

AWS Audit Manager is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html). 

# Filter and grouping options for evidence finder
<a name="evidence-finder-filters-and-groups"></a>



On this page, you can see a list of the filter and grouping options that are available for you to use in evidence finder.

## Filter reference
<a name="filters"></a>

You can use the following filters to find evidence that matches specific criteria, such as an assessment, control, or AWS service.

**Topics**
+ [Required filters](#required-filters)
+ [Additional filters (optional)](#additional-filters)
+ [Combining filters](#combining-filters)

### Required filters
<a name="required-filters"></a>

Use these filters to get started with a high-level overview of the evidence in an assessment.


| Filter name | Description | Notes | 
| --- | --- | --- | 
| **Assessment** | Returns evidence for a specific assessment. | You can filter by one assessment only. | 
| **Date range** | Returns evidence for a specific time period. | Either, you can use a *Relative range* to define a range that’s relative to today’s date (for example, **Last 30 days**). <br />Or, you can use an *Absolute range* to specify a specific date range (for example, **June 27th – July 4th**). | 
| Resource compliance | Returns resources with a specific compliance check evaluation.  | Audit Manager collects [compliance check evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/concepts.html#evidence) for controls that use AWS Config and Security Hub CSPM as a data source type. Multiple resources might be assessed during evidence collection. As a result, a single piece of compliance check evidence can include one or more resources. You can use this filter to explore compliance status at the resource level.<br />You can choose one or more of the following options: [See the AWS documentation website for more details](http://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder-filters-and-groups.html) | 

### Additional filters (optional)
<a name="additional-filters"></a>

Use these filters to narrow the scope of your search query. For example, use **Service** to see all evidence that's related to Amazon S3. Use **Resource type** to focus just on S3 buckets. Or, use **Resource ARN** to target a specific S3 bucket.

You can create additional filters using one or more of the following criteria.


| Criteria name | Description | When to use this criteria | 
| --- | --- | --- | 
| Account ID | Drill down by AWS account. | Use this criteria to find evidence that's related to a specific AWS account. | 
| Control | Drill down by control name. | Use this criteria to find evidence that's related to a specific control. | 
| Control domain | Drill down by control domain. | Use this criteria to focus on a specific subject area as you prepare for an audit. You can filter by control domain if you're querying an assessment that was created from a standard framework. <br />Examples of control domains include network security, identity and access management, and data protection.<br />Some control domains might be marked as **Outdated** following Audit Manager's transition to a new set of control domains provided by AWS Control Catalog. For more information, see [I see that a control domain is marked as “outdated”. What does this mean?](evidence-finder-issues.md#outdated-control-domains). | 
| Data source type | Drill down by the type of data source. | Use this criteria to focus on a specific data source. <br />Set the value to `Manual` to find evidence that you uploaded manually. Otherwise, you can filter automated evidence based on where it came from (for example, `AWS Config`, `CloudTrail`, `Security Hub CSPM`, or `AWS API calls`). | 
| Event name | Drill down by event name. | Use this criteria to focus on a specific event that the evidence is related to. An event is a record of an activity in an AWS account. <br />For example, you can search for the name of an API call, such as the IAM `AttachRolePolicy` operation that's used to configure permissions. Or, search for a CloudTrail keyword, such as the `ConsoleLogin` event that's logged by CloudTrail when a user signs in to your account. | 
| Resource ARN | Drill down by Amazon Resource Name (ARN). | Use this criteria to find evidence that's related to a specific AWS resource. | 
| Resource type | Drill down by resource type. | Use this criteria to focus on the type of resource that's being assessed, such as an Amazon EC2 instance or an S3 bucket. | 
| Service | Drill down by AWS service name. | Use this criteria to find evidence that's related to a specific AWS service, such as Amazon EC2, Amazon S3, or AWS Config. | 
| Service category | Drill down by AWS service category. | Use this criteria to focus on a specific category of AWS service. Examples include security, identity and compliance, database, and storage. | 

### Combining filters
<a name="combining-filters"></a>



#### Criteria behavior
<a name="criteria-behavior"></a>

When you specify more than one criteria, Audit Manager applies the `AND` operator to your selections. This means that all of the criteria are grouped into a single query, and the results must match all of the combined criteria. 

**Example**  
In the following filter setup, evidence finder returns non-compliant resources from the last 7 days for the assessment that’s called **MySOC2Assessment**. Additionally, the results relate to both an IAM policy and the specified control.

![A selection of applied filters, with the AND operator highlighted.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/evidence-finder-filter_description-console.png)


#### Criteria value behavior
<a name="criteria-value-behavior"></a>

When you specify more than one criteria value, the values are linked with an `OR` operator. Evidence finder returns results that match any of these criteria values. 

**Example**  
In the following filter setup, evidence finder returns search results that come from either AWS CloudTrail, AWS Config, or AWS Security Hub CSPM.

![An example filter setup that shows multiple values defined for a single criteria.](http://docs.aws.amazon.com/audit-manager/latest/userguide/images/evidence-finder-filter_description-multiple_values-console.png)


## Grouping reference
<a name="groups"></a>

You can group your search results for quicker navigation. Grouping shows you the breadth of your search results, and how they're distributed across a specific dimension.

You can use any of the following group by values.


| Group by | Description  | 
| --- | --- | 
| Account ID | Group results by AWS account. | 
| Control | Group results by control name. | 
| Data source type | Group results by the type of data source where the evidence came from. | 
| Event name | Group results by an event name. | 
| Resource ARN | Group results by Amazon Resource Name (ARN). | 
| Resource type | Group results by resource type. | 
| Service | Group results by AWS service name. | 
| Service category | Group results by AWS service category. | 