HEX
Server: Apache/2.4.41 (Ubuntu)
System: Linux ip-172-31-42-149 5.15.0-1084-aws #91~20.04.1-Ubuntu SMP Fri May 2 07:00:04 UTC 2025 aarch64
User: ubuntu (1000)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
Upload Files
File: //proc/self/root/usr/local/aws-cli/v2/dist/awscli/examples/guardduty/list-findings.rst
**Example 1: To list all findings for the current region**

The following ``list-findings`` example displays a list of all findingIds for the current region sorted by severity from highest to lowest. ::

    aws guardduty list-findings \
        --detector-id 12abc34d567e8fa901bc2d34eexample \ 
        --sort-criteria '{"AttributeName": "severity","OrderBy":"DESC"}'

Output::
    
    {
        "FindingIds": [
            "04b8ab50fd29c64fc771b232dexample",
            "5ab8ab50fd21373735c826d3aexample",
            "90b93de7aba69107f05bbe60bexample",
            ...
        ]
    }

For more information, see `Findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html>`__ in the GuardDuty User Guide.

**Example 2: To list findings for the current region matching a specfic finding criteria**

The following ``list-findings`` example displays a list of all findingIds that match a specified finding type. ::

    aws guardduty list-findings \
        --detector-id 12abc34d567e8fa901bc2d34eexample \ 
        --finding-criteria  '{"Criterion":{"type": {"Eq":["UnauthorizedAccess:EC2/SSHBruteForce"]}}}'

Output::
    
    {
        "FindingIds": [
            "90b93de7aba69107f05bbe60bexample",
            "6eb9430d7023d30774d6f05e3example",
            "2eb91a2d060ac9a21963a5848example",
            "44b8ab50fd2b0039a9e48f570example",
            "9eb8ab4cd2b7e5b66ba4f5e96example",
            "e0b8ab3a38e9b0312cc390ceeexample"
        ]
    }

For more information, see `Findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html>`__ in the GuardDuty User Guide.

**Example 3: To list findings for the current region matching a specfic set of finding criteria defined within a JSON file**

The following ``list-findings`` example displays a list of all findingIds that are not archived, and involve the IAM user named "testuser", as specified in a JSON file. ::

    aws guardduty list-findings \
        --detector-id 12abc34d567e8fa901bc2d34eexample \ 
        --finding-criteria  file://myfile.json

Contents of ``myfile.json``::

    {"Criterion": {
        "resource.accessKeyDetails.userName":{
                    "Eq":[
                        "testuser"
                        ]
                    },
        "service.archived": {
                    "Eq": [
                        "false"
                    ]
                }
            }
    }

Output::
    
    {
        "FindingIds": [
            "1ab92989eaf0e742df4a014d5example"
        ]
    }

For more information, see `Findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html>`__ in the GuardDuty User Guide.