AWS::SecurityHub::Insight
The AWS::SecurityHub::Insight resource creates a custom insight in AWS Security Hub. An insight
is a collection of findings that relate to a security issue that requires attention or remediation. For more information,
see Insights in AWS Security Hub in the
AWS Security Hub User Guide.
Tags aren't supported for this resource.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SecurityHub::Insight", "Properties" : { "Filters" :AwsSecurityFindingFilters, "GroupByAttribute" :String, "Name" :String} }
YAML
Type: AWS::SecurityHub::Insight Properties: Filters:AwsSecurityFindingFiltersGroupByAttribute:StringName:String
Properties
Filters-
One or more attributes used to filter the findings included in the insight. The insight only includes findings that match the criteria defined in the filters. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
Required: Yes
Type: AwsSecurityFindingFilters
Update requires: No interruption
GroupByAttribute-
The grouping attribute for the insight's findings. Indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers.
Required: Yes
Type: String
Minimum:
1Update requires: No interruption
Name-
The name of a Security Hub insight.
Required: Yes
Type: String
Minimum:
1Maximum:
128Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of a Security Hub insight. For example, arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
InsightArn-
The ARN of a Security Hub insight.
Examples
Creating a Security Hub insight
The following example creates a custom Security Hub insight. The insight includes findings that match the specified filters.
JSON
{ "Description": "Example template to create a Security Hub insight", "Resources": { "SecurityHubInsight": { "Type": "AWS::SecurityHub::Insight", "Properties": { "Name": "Example insight name", "GroupByAttribute": "ResourceId", "Filters": { "CompanyName": [ { "Comparison": "EQUALS", "Value": "AWS" } ], "CreatedAt": [ { "DateRange": { "Unit": "DAYS", "Value": 5 } } ], "Criticality": [ { "Gte": 50, "Lte": 95 } ], "Id": [ { "Comparison": "EQUALS", "Value": "example-id" } ], "RecordState": [ { "Comparison": "EQUALS", "Value": "ACTIVE" } ], "ResourceTags": [ { "Comparison": "EQUALS", "Key": "department", "Value": "security" }, { "Comparison": "EQUALS", "Key": "department", "Value": "operations" } ], "SeverityLabel": [ { "Comparison": "EQUALS", "Value": "LOW" }, { "Comparison": "EQUALS", "Value": "HIGH" } ], "UpdatedAt": [ { "Start": "2023-04-25T17:05:54.832Z", "End": "2023-05-25T17:05:54.832Z" } ] } } } } }
YAML
Description: Example template to create a Security Hub insight Resources: SecurityHubInsight: Type: "AWS::SecurityHub::Insight" Properties: Name: "Example insight name" GroupByAttribute: "ResourceId" Filters: CompanyName: - Comparison: EQUALS Value: AWS CreatedAt: - DateRange: Unit: DAYS Value: 5 Criticality: - Gte: 50 Lte: 95 Id: - Comparison: EQUALS Value: example-id RecordState: - Comparison: EQUALS Value: ACTIVE ResourceTags: - Comparison: EQUALS Key: department Value: security - Comparison: EQUALS Key: department Value: operations SeverityLabel: - Comparison: EQUALS Value: LOW - Comparison: EQUALS Value: HIGH UpdatedAt: - Start: "2023-04-25T17:05:54.832Z" End: "2023-05-25T17:05:54.832Z"
