Reviewing finding details and finding history in Security Hub

In AWS Security Hub, a finding is an observable record of a security check or security-related detection. Security Hub generates a finding when it completes a security check of a control and when it ingests a finding from an integrated AWS service or third-party product. Each finding includes a history of changes and other details, such as a severity rating and information about the affected resources.

You can review finding history and other finding details on the Security Hub console and programmatically through the Security Hub API and AWS CLI.

To help you streamline your analysis, the Security Hub console opens a finding panel when you select a specific finding. The panel includes different menus and tabs for viewing different finding details.

Actions menu

From this menu, you can review the complete JSON of a finding or add notes. A finding can have no more than one note attached to it at a time. This menu also provides options to set the workflow status of a finding or send a finding to a custom action in Amazon EventBridge.

Investigate menu

From this menu, you can investigate a finding in Amazon Detective. Detective extracts entities, such as IP addresses and AWS users, from a finding and visualizes their activity. You can use the entity activity as a starting point to investigate the cause and impact of a finding.

Overview tab

This tab provides a summary of the finding. For example, you can see when the finding was created and last updated, in which account it exists, the source of the finding (for example, from a control check or an integration), and a link to remediation instructions in the Security Hub documentation.

On the Resources snapshot within the Overview tab, you can get a brief overview of the resources involved in a finding. For some resources, we include an option to Open resource and directly view an impacted resource in the relevant AWS service console. The History snapshot shows up to two changes made to the finding on the most recent date for which history is being tracked. The date must fall within the last 90 days. As an example, if you made one change yesterday and one today, the snapshot shows only today's change. To view earlier entries, switch to the History tab.

The Compliance row expands to show more details. For example, for controls that include parameters, you can see the current parameter values that Security Hub uses when conducting security checks.

Resources tab

This tab provides details about the resources involved in a finding. If you're signed in to the account that owns a resource, you can view the resource in the relevant AWS service console. If you're not the owner of a resource, the console displays the AWS account ID of the owner.

The Details row shows resource-specific details about the finding by displaying the ResourceDetails section of the finding JSON.

The Tags row shows tag key and value information for the resources involved in a finding. Resources that are supported by the GetResources operation of the AWS Resource Groups Tagging API can be tagged. Security Hub calls this operation through the service-linked role when processing new or updated findings and retrieves the resource tags if the AWS Security Finding Format (ASFF) Resource.Id field is populated with the AWS resource ARN. Security Hub ignores invalid resource IDs. For more information about the inclusion of resource tags in findings, see Tags.

Finding history tab

This tab tracks the history of a finding in the last 90 days. Finding history is available for active and archived findings. It provides an immutable trail of changes made to a finding over time, including what AWS Security Finding Format (ASFF) field changed, when the change occurred, and by which user. More recent changes are displayed first. If you're signed in to a Security Hub administrator account, the finding history shown is for the administrator account and all member accounts.

Finding history includes changes that a user made manually or automatically through Security Hub automation rules. However, finding history doesn't include changes to top-level timestamp fields, such as CreatedAt and UpdatedAt.

Threat tab

This tab includes data from the Action, Malware, and ProcessDetails objects of the ASFF, including the type of threat and whether a resource is the target or actor. These objects typically apply to findings that originate in Amazon GuardDuty.

Vulnerabilities tab

This tab displays data from the Vulnerability object of the ASFF, including whether there are exploits or available fixes associated with a finding. This object typically applies to findings that originate in Amazon Inspector.

The rows in each tab include a copy or filter option. For example, if you're on the panel for a finding that has a workflow status of Notified, you can choose the filter option next to the Workflow status row. Choosing Show all findings with this value filters the finding list so that it displays only findings with the same workflow status.

Review the following section to understand how to access these details for a finding.

Instructions for reviewing finding details and history

Choose your preferred method, and follow the steps to view finding details in Security Hub.

If you enable cross-Region aggregation and sign in to the aggregation Region, finding data includes data from the aggregation Region and linked Regions. In other Regions, finding data is specific to that Region only. For more information about cross-Region aggregation, see Understanding cross-Region aggregation in Security Hub.

Security Hub console
Reviewing finding details and history (console)
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. To display a finding list, take one of the following actions:

    • In the Security Hub navigation pane, choose Findings. Add search filters as necessary to narrow down the finding list.

    • In the Security Hub navigation pane, choose Insights. Choose an insight. Then on the results list, choose an insight result.

    • In the Security Hub navigation pane, choose Integrations. Choose See findings for an integration.

    • In the Security Hub navigation pane, choose Controls.

  3. Select a finding title.

  4. On the finding panel, do one of the following:

    • Choose the Actions menu to take action on the finding.

    • Choose the Investigate menu to investigate the finding in Amazon Detective.

    • Select a tab to view more details about the finding.

Note

If you integrate with AWS Organizations and the account you're signed in to is an organization member account, the finding panel includes the account name. For member accounts that are invited manually rather than through Organizations, the finding panel only includes the account ID.

Security Hub API

Reviewing finding details and history (API)

Use the GetFindings operation of the Security Hub API, or if you're using the AWS CLI, run the get-findings command.

You can provide one or more values for the Filters parameter to narrow the findings that you want to retrieve.

If the volume of results is too large, you can use the MaxResults parameter to limit the findings to a specified number and the NextToken parameter to paginate findings. Use the SortCriteria parameter to sort the findings by a specific field.

If you've enabled cross-Region aggregation and invoke this operation from the aggregation Region, the results include findings from the aggregation and linked Regions.

The following CLI command retrieves the findings that match the provided filters and sorts them in descending order of the LastObservedAt field. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub get-findings \
    --filters '{"GeneratorId":[{"Value": "aws-foundational","Comparison":"PREFIX"}],"WorkflowStatus": [{"Value": "NEW","Comparison":"EQUALS"}],"Confidence": [{"Gte": 85}]}' \
    --sort-criteria '{"Field": "LastObservedAt","SortOrder": "desc"}' \
    --page-size 5 \
    --max-items 100

To review finding history, use the GetFindingHistory operation. If you're using the AWS CLI, run the get-finding-history command.

Identify the finding that you want to get history for with the ProductArn and Id fields. For more information about these fields, see AwsSecurityFindingIdentifier. You can only get history for one finding per request.

The following CLI command retrieves history for the specified finding. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub get-finding-history \
    --region us-west-2 \
    --finding-identifier Id="a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default" \
    --max-results 2 \
    --start-time "2021-09-30T15:53:35.573Z" \
    --end-time "2021-10-01T15:53:35.573Z"
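
As an added example (not part of the AWS documentation), the following Python code follows NextToken across GetFindingHistory pages for one finding and groups changes to workflow and severity fields by the identity that made them. The record layout follows the GetFindingHistory response; the sample records, the ExampleAnalyst role, the FakeClient stand-in, and the exact UpdatedField spellings are constructed assumptions.

```python
from collections import defaultdict

# Prefixes of ASFF fields to audit; exact UpdatedField spelling is an assumption.
WATCHED_PREFIXES = ("Workflow", "Severity")

def iter_history(client, finding_id, product_arn, start, end, page_size=100):
    """Yield all history records for one finding, following NextToken."""
    kwargs = {"FindingIdentifier": {"Id": finding_id, "ProductArn": product_arn},
              "StartTime": start, "EndTime": end, "MaxResults": page_size}
    while True:
        page = client.get_finding_history(**kwargs)
        yield from page.get("Records", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def audit_changes(records, prefixes=WATCHED_PREFIXES):
    """Map each identity to the watched field changes it made."""
    by_identity = defaultdict(list)
    for rec in records:
        if rec.get("FindingCreated"):
            continue  # the creation entry is not a change to review
        who = rec.get("UpdateSource", {}).get("Identity", "unknown")
        for upd in rec.get("Updates", []):
            if upd.get("UpdatedField", "").startswith(prefixes):
                by_identity[who].append((rec.get("UpdateTime"), upd["UpdatedField"],
                                         upd.get("OldValue"), upd.get("NewValue")))
    return dict(by_identity)

def record(time, identity, updates, created=False):
    """Build one constructed record in the GetFindingHistory response shape."""
    return {"UpdateTime": time, "FindingCreated": created,
            "UpdateSource": {"Type": "BATCH_UPDATE_FINDINGS", "Identity": identity},
            "Updates": [{"UpdatedField": f, "OldValue": o, "NewValue": n}
                        for f, o, n in updates]}

ANALYST = "arn:aws:iam::123456789012:role/ExampleAnalyst"  # constructed identity

class FakeClient:
    """Constructed two-page stand-in for boto3.client("securityhub")."""
    PAGES = {None: {"NextToken": "page-2", "Records": [
        record("2021-09-30T18:00:00.000Z", ANALYST, [("Workflow.Status", "NEW", "SUPPRESSED")]),
        record("2021-09-30T17:00:00.000Z", ANALYST, [("Note", "", "checked")])]},
             "page-2": {"Records": [
        record("2021-09-30T16:00:00.000Z", ANALYST, [("Severity.Label", "HIGH", "LOW")]),
        record("2021-09-30T15:55:00.000Z", ANALYST, [], created=True)]}}
    def get_finding_history(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]
```

To run it against an account, pass boto3.client("securityhub") in place of FakeClient() and feed the result of iter_history to audit_changes. Finding history covers only the last 90 days, so keep the start time within that window.
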
PowerShell

Reviewing finding details (PowerShell)

Use the Get-SHUBFinding cmdlet.

Optionally, populate the Filter parameter to narrow the findings that you want to retrieve.

The following cmdlet retrieves the findings that match the provided filters.

Get-SHUBFinding -Filter @{
    AwsAccountId = [Amazon.SecurityHub.Model.StringFilter]@{Comparison = "EQUALS"; Value = "XXX"}
    ComplianceStatus = [Amazon.SecurityHub.Model.StringFilter]@{Comparison = "EQUALS"; Value = 'FAILED'}
}

Note

When you filter findings by CompanyName or ProductName, Security Hub uses the values that are part of the ProductFields ASFF object. Security Hub doesn't use the top-level CompanyName and ProductName fields.