-findings command.

  2. Optionally, populate the filters parameter to narrow the findings that you want to retrieve.

  3. Optionally, populate the max-items parameter to limit the findings to a specified number and the page-size parameter to paginate findings.

  4. Optionally, populate the sort-criteria parameter to sort the findings by a specific field.

aws securityhub get-findings --filters <filter criteria JSON> --sort-criteria <sort criteria> --page-size <findings per page> --max-items <maximum number of results>

Example

aws securityhub get-findings --filters '{"GeneratorId":[{"Value": "aws-foundational","Comparison":"PREFIX"}],"WorkflowStatus": [{"Value": "NEW","Comparison":"EQUALS"}],"Confidence": [{"Gte": 85}]}' --sort-criteria '{"Field": "LastObservedAt","SortOrder": "desc"}' --page-size 5 --max-items 100

If you've enabled cross-region aggregation and call this API from the aggregation Region, the results include findings from the aggregation and linked Regions.

PowerShell
  1. Use the Get-SHUBFinding cmdlet.

  2. Optionally, populate the Filter parameter to narrow the findings that you want to retrieve.

Example

Get-SHUBFinding -Filter @{AwsAccountId = [Amazon.SecurityHub.Model.StringFilter]@{Comparison = "EQUALS"; Value = "XXX"};ComplianceStatus = [Amazon.SecurityHub.Model.StringFilter]@{Comparison = "EQUALS"; Value = 'FAILED'}}