Filtering and grouping findings (console) - AWS Security Hub

Filtering and grouping findings (console)

When you display a list of findings from the Findings page, the Integrations page, or the Insights page, the list is always filtered based on the record state and workflow status. This is in addition to the filters for an insight or integration.

The record state indicates whether the finding is active or archived. A finding can be archived by the finding provider. AWS Security Hub also automatically archives findings for controls if the associated resource is deleted. By default, a finding list only shows active findings.

The workflow status indicates the status of the investigation into the finding. The workflow status can only be updated by the Security Hub customer or a system that is operating on the customer's behalf. By default, a finding list only shows findings with a workflow status of NEW or NOTIFIED. The default finding list for a control also includes RESOLVED findings.

If you enabled finding aggregation, then on the Findings and Insights pages, you can filter the findings by Region.

For information on working with the finding list for a control, see Filtering, sorting, and downloading control findings.

Adding filters

To change the scope of the list, you can add filters to it.

You can filter by up to 10 attributes. For each attribute, you can provide up to 20 filter values.

When filtering the finding list, Security Hub applies AND logic to the set of filters. In other words, a finding only matches if it matches all of the provided filters. For example, if you add GuardDuty as a filter for product name, and AwsS3Bucket as a filter for resource type, then matching findings must match both of these criteria.

However, Security Hub applies OR logic to filters that use the same attribute but different values. For example, you add both GuardDuty and Amazon Inspector as filter values for product name. In that case, a finding matches if it was generated by either GuardDuty or Amazon Inspector.

To add a filter to the finding list
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. To display a finding list, do one of the following:

    • In the Security Hub navigation pane, choose Findings.

    • In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.

    • In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.

  3. Choose the Add filters box.

  4. In the menu, under Filters, choose a filter.

    Note that when you filter by Company name or Product name, Security Hub uses the top-level CompanyName and ProductName fields. The API uses the values that are in ProductFields.

  5. Choose the filter match type.

    For a string filter, you can choose from the following comparison options:

    • is – Find a value that exactly matches the filter value.

    • starts with – Find a value that starts with the filter value.

    • is not – Find a value that does not match the filter value.

    • does not start with – Find a value that does not start with the filter value.

    For a numeric filter, you can choose whether to provide a single number (Simple) or a range of numbers (Range).

    For a date or time filter, you can choose whether to provide a length of time from the current date and time (Rolling window) or a specific date range (Fixed range).

    Adding multiple filters has the following interactions:

    • is and starts with filters are joined by OR. A value matches if it contains any of the filter values. For example, if you specify Severity label is CRITICAL and Severity label is HIGH, the results include both critical and high severity findings.

    • is not and does not start with filters are joined by AND. A value matches only if it does not contain any of those filter values. For example, if you specify Severity label is not LOW and Severity label is not MEDIUM, the results do not include low or medium severity findings.

    If you have an is filter on a field, you cannot have an is not or a does not start with filter on the same field.

  6. Specify the filter value.

    Note that for string filters, the filter value is case sensitive.

    For example, for findings from Security Hub, Product name is Security Hub. If you use the EQUALS operator to see findings from Security Hub, you must enter Security Hub as the filter value. If you enter security hub, no findings are displayed.

    Similarly, if you use the PREFIX operator, and enter Sec, Security Hub findings are displayed. If you enter sec, no Security Hub findings are displayed.

  7. Choose Apply.
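The AND/OR rules and the case-sensitive matching described in the steps above, modeled locally as an added Python example (not AWS code and not part of the original page). It assumes findings flattened into dicts keyed by filter attribute name; the helper names and sample findings are constructed for illustration.

```python
# Added example (not AWS code): filters use the API-style shape
# {attribute: [{"Value": ..., "Comparison": ...}]}.
# Assumption: findings are flattened dicts keyed by filter attribute name.
POSITIVE = {"EQUALS", "PREFIX"}                  # console: is, starts with
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}   # console: is not, does not start with

def validate(filters):
    """Enforce the limits and the is / is-not conflict rule stated on the page."""
    if len(filters) > 10:
        raise ValueError("at most 10 attributes")
    for attr, conds in filters.items():
        ops = {c["Comparison"] for c in conds}
        if len(conds) > 20:
            raise ValueError(f"{attr}: at most 20 values")
        if ops - POSITIVE - NEGATIVE:
            raise ValueError(f"{attr}: unsupported comparison")
        if "EQUALS" in ops and ops & NEGATIVE:
            raise ValueError(f"{attr}: 'is' cannot be mixed with a negative filter")

def _hit(value, cond):
    """Case-sensitive test of one value against one condition's Value."""
    if cond["Comparison"] in ("EQUALS", "NOT_EQUALS"):
        return value == cond["Value"]
    return value.startswith(cond["Value"])

def matches(finding, filters):
    for attr, conds in filters.items():            # AND across attributes
        value = finding.get(attr, "")
        pos = [c for c in conds if c["Comparison"] in POSITIVE]
        neg = [c for c in conds if c["Comparison"] in NEGATIVE]
        if pos and not any(_hit(value, c) for c in pos):   # OR within positives
            return False
        if any(_hit(value, c) for c in neg):               # every negative must hold
            return False
    return True

def apply_filters(findings, filters):
    validate(filters)
    return [f["Id"] for f in findings if matches(f, filters)]

def cond(comparison, *values):
    return [{"Value": v, "Comparison": comparison} for v in values]

# Constructed sample findings (not real Security Hub output).
SAMPLE = [
    {"Id": "f1", "ProductName": "GuardDuty", "ResourceType": "AwsS3Bucket", "SeverityLabel": "HIGH"},
    {"Id": "f2", "ProductName": "ExampleScanner", "ResourceType": "AwsEc2Instance", "SeverityLabel": "LOW"},
    {"Id": "f3", "ProductName": "Security Hub", "ResourceType": "AwsS3Bucket", "SeverityLabel": "MEDIUM"},
    {"Id": "f4", "ProductName": "GuardDuty", "ResourceType": "AwsEc2Instance", "SeverityLabel": "CRITICAL"},
]
```

Running a planned filter set through `apply_filters(SAMPLE, ...)` before saving it as an insight shows whether a lowercase value or a mixed is / is not pair would silently hide findings.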

Grouping findings

In addition to changing the filters, you can group the findings based on the values of a selected attribute.

When you group the findings, the list of findings is replaced with a list of values for the selected attribute in the matching findings. For each value, the list displays the number of findings that match the other filter criteria.

For example, if you group the findings by AWS account ID, you see a list of account identifiers, with the number of matching findings for each account.

Note that Security Hub can only display 100 values. If there are more than 100 grouping values, you only see the first 100.

When you choose an attribute value, the list of matching findings for that value is displayed.

To group the findings in a findings list
  1. On the finding list, choose the Add filters box.

  2. In the menu, under Grouping, choose Group by.

  3. In the list, choose the attribute to use for the grouping.

  4. Choose Apply.

Changing a filter value or grouping attribute

For an existing filter, you can change the filter value. You can also change the grouping attribute.

For example, you can change the Record state filter to look for ARCHIVED findings instead of ACTIVE findings.

To edit a filter or grouping attribute
  1. On a filtered finding list, choose the filter or grouping attribute.

  2. For Group by, choose the new attribute, then choose Apply.

  3. For a filter, choose the new value, and then choose Apply.

Deleting a filter or grouping attribute

To delete a filter or grouping attribute, choose the x icon.

The list is updated automatically to reflect the change. When you remove the grouping attribute, the list changes from the list of field values back to a list of findings.