Reviewing finding details and finding history in Security Hub
In AWS Security Hub, a finding is an observable record of a security check or security-related detection. Security Hub generates a finding when it completes a security check of a control and when it ingests a finding from an integrated AWS service or third-party product. Each finding includes a history of changes and other details, such as a severity rating and information about the affected resources.
You can review finding history and other finding details on the Security Hub console and programmatically through the Security Hub API and AWS CLI.
To help you streamline your analysis, the Security Hub console opens a finding panel when you select a specific finding. The panel includes different menus and tabs for viewing different finding details.
- Actions menu
From this menu, you can review the complete JSON of a finding or add notes. A finding can have no more than one note attached to it at a time. This menu also provides options to set the workflow status of a finding or send a finding to a custom action in Amazon EventBridge.
- Investigate menu
From this menu, you can investigate a finding in Amazon Detective. Detective extracts entities, such as IP addresses and AWS users, from a finding and visualizes their activity. You can use the entity activity as a starting point to investigate the cause and impact of a finding.
- Overview tab
This tab provides a summary of the finding. For example, you can see when the finding was created and last updated, in which account it exists, the source of the finding (for example, from a control check or an integration), and a link to remediation instructions in the Security Hub documentation.
On the Resources snapshot within the Overview tab, you can get a brief overview of the resources involved in a finding. For some resources, we include an option to Open resource and directly view an impacted resource in the relevant AWS service console. The History snapshot shows up to two changes made to the finding on the most recent date for which history is being tracked. The date must fall within the last 90 days. As an example, if you made one change yesterday and one today, the snapshot shows only today's change. To view earlier entries, switch to the History tab.
The Compliance row expands to show more details. For example, for controls that include parameters, you can see the current parameter values that Security Hub uses when conducting security checks.
- Resources tab
This tab provides details about the resources involved in a finding. If you're signed in to the account that owns a resource, you can view the resource in the relevant AWS service console. If you're not the owner of a resource, the console displays the AWS account ID of the owner.
The Details row shows resource-specific details about the finding by displaying the ResourceDetails section of the finding JSON.
The Tags row shows tag key and value information for the resources involved in a finding. Resources that are supported by the GetResources operation of the AWS Resource Groups Tagging API can be tagged. Security Hub calls this operation through the service-linked role when processing new or updated findings and retrieves the resource tags if the AWS Security Finding Format (ASFF)
Resource.Id
field is populated with the AWS resource ARN. Security Hub ignores invalid resource IDs. For more information about the inclusion of resource tags in findings, see Tags.- Finding history tab
This tab tracks the history of a finding in the last 90 days. Finding history is available for active and archived findings. It provides an immutable trail of changes made to a finding over time, including what AWS Security Finding Format (ASFF) field changed, when the change occurred, and by which user. More recent changes are displayed first. If you're signed in to a Security Hub administrator account, the finding history shown is for the administrator account and all member accounts.
Finding history includes changes that a user made manually or automatically through Security Hub automation rules. However, finding history doesn't include changes to top-level timestamp fields, such as
CreatedAt
andUpdatedAt
.- Threat tab
This tab includes data from the Action, Malware, and ProcessDetails objects of the ASFF, including the type of threat and whether a resource is the target or actor. This object typically applies to findings that originate in Amazon GuardDuty.
- Vulnerabilities tab
This tab displays data from the Vulnerability object of the ASFF, including whether there are exploits or available fixes associated with a finding. This object typically applies to findings that originate in Amazon Inspector.
The rows in each tab include a copy or filter option. For example, if you're on the panel for a finding that has a workflow status of Notified, you can choose the filter option next to the Workflow status row. If you choose Show all findings with this value filters the finding list so that it displays only findings with the same workflow status.
Review the following section to understand how to access these details for a finding.
Instructions for reviewing finding details and history
Choose your preferred method, and follow the steps to view finding details in Security Hub.
If you enable cross-Region aggregation and sign in to the aggregation Region, finding data includes data from the aggregation Region and linked Regions. In other Regions, finding data is specific to that Region only. For more information about cross-Region aggregation, see Understanding cross-Region aggregation in Security Hub.
Note
When you filter findings by CompanyName
or ProductName
, Security Hub
uses the values that are part of the ProductFields
ASFF object. Security Hub doesn't use the top-level
CompanyName
and ProductName
fields.