Searching for evidence in evidence finder
You can use evidence finder to perform targeted searches and quickly surface relevant evidence for review.
On this page, you'll learn how to filter your searches by criteria like assessment, date range, resource compliance status, and additional attributes. Applying these filters narrows your search scope to just the evidence you need. You can also group your results by certain fields to better analyze patterns.
Prerequisites
Make sure that you completed the steps to enable evidence finder in your Audit Manager settings. For instructions, see Enabling evidence finder.
In addition, make sure that you have permissions to perform search queries in evidence finder. For an example permission policy that you can use, see Allow users to run search queries in evidence finder.
Procedure
Follow these steps to search for evidence in the Audit Manager console.
Note
You can also use the CloudTrail API to query your evidence data. For more information, see StartQuery in the AWS CloudTrail API Reference. If you prefer to use the AWS CLI, see Start a query in the AWS CloudTrail User Guide.
Performing a search query
Follow these steps to perform a search query in evidence finder.
To search for evidence
1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.
2. In the navigation pane, choose Evidence finder.
3. Next, apply filters to narrow the scope of your search.
   - For Assessment, choose an assessment.
   - For Date range, select a range.
   - For Resource compliance, select an evaluation status.
4. (Optional) Choose Additional filters - optional to narrow the search even further.
   - Choose Add criteria, select a criterion, and then select one or more values for that criterion.
   - Continue to build more filters in the same way.
   - To remove an unwanted filter, choose Remove.
5. Under Grouping, specify whether you want to group the search results.
   - If you want to group the results, select a value to group the results by.
   - If you don’t want to group the results, proceed to step 6.
6. Choose Search.

Your search might take a few minutes, depending on the amount of evidence data that you have. Feel free to navigate away from evidence finder while the search is in progress. A flash bar notifies you when the search results are ready.
Stopping a search query
If you want to stop a search query for any reason, follow these steps.
Note
Stopping a search query can still result in charges. You're charged for the amount of evidence data that was scanned before you stopped the search query. After it's stopped, you can view the partial results that were returned.
To stop an in-progress search query
1. In the blue progress flash bar at the top of the screen, choose Stop search.
2. (Optional) Review the partial results that were returned before you stopped the search query.
   - If you're on the evidence finder page, the partial results are displayed on the screen.
   - If you navigated away from evidence finder, choose View partial results in the green confirmation flash bar.
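The Note at the top of the procedure points out that the same search can be run through the CloudTrail API (StartQuery) or the AWS CLI. The following added example, which is not code from the AWS documentation, shows what the console does for you in the three procedures above: it turns the Assessment, Date range, Resource compliance and Grouping filters into a CloudTrail Lake query, starts the query and polls for results, and cancels it (the API equivalent of Stop search) when a deadline passes while still fetching the partial rows. The boto3 operations used (start_query, get_query_results, cancel_query) are real; the event data store ID is a placeholder, and the eventData.* column names and the COMPLIANT/NON_COMPLIANT/INCONCLUSIVE status literals are assumptions about the evidence schema that you should check against your own data store. FakeCloudTrail is an offline stand-in with constructed rows; pass boto3.client("cloudtrail") in its place for a real run.

```python
"""Search Audit Manager evidence with the CloudTrail Lake query API.
Added example, not code from the AWS documentation: it builds the query the
console builds from your filters, runs it, and cancels it (Stop search) while
keeping rows already returned. Use boto3.client("cloudtrail") for real runs;
FakeCloudTrail below is an offline stand-in with constructed data.
"""
import re
import time

# Assumed placeholder for the event data store that evidence finder created in
# your account; the eventData.* column names are assumptions as well.
EVENT_DATA_STORE_ID = "EXAMPLE-EVENT-DATA-STORE-ID"
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
COMPLIANCE_STATUSES = {"COMPLIANT", "NON_COMPLIANT", "INCONCLUSIVE"}
GROUPABLE_FIELDS = {"eventData.controlName", "eventData.evidenceAwsServiceSource"}
TERMINAL_STATES = {"FINISHED", "FAILED", "CANCELLED", "TIMED_OUT"}


def build_query(data_store, assessment_id, start_date, end_date,
                compliance_status=None, group_by=None):
    """SQL for the Assessment, Date range, Resource compliance and Grouping
    filters; every value is validated before it is interpolated."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", data_store):
        raise ValueError("event data store ID has unexpected characters")
    if not UUID_RE.match(assessment_id):
        raise ValueError("assessment_id must be a lowercase UUID")
    if not (DATE_RE.match(start_date) and DATE_RE.match(end_date)) or start_date > end_date:
        raise ValueError("dates must be YYYY-MM-DD with start on or before end")
    conditions = [f"eventData.assessmentId = '{assessment_id}'",
                  f"eventTime >= '{start_date} 00:00:00'",
                  f"eventTime <= '{end_date} 23:59:59'"]
    if compliance_status is not None:
        if compliance_status not in COMPLIANCE_STATUSES:
            raise ValueError(f"unknown compliance status {compliance_status!r}")
        conditions.append(f"eventData.resourceComplianceStatus = '{compliance_status}'")
    where = " AND ".join(conditions)
    if group_by is None:
        return f"SELECT * FROM {data_store} WHERE {where}"
    if group_by not in GROUPABLE_FIELDS:
        raise ValueError(f"cannot group by {group_by!r}")
    return (f"SELECT {group_by}, count(*) AS evidenceCount FROM {data_store} "
            f"WHERE {where} GROUP BY {group_by}")


def collect_rows(client, query_id):
    """Page through GetQueryResults; each row is a list of one-key
    {column: value} maps, merged here into one dict per row."""
    rows, token = [], None
    while True:
        kwargs = {"QueryId": query_id} if token is None else {"QueryId": query_id, "NextToken": token}
        page = client.get_query_results(**kwargs)
        rows += [{k: v for cell in row for k, v in cell.items()} for row in page.get("QueryResultRows", [])]
        token = page.get("NextToken")
        if not token:
            return rows


def run_query(client, statement, timeout_seconds=600, poll_interval=5,
              clock=time.monotonic, sleep=time.sleep):
    """Start the query and poll to a terminal state; past the deadline, cancel it
    (the API's Stop search) and still fetch partial rows. Data scanned before the
    cancel is billed, as in the console. Returns (status, rows)."""
    query_id = client.start_query(QueryStatement=statement)["QueryId"]
    deadline = clock() + timeout_seconds
    while True:
        status = client.get_query_results(QueryId=query_id)["QueryStatus"]
        if status in TERMINAL_STATES:
            break
        if clock() >= deadline:
            client.cancel_query(QueryId=query_id)
            status = "CANCELLED"
            break
        sleep(poll_interval)
    return status, collect_rows(client, query_id)


class FakeCloudTrail:
    """Offline stand-in for the boto3 cloudtrail client with constructed rows:
    RUNNING on the first poll, then FINISHED, results split over two pages."""
    def __init__(self):
        self.polls, self.cancelled, self.statement = 0, False, None

    def start_query(self, QueryStatement):
        self.statement = QueryStatement
        return {"QueryId": "constructed-query-id"}

    def get_query_results(self, QueryId, NextToken=None):
        self.polls += 1
        status = "CANCELLED" if self.cancelled else "RUNNING" if self.polls == 1 else "FINISHED"
        name, count, more = ("ctrl-a", "3", "page-2") if NextToken is None else ("ctrl-b", "1", None)
        page = {"QueryStatus": status, "QueryResultRows": [[{"eventData.controlName": name}, {"evidenceCount": count}]]}
        return {**page, "NextToken": more} if more else page

    def cancel_query(self, QueryId):
        self.cancelled = True
        return {"QueryId": QueryId, "QueryStatus": "CANCELLED"}
```

A typical call is `run_query(boto3.client("cloudtrail"), build_query(EVENT_DATA_STORE_ID, assessment_id, "2024-01-01", "2024-01-31", "NON_COMPLIANT", "eventData.controlName"))`. The allow-lists and strict patterns in build_query matter because CloudTrail Lake queries are plain SQL strings: validating each filter value before interpolating it keeps a value copied from a ticket or form from changing the shape of the query, and the short timeout with cancel_query bounds the scanned (and billed) data in the same way that Stop search does in the console.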
Editing search filters
Follow these steps to return to your most recent search query and adjust the filters as needed.
Note
When you edit your filters and choose Search, this starts a new search query.
To edit a recent search query
1. From the View results page, choose Evidence finder from the breadcrumb navigation menu.
2. Choose Filters and grouping to expand the filter selection.
3. Next, edit your filters or start a new search.
   - To edit filters, adjust or remove the current filters and grouping selection.
   - To start over, choose Clear filters and apply the filters and grouping selection of your choice.
4. When you’re done, choose Search.
Next steps
After your search is finished, you can view the results that matched your search criteria. For instructions, see Viewing results in evidence finder.