AWS CLI Command Reference

[ aws . securityhub ]

get-findings-v2

Description

Return a list of findings that match the specified criteria. GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action. This API is in public preview and subject to change.

See also: AWS API Documentation

get-findings-v2 uses document type values. Document types follow the JSON data model where valid values are: strings, numbers, booleans, null, arrays, and objects. For command input, options and nested parameters that are labeled with the type document must be provided as JSON. Shorthand syntax does not support document types.

get-findings-v2 is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results. You can disable pagination by providing the --no-paginate argument. When using --output text and the --query argument on a paginated response, the --query argument must extract data from the results of the following query expressions: Findings

Synopsis

  get-findings-v2
[--filters <value>]
[--sort-criteria <value>]
[--cli-input-json | --cli-input-yaml]
[--starting-token <value>]
[--page-size <value>]
[--max-items <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--filters (structure)

The finding attributes used to define a condition to filter the returned OCSF findings. You can filter up to 10 composite filters. For each filter type inside of a composite filter, you can provide up to 20 filters.

CompositeFilters -> (list)

Enables the creation of complex filtering conditions by combining filter criteria.

(structure)

Enables the creation of filtering criteria for security findings.

StringFilters -> (list)

Enables filtering based on string field values.

(structure)

Enables filtering of security findings based on string field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • metadata.uid
  • activity_name
  • cloud.account.uid
  • cloud.provider
  • cloud.region
  • compliance.assessments.category
  • compliance.assessments.name
  • compliance.control
  • compliance.status
  • compliance.standards
  • finding_info.desc
  • finding_info.src_url
  • finding_info.title
  • finding_info.types
  • finding_info.uid
  • finding_info.related_events.uid
  • finding_info.related_events.product.uid
  • finding_info.related_events.title
  • metadata.product.name
  • metadata.product.uid
  • metadata.product.vendor_name
  • remediation.desc
  • remediation.references
  • resources.cloud_partition
  • resources.region
  • resources.type
  • resources.uid
  • severity
  • status
  • comment
  • vulnerabilities.fix_coverage
  • class_name
  • databucket.encryption_details.algorithm
  • databucket.encryption_details.key_uid
  • databucket.file.data_classifications.classifier_details.type
  • evidences.actor.user.account.uid
  • evidences.api.operation
  • evidences.api.response.error_message
  • evidences.api.service.name
  • evidences.connection_info.direction
  • evidences.connection_info.protocol_name
  • evidences.dst_endpoint.autonomous_system.name
  • evidences.dst_endpoint.location.city
  • evidences.dst_endpoint.location.country
  • evidences.src_endpoint.autonomous_system.name
  • evidences.src_endpoint.hostname
  • evidences.src_endpoint.location.city
  • evidences.src_endpoint.location.country
  • finding_info.analytic.name
  • malware.name
  • malware_scan_info.uid
  • malware.severity
  • resources.cloud_function.layers.uid_alt
  • resources.cloud_function.runtime
  • resources.cloud_function.user.uid
  • resources.device.encryption_details.key_uid
  • resources.device.image.uid
  • resources.image.architecture
  • resources.image.registry_uid
  • resources.image.repository_name
  • resources.image.uid
  • resources.subnet_info.uid
  • resources.vpc_uid
  • vulnerabilities.affected_code.file.path
  • vulnerabilities.affected_packages.name
  • vulnerabilities.cve.epss.score
  • vulnerabilities.cve.uid
  • vulnerabilities.related_vulnerabilities
  • cloud.account.name

Filter -> (structure)

A string filter for filtering Security Hub findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there’s no match.

Constraints:

  • pattern: .*\S.*

Comparison -> (string)

The condition to apply to a string value when filtering Security Hub findings.

To search for values that have the filter value, use one of the following comparison operators:

  • To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
  • To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn’t match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.

To search for values that don’t have the filter value, use one of the following comparison operators:

  • To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
  • To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
  • To search for values that don’t start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.

You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2 , GetFindingStatisticsV2 , GetResourcesV2 , and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide .

Possible values:

  • EQUALS
  • PREFIX
  • NOT_EQUALS
  • PREFIX_NOT_EQUALS
  • CONTAINS
  • NOT_CONTAINS
  • CONTAINS_WORD

DateFilters -> (list)

Enables filtering based on date and timestamp fields.

(structure)

Enables filtering of security findings based on date and timestamp fields in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • finding_info.created_time_dt
  • finding_info.first_seen_time_dt
  • finding_info.last_seen_time_dt
  • finding_info.modified_time_dt
  • resources.image.created_time_dt
  • resources.image.last_used_time_dt
  • resources.modified_time_dt

Filter -> (structure)

A date filter for querying findings.

Start -> (string)

A timestamp that provides the start date for the date filter.

For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps .

Constraints:

  • pattern: .*\S.*

End -> (string)

A timestamp that provides the end date for the date filter.

For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps .

Constraints:

  • pattern: .*\S.*

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

Possible values:

  • DAYS

BooleanFilters -> (list)

Enables filtering based on boolean field values.

(structure)

Enables filtering of security findings based on boolean field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • compliance.assessments.meets_criteria
  • vulnerabilities.is_exploit_available
  • vulnerabilities.is_fix_available

Filter -> (structure)

Boolean filter for querying findings.

Value -> (boolean)

The value of the boolean.

NumberFilters -> (list)

Enables filtering based on numerical field values.

(structure)

Enables filtering of security findings based on numerical field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • activity_id
  • compliance.status_id
  • confidence_score
  • severity_id
  • status_id
  • finding_info.related_events_count
  • evidences.api.response.code
  • evidences.dst_endpoint.autonomous_system.number
  • evidences.dst_endpoint.port
  • evidences.src_endpoint.autonomous_system.number
  • evidences.src_endpoint.port
  • resources.image.in_use_count

Filter -> (structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

Gt -> (double)

The greater-than condition to be applied to a single field when querying for findings.

Lt -> (double)

The less-than condition to be applied to a single field when querying for findings.

MapFilters -> (list)

Enables filtering based on map field values.

(structure)

Enables filtering of security findings based on map field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • resources.tags
  • compliance.control_parameters
  • databucket.tags
  • finding_info.tags

Filter -> (structure)

A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.

Key -> (string)

The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

Constraints:

  • pattern: .*\S.*

Value -> (string)

The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there’s no match.

Constraints:

  • pattern: .*\S.*

Comparison -> (string)

The condition to apply to the key value when filtering Security Hub findings with a map filter.

To search for values that have the filter value, use one of the following comparison operators:

  • To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
  • To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.

To search for values that don’t have the filter value, use one of the following comparison operators:

  • To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
  • To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.

NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.

CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.

CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .

Possible values:

  • EQUALS
  • NOT_EQUALS
  • CONTAINS
  • NOT_CONTAINS

IpFilters -> (list)

A list of IP address filters that allowing you to filter findings based on IP address properties.

(structure)

The structure for filtering findings based on IP address attributes.

FieldName -> (string)

The name of the IP address field to filter on.

Possible values:

  • evidences.dst_endpoint.ip
  • evidences.src_endpoint.ip

Filter -> (structure)

The IP filter for querying findings.

Cidr -> (string)

A finding’s CIDR value.

Constraints:

  • pattern: .*\S.*

NestedCompositeFilters -> (list)

Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator (AND /OR ). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters . The third layer is NestedCompositeFilters , which contains additional filter conditions.

(structure)

Enables the creation of filtering criteria for security findings.

StringFilters -> (list)

Enables filtering based on string field values.

(structure)

