Managing custom insights - AWS Security Hub

Managing custom insights

In addition to the AWS Security Hub managed insights, you can create custom insights to track issues and resources that are specific to your environment.

You can create completely new custom insights, or start from an existing custom or managed insight.

Each insight is configured with the following options.

  • The grouping attribute. The grouping attribute determines the items that are displayed in the insight results list. For example, if the grouping attribute is Product name, then the insight results display the number of findings associated with each finding provider.

  • Optional filters. The filters narrow down the matching findings for the insight.

    When querying your findings, Security Hub applies AND logic to the set of filters. In other words, a finding only matches if it matches all of the provided filters. For example, if the filters are "Product name is GuardDuty" and "Resource type is AwsS3Bucket", then matching findings must match both of these criteria.

    However, Security Hub applies OR logic to filters that use the same attribute but different values. For example, if the filters are "Product name is GuardDuty" and "Product name is Amazon Inspector", then a finding matches if it was generated by either GuardDuty or Amazon Inspector.

Creating a new custom insight (Console)

From the console, you can create a completely new insight.

To create an insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose Create insight.

  4. To select the grouping attribