- Navigation GuideYou are on a Command (operation) page with structural examples. Use the navigation breadcrumb if you would like to return to the Client landing page.
CreateInsightCommand
Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.
To group the related findings in the insight, use the GroupByAttribute.
Example Syntax
Use a bare-bones client and the command you need to make an API call.
import { SecurityHubClient, CreateInsightCommand } from "@aws-sdk/client-securityhub"; // ES Modules import
// const { SecurityHubClient, CreateInsightCommand } = require("@aws-sdk/client-securityhub"); // CommonJS import
const client = new SecurityHubClient(config);
const input = { // CreateInsightRequest
Name: "STRING_VALUE", // required
Filters: { // AwsSecurityFindingFilters
ProductArn: [ // StringFilterList
{ // StringFilter
Value: "STRING_VALUE",
Comparison: "EQUALS" || "PREFIX" || "NOT_EQUALS" || "PREFIX_NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
AwsAccountId: [
{
Value: "STRING_VALUE",
Comparison: "EQUALS" || "PREFIX" || "NOT_EQUALS" || "PREFIX_NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
Id: [
{
Value: "STRING_VALUE",
Comparison: "EQUALS" || "PREFIX" || "NOT_EQUALS" || "PREFIX_NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
GeneratorId: [
{
Value: "STRING_VALUE",
Comparison: "EQUALS" || "PREFIX" || "NOT_EQUALS" || "PREFIX_NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
Region: [
{
Value: "STRING_VALUE",
Comparison: "EQUALS" || "PREFIX" || "NOT_EQUALS" || "PREFIX_NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
Type: "<StringFilterList>",
FirstObservedAt: [ // DateFilterList
{ // DateFilter
Start: "STRING_VALUE",
End: "STRING_VALUE",
DateRange: { // DateRange
Value: Number("int"),
Unit: "DAYS",
},
},
],
LastObservedAt: [
{
Start: "STRING_VALUE",
End: "STRING_VALUE",
DateRange: {
Value: Number("int"),
Unit: "DAYS",
},
},
],
CreatedAt: [
{
Start: "STRING_VALUE",
End: "STRING_VALUE",
DateRange: {
Value: Number("int"),
Unit: "DAYS",
},
},
],
UpdatedAt: [
{
Start: "STRING_VALUE",
End: "STRING_VALUE",
DateRange: {
Value: Number("int"),
Unit: "DAYS",
},
},
],
SeverityProduct: [ // NumberFilterList
{ // NumberFilter
Gte: Number("double"),
Lte: Number("double"),
Eq: Number("double"),
Gt: Number("double"),
Lt: Number("double"),
},
],
SeverityNormalized: [
{
Gte: Number("double"),
Lte: Number("double"),
Eq: Number("double"),
Gt: Number("double"),
Lt: Number("double"),
},
],
SeverityLabel: "<StringFilterList>",
Confidence: [
{
Gte: Number("double"),
Lte: Number("double"),
Eq: Number("double"),
Gt: Number("double"),
Lt: Number("double"),
},
],
Criticality: [
{
Gte: Number("double"),
Lte: Number("double"),
Eq: Number("double"),
Gt: Number("double"),
Lt: Number("double"),
},
],
Title: "<StringFilterList>",
Description: "<StringFilterList>",
RecommendationText: "<StringFilterList>",
SourceUrl: "<StringFilterList>",
ProductFields: [ // MapFilterList
{ // MapFilter
Key: "STRING_VALUE",
Value: "STRING_VALUE",
Comparison: "EQUALS" || "NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
ProductName: "<StringFilterList>",
CompanyName: "<StringFilterList>",
UserDefinedFields: [
{
Key: "STRING_VALUE",
Value: "STRING_VALUE",
Comparison: "EQUALS" || "NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
MalwareName: "<StringFilterList>",
MalwareType: "<StringFilterList>",
MalwarePath: "<StringFilterList>",
MalwareState: "<StringFilterList>",
NetworkDirection: "<StringFilterList>",
NetworkProtocol: "<StringFilterList>",
NetworkSourceIpV4: [ // IpFilterList
{ // IpFilter
Cidr: "STRING_VALUE",
},
],
NetworkSourceIpV6: [
{
Cidr: "STRING_VALUE",
},
],
NetworkSourcePort: [
{
Gte: Number("double"),
Lte: Number("double"),
Eq: Number("double"),
Gt: Number("double"),
Lt: Number("double"),
},
],
NetworkSourceDomain: "<StringFilterList>",
NetworkSourceMac: "<StringFilterList>",
NetworkDestinationIpV4: [
{
Cidr: "STRING_VALUE",
},
],
NetworkDestinationIpV6: [
{
Cidr: "STRING_VALUE",
},
],
NetworkDestinationPort: "<NumberFilterList>",
NetworkDestinationDomain: "<StringFilterList>",
ProcessName: "<StringFilterList>",
ProcessPath: "<StringFilterList>",
ProcessPid: "<NumberFilterList>",
ProcessParentPid: "<NumberFilterList>",
ProcessLaunchedAt: [
{
Start: "STRING_VALUE",
End: "STRING_VALUE",
DateRange: {
Value: Number("int"),
Unit: "DAYS",
},
},
],
ProcessTerminatedAt: "<DateFilterList>",
ThreatIntelIndicatorType: "<StringFilterList>",
ThreatIntelIndicatorValue: "<StringFilterList>",
ThreatIntelIndicatorCategory: "<StringFilterList>",
ThreatIntelIndicatorLastObservedAt: "<DateFilterList>",
ThreatIntelIndicatorSource: "<StringFilterList>",
ThreatIntelIndicatorSourceUrl: "<StringFilterList>",
ResourceType: "<StringFilterList>",
ResourceId: "<StringFilterList>",
ResourcePartition: "<StringFilterList>",
ResourceRegion: "<StringFilterList>",
ResourceTags: [
{
Key: "STRING_VALUE",
Value: "STRING_VALUE",
Comparison: "EQUALS" || "NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
ResourceAwsEc2InstanceType: "<StringFilterList>",
ResourceAwsEc2InstanceImageId: "<StringFilterList>",
ResourceAwsEc2InstanceIpV4Addresses: [
{
Cidr: "STRING_VALUE",
},
],
ResourceAwsEc2InstanceIpV6Addresses: "<IpFilterList>",
ResourceAwsEc2InstanceKeyName: "<StringFilterList>",
ResourceAwsEc2InstanceIamInstanceProfileArn: "<StringFilterList>",
ResourceAwsEc2InstanceVpcId: "<StringFilterList>",
ResourceAwsEc2InstanceSubnetId: "<StringFilterList>",
ResourceAwsEc2InstanceLaunchedAt: "<DateFilterList>",
ResourceAwsS3BucketOwnerId: "<StringFilterList>",
ResourceAwsS3BucketOwnerName: "<StringFilterList>",
ResourceAwsIamAccessKeyUserName: "<StringFilterList>",
ResourceAwsIamAccessKeyPrincipalName: "<StringFilterList>",
ResourceAwsIamAccessKeyStatus: "<StringFilterList>",
ResourceAwsIamAccessKeyCreatedAt: "<DateFilterList>",
ResourceAwsIamUserUserName: "<StringFilterList>",
ResourceContainerName: "<StringFilterList>",
ResourceContainerImageId: "<StringFilterList>",
ResourceContainerImageName: "<StringFilterList>",
ResourceContainerLaunchedAt: "<DateFilterList>",
ResourceDetailsOther: [
{
Key: "STRING_VALUE",
Value: "STRING_VALUE",
Comparison: "EQUALS" || "NOT_EQUALS" || "CONTAINS" || "NOT_CONTAINS",
},
],
ComplianceStatus: "<StringFilterList>",
VerificationState: "<StringFilterList>",
WorkflowState: "<StringFilterList>",
WorkflowStatus: "<StringFilterList>",
RecordState: "<StringFilterList>",
RelatedFindingsProductArn: "<StringFilterList>",
RelatedFindingsId: "<StringFilterList>",
NoteText: "<StringFilterList>",
NoteUpdatedAt: "<DateFilterList>",
NoteUpdatedBy: "<StringFilterList>",
Keyword: [ // KeywordFilterList
{ // KeywordFilter
Value: "STRING_VALUE",
},
],
FindingProviderFieldsConfidence: "<NumberFilterList>",
FindingProviderFieldsCriticality: "<NumberFilterList>",
FindingProviderFieldsRelatedFindingsId: "<StringFilterList>",
FindingProviderFieldsRelatedFindingsProductArn: "<StringFilterList>",
FindingProviderFieldsSeverityLabel: "<StringFilterList>",
FindingProviderFieldsSeverityOriginal: "<StringFilterList>",
FindingProviderFieldsTypes: "<StringFilterList>",
Sample: [ // BooleanFilterList
{ // BooleanFilter
Value: true || false,
},
],
ComplianceSecurityControlId: "<StringFilterList>",
ComplianceAssociatedStandardsId: "<StringFilterList>",
VulnerabilitiesExploitAvailable: "<StringFilterList>",
VulnerabilitiesFixAvailable: "<StringFilterList>",
ComplianceSecurityControlParametersName: "<StringFilterList>",
ComplianceSecurityControlParametersValue: "<StringFilterList>",
AwsAccountName: "<StringFilterList>",
ResourceApplicationName: "<StringFilterList>",
ResourceApplicationArn: "<StringFilterList>",
},
GroupByAttribute: "STRING_VALUE", // required
};
const command = new CreateInsightCommand(input);
const response = await client.send(command);
// { // CreateInsightResponse
// InsightArn: "STRING_VALUE", // required
// };
Example Usage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
// The following example creates a custom insight in Security Hub. An insight is a collection of findings that
relate to a security issue.
const input = {
"Filters": {
"ResourceType": [
{
"Comparison": "EQUALS",
"Value": "AwsIamRole"
}
],
"SeverityLabel": [
{
"Comparison": "EQUALS",
"Value": "CRITICAL"
}
]
},
"GroupByAttribute": "ResourceId",
"Name": "Critical role findings"
};
const command = new CreateInsightCommand(input);
const response = await client.send(command);
/* response ==
{
"InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef
-EXAMPLE11111"
}
*\/
// example id: to-create-a-custom-insight-1675354046628
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JavaScriptLn 1, Col 1
Errors: 0 Warnings: 0Errors: 0 Warnings: 0
JavaScriptLn 1, Col 1
Errors: 0 Warnings: 0Errors: 0 Warnings: 0
CreateInsightCommand Input
See CreateInsightCommandInput for more details
Parameter | Type | Description |
|---|
Parameter | Type | Description |
|---|---|---|
FiltersRequired | AwsSecurityFindingFilters | undefined | One or more attributes used to filter the findings included in the insight. The insight only includes findings that match the criteria defined in the filters. |
GroupByAttributeRequired | string | undefined | The attribute used to group the findings for the insight. The grouping attribute identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers. |
NameRequired | string | undefined | The name of the custom insight to create. |
CreateInsightCommand Output
See CreateInsightCommandOutput for details
Parameter | Type | Description |
|---|
Parameter | Type | Description |
|---|---|---|
$metadataRequired | ResponseMetadata | Metadata pertaining to this request. |
InsightArnRequired | string | undefined | The ARN of the insight created. |
Throws
Name | Fault | Details |
|---|
Name | Fault | Details |
|---|---|---|
| InternalException | server | Internal server error. |
| InvalidAccessException | client | The account doesn't have permission to perform this action. |
| InvalidInputException | client | The request was rejected because you supplied an invalid or out-of-range value for an input parameter. |
| LimitExceededException | client | The request was rejected because it attempted to create resources beyond the current Amazon Web Services account or throttling limits. The error code describes the limit exceeded. |
| ResourceConflictException | client | The resource specified in the request conflicts with an existing resource. |
| SecurityHubServiceException | Base exception class for all service exceptions from SecurityHub service. |