Enables filtering of security findings based on string field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • metadata.uid
  • activity_name
  • cloud.account.uid
  • cloud.provider
  • cloud.region
  • compliance.assessments.category
  • compliance.assessments.name
  • compliance.control
  • compliance.status
  • compliance.standards
  • finding_info.desc
  • finding_info.src_url
  • finding_info.title
  • finding_info.types
  • finding_info.uid
  • finding_info.related_events.uid
  • finding_info.related_events.product.uid
  • finding_info.related_events.title
  • metadata.product.name
  • metadata.product.uid
  • metadata.product.vendor_name
  • remediation.desc
  • remediation.references
  • resources.cloud_partition
  • resources.region
  • resources.type
  • resources.uid
  • severity
  • status
  • comment
  • vulnerabilities.fix_coverage
  • class_name
  • databucket.encryption_details.algorithm
  • databucket.encryption_details.key_uid
  • databucket.file.data_classifications.classifier_details.type
  • evidences.actor.user.account.uid
  • evidences.api.operation
  • evidences.api.response.error_message
  • evidences.api.service.name
  • evidences.connection_info.direction
  • evidences.connection_info.protocol_name
  • evidences.dst_endpoint.autonomous_system.name
  • evidences.dst_endpoint.location.city
  • evidences.dst_endpoint.location.country
  • evidences.src_endpoint.autonomous_system.name
  • evidences.src_endpoint.hostname
  • evidences.src_endpoint.location.city
  • evidences.src_endpoint.location.country
  • finding_info.analytic.name
  • malware.name
  • malware_scan_info.uid
  • malware.severity
  • resources.cloud_function.layers.uid_alt
  • resources.cloud_function.runtime
  • resources.cloud_function.user.uid
  • resources.device.encryption_details.key_uid
  • resources.device.image.uid
  • resources.image.architecture
  • resources.image.registry_uid
  • resources.image.repository_name
  • resources.image.uid
  • resources.subnet_info.uid
  • resources.vpc_uid
  • vulnerabilities.affected_code.file.path
  • vulnerabilities.affected_packages.name
  • vulnerabilities.cve.epss.score
  • vulnerabilities.cve.uid
  • vulnerabilities.related_vulnerabilities
  • cloud.account.name

Filter -> (structure)

A string filter for filtering Security Hub findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there’s no match.

Constraints:

  • pattern: .*\S.*

Comparison -> (string)

The condition to apply to a string value when filtering Security Hub findings.

To search for values that have the filter value, use one of the following comparison operators:

  • To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
  • To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn’t match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.

To search for values that don’t have the filter value, use one of the following comparison operators:

  • To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
  • To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
  • To search for values that don’t start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.

You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2 , GetFindingStatisticsV2 , GetResourcesV2 , and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide .

Possible values:

  • EQUALS
  • PREFIX
  • NOT_EQUALS
  • PREFIX_NOT_EQUALS
  • CONTAINS
  • NOT_CONTAINS
  • CONTAINS_WORD

DateFilters -> (list)

Enables filtering based on date and timestamp fields.

(structure)

Enables filtering of security findings based on date and timestamp fields in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • finding_info.created_time_dt
  • finding_info.first_seen_time_dt
  • finding_info.last_seen_time_dt
  • finding_info.modified_time_dt
  • resources.image.created_time_dt
  • resources.image.last_used_time_dt
  • resources.modified_time_dt

Filter -> (structure)

A date filter for querying findings.

Start -> (string)

A timestamp that provides the start date for the date filter.

For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps .

Constraints:

  • pattern: .*\S.*

End -> (string)

A timestamp that provides the end date for the date filter.

For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps .

Constraints:

  • pattern: .*\S.*

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

Possible values:

  • DAYS

BooleanFilters -> (list)

Enables filtering based on boolean field values.

(structure)

Enables filtering of security findings based on boolean field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • compliance.assessments.meets_criteria
  • vulnerabilities.is_exploit_available
  • vulnerabilities.is_fix_available

Filter -> (structure)

Boolean filter for querying findings.

Value -> (boolean)

The value of the boolean.

NumberFilters -> (list)

Enables filtering based on numerical field values.

(structure)

Enables filtering of security findings based on numerical field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • activity_id
  • compliance.status_id
  • confidence_score
  • severity_id
  • status_id
  • finding_info.related_events_count
  • evidences.api.response.code
  • evidences.dst_endpoint.autonomous_system.number
  • evidences.dst_endpoint.port
  • evidences.src_endpoint.autonomous_system.number
  • evidences.src_endpoint.port
  • resources.image.in_use_count

Filter -> (structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

Gt -> (double)

The greater-than condition to be applied to a single field when querying for findings.

Lt -> (double)

The less-than condition to be applied to a single field when querying for findings.

MapFilters -> (list)

Enables filtering based on map field values.

(structure)

Enables filtering of security findings based on map field values in OCSF.

FieldName -> (string)

The name of the field.

Possible values:

  • resources.tags
  • compliance.control_parameters
  • databucket.tags
  • finding_info.tags

Filter -> (structure)

A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.

Key -> (string)

The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

Constraints:

  • pattern: .*\S.*

Value -> (string)

The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there’s no match.

Constraints:

  • pattern: .*\S.*

Comparison -> (string)

The condition to apply to the key value when filtering Security Hub findings with a map filter.

To search for values that have the filter value, use one of the following comparison operators:

  • To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
  • To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.

To search for values that don’t have the filter value, use one of the following comparison operators:

  • To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
  • To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.

NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.

CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.

CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .

Possible values:

  • EQUALS
  • NOT_EQUALS
  • CONTAINS
  • NOT_CONTAINS

IpFilters -> (list)

A list of IP address filters that allowing you to filter findings based on IP address properties.

(structure)

The structure for filtering findings based on IP address attributes.

FieldName -> (string)

The name of the IP address field to filter on.

Possible values:

  • evidences.dst_endpoint.ip
  • evidences.src_endpoint.ip

Filter -> (structure)

The IP filter for querying findings.

Cidr -> (string)

A finding’s CIDR value.

Constraints:

  • pattern: .*\S.*

Operator -> (string)

The logical operator used to combine multiple filter conditions.

Possible values:

  • AND
  • OR

Operator -> (string)

The logical operator used to combine multiple filter conditions.

Possible values:

  • AND
  • OR

CompositeOperator -> (string)

The logical operators used to combine the filtering on multiple CompositeFilters .

Possible values:

  • AND
  • OR

JSON Syntax:

{
  "CompositeFilters": [
    {
      "StringFilters": [
        {
          "FieldName": "metadata.uid"|"activity_name"|"cloud.account.uid"|"cloud.provider"|"cloud.region"|"compliance.assessments.category"|"compliance.assessments.name"|"compliance.control"|"compliance.status"|"compliance.standards"|"finding_info.desc"|"finding_info.src_url"|"finding_info.title"|"finding_info.types"|"finding_info.uid"|"finding_info.related_events.uid"|"finding_info.related_events.product.uid"|"finding_info.related_events.title"|"metadata.product.name"|"metadata.product.uid"|"metadata.product.vendor_name"|"remediation.desc"|"remediation.references"|"resources.cloud_partition"|"resources.region"|"resources.type"|"resources.uid"|"severity"|"status"|"comment"|"vulnerabilities.fix_coverage"|"class_name"|"databucket.encryption_details.algorithm"|"databucket.encryption_details.key_uid"|"databucket.file.data_classifications.classifier_details.type"|"evidences.actor.user.account.uid"|"evidences.api.operation"|"evidences.api.response.error_message"|"evidences.api.service.name"|"evidences.connection_info.direction"|"evidences.connection_info.protocol_name"|"evidences.dst_endpoint.autonomous_system.name"|"evidences.dst_endpoint.location.city"|"evidences.dst_endpoint.location.country"|"evidences.src_endpoint.autonomous_system.name"|"evidences.src_endpoint.hostname"|"evidences.src_endpoint.location.city"|"evidences.src_endpoint.location.country"|"finding_info.analytic.name"|"malware.name"|"malware_scan_info.uid"|"malware.severity"|"resources.cloud_function.layers.uid_alt"|"resources.cloud_function.runtime"|"resources.cloud_function.user.uid"|"resources.device.encryption_details.key_uid"|"resources.device.image.uid"|"resources.image.architecture"|"resources.image.registry_uid"|"resources.image.repository_name"|"resources.image.uid"|"resources.subnet_info.uid"|"resources.vpc_uid"|"vulnerabilities.affected_code.file.path"|"vulnerabilities.affected_packages.name"|"vulnerabilities.cve.epss.score"|"vulnerabilities.cve.uid"|"vulnerabilities.related_vulnerabilities"|"cloud.account.name",
          "Filter": {
            "Value": "string",
            "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"|"CONTAINS"|"NOT_CONTAINS"|"CONTAINS_WORD"
          }
        }
        ...
      ],
      "DateFilters": [
        {
          "FieldName": "finding_info.created_time_dt"|"finding_info.first_seen_time_dt"|"finding_info.last_seen_time_dt"|"finding_info.modified_time_dt"|"resources.image.created_time_dt"|"resources.image.last_used_time_dt"|"resources.modified_time_dt",
          "Filter": {
            "Start": "string",
            "End": "string",
            "DateRange": {
              "Value": integer,
              "Unit": "DAYS"
            }
          }
        }
        ...
      ],
      "BooleanFilters": [
        {
          "FieldName": "compliance.assessments.meets_criteria"|"vulnerabilities.is_exploit_available"|"vulnerabilities.is_fix_available",
          "Filter": {
            "Value": true|false
          }
        }
        ...
      ],
      "NumberFilters": [
        {
          "FieldName": "activity_id"|"compliance.status_id"|"confidence_score"|"severity_id"|"status_id"|"finding_info.related_events_count"|"evidences.api.response.code"|"evidences.dst_endpoint.autonomous_system.number"|"evidences.dst_endpoint.port"|"evidences.src_endpoint.autonomous_system.number"|"evidences.src_endpoint.port"|"resources.image.in_use_count",
          "Filter": {
            "Gte": double,
            "Lte": double,
            "Eq": double,
            "Gt": double,
            "Lt": double
          }
        }
        ...
      ],
      "MapFilters": [
        {
          "FieldName": "resources.tags"|"compliance.control_parameters"|"databucket.tags"|"finding_info.tags",
          "Filter": {
            "Key": "string",
            "Value": "string",
            "Comparison": "EQUALS"|"NOT_EQUALS"|"CONTAINS"|"NOT_CONTAINS"
          }
        }
        ...
      ],
      "IpFilters": [
        {
          "FieldName": "evidences.dst_endpoint.ip"|"evidences.src_endpoint.ip",
          "Filter": {
            "Cidr": "string"
          }
        }
        ...
      ],
      "NestedCompositeFilters": [
        {
          "StringFilters": [
            {
              "FieldName": "metadata.uid"|"activity_name"|"cloud.account.uid"|"cloud.provider"|"cloud.region"|"compliance.assessments.category"|"compliance.assessments.name"|"compliance.control"|"compliance.status"|"compliance.standards"|"finding_info.desc"|"finding_info.src_url"|"finding_info.title"|"finding_info.types"|"finding_info.uid"|"finding_info.related_events.uid"|"finding_info.related_events.product.uid"|"finding_info.related_events.title"|"metadata.product.name"|"metadata.product.uid"|"metadata.product.vendor_name"|"remediation.desc"|"remediation.references"|"resources.cloud_partition"|"resources.region"|"resources.type"|"resources.uid"|"severity"|"status"|"comment"|"vulnerabilities.fix_coverage"|"class_name"|"databucket.encryption_details.algorithm"|"databucket.encryption_details.key_uid"|"databucket.file.data_classifications.classifier_details.type"|"evidences.actor.user.account.uid"|"evidences.api.operation"|"evidences.api.response.error_message"|"evidences.api.service.name"|"evidences.connection_info.direction"|"evidences.connection_info.protocol_name"|"evidences.dst_endpoint.autonomous_system.name"|"evidences.dst_endpoint.location.city"|"evidences.dst_endpoint.location.country"|"evidences.src_endpoint.autonomous_system.name"|"evidences.src_endpoint.hostname"|"evidences.src_endpoint.location.city"|"evidences.src_endpoint.location.country"|"finding_info.analytic.name"|"malware.name"|"malware_scan_info.uid"|"malware.severity"|"resources.cloud_function.layers.uid_alt"|"resources.cloud_function.runtime"|"resources.cloud_function.user.uid"|"resources.device.encryption_details.key_uid"|"resources.device.image.uid"|"resources.image.architecture"|"resources.image.registry_uid"|"resources.image.repository_name"|"resources.image.uid"|"resources.subnet_info.uid"|"resources.vpc_uid"|"vulnerabilities.affected_code.file.path"|"vulnerabilities.affected_packages.name"|"vulnerabilities.cve.epss.score"|"vulnerabilities.cve.uid"|"vulnerabilities.related_vulnerabilities"|"cloud.account.name",
              "Filter": {
                "Value": "string",
                "Comparison": "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"|"CONTAINS"|"NOT_CONTAINS"|"CONTAINS_WORD"
              }
            }
            ...
          ],
          "DateFilters": [
            {
              "FieldName": "finding_info.created_time_dt"|"finding_info.first_seen_time_dt"|"finding_info.last_seen_time_dt"|"finding_info.modified_time_dt"|"resources.image.created_time_dt"|"resources.image.last_used_time_dt"|"resources.modified_time_dt",
              "Filter": {
                "Start": "string",
                "End": "string",
                "DateRange": {
                  "Value": integer,
                  "Unit": "DAYS"
                }
              }
            }
            ...
          ],
          "BooleanFilters": [
            {
              "FieldName": "compliance.assessments.meets_criteria"|"vulnerabilities.is_exploit_available"|"vulnerabilities.is_fix_available",
              "Filter": {
                "Value": true|false
              }
            }
            ...
          ],
          "NumberFilters": [
            {
              "FieldName": "activity_id"|"compliance.status_id"|"confidence_score"|"severity_id"|"status_id"|"finding_info.related_events_count"|"evidences.api.response.code"|"evidences.dst_endpoint.autonomous_system.number"|"evidences.dst_endpoint.port"|"evidences.src_endpoint.autonomous_system.number"|"evidences.src_endpoint.port"|"resources.image.in_use_count",
              "Filter": {
                "Gte": double,
                "Lte": double,
                "Eq": double,
                "Gt": double,
                "Lt": double
              }
            }
            ...
          ],
          "MapFilters": [
            {
              "FieldName": "resources.tags"|"compliance.control_parameters"|"databucket.tags"|"finding_info.tags",
              "Filter": {
                "Key": "string",
                "Value": "string",
                "Comparison": "EQUALS"|"NOT_EQUALS"|"CONTAINS"|"NOT_CONTAINS"
              }
            }
            ...
          ],
          "IpFilters": [
            {
              "FieldName": "evidences.dst_endpoint.ip"|"evidences.src_endpoint.ip",
              "Filter": {
                "Cidr": "string"
              }
            }
            ...
          ],
          "NestedCompositeFilters": ,
          "Operator": "AND"|"OR"
        }
        ...
      ],
      "Operator": "AND"|"OR"
    }
    ...
  ],
  "CompositeOperator": "AND"|"OR"
}

--sort-criteria (list)

The finding attributes used to sort the list of returned findings.

(structure)

A collection of finding attributes used to sort findings.

Field -> (string)

The finding attribute used to sort findings.

Constraints:

  • pattern: .*\S.*

SortOrder -> (string)

The order used to sort findings.

Possible values:

  • asc
  • desc

Shorthand Syntax:

Field=string,SortOrder=string ...

JSON Syntax:

[
  {
    "Field": "string",
    "SortOrder": "asc"|"desc"
  }
  ...
]

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--starting-token (string)

A token to specify where to start paginating. This is the NextToken from a previously truncated response.

For usage examples, see Pagination in the AWS Command Line Interface User Guide .

--page-size (integer)

The size of each page to get in the AWS service call. This does not affect the number of items returned in the command’s output. Setting a smaller page size results in more calls to the AWS service, retrieving fewer items in each call. This can help prevent the AWS service calls from timing out.

For usage examples, see Pagination in the AWS Command Line Interface User Guide .

--max-items (integer)

The total number of items to return in the command’s output. If the total number of items available is more than the value specified, a NextToken is provided in the command’s output. To resume pagination, provide the NextToken value in the starting-token argument of a subsequent command. Do not use the NextToken response element directly outside of the AWS CLI.

For usage examples, see Pagination in the AWS Command Line Interface User Guide .

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Output

Findings -> (list)

An array of security findings returned by the operation.

(document)

NextToken -> (string)

The pagination token to use to request the next page of results. Otherwise, this parameter is null.
© Copyright 2025, Amazon Web Services. Created using Sphinx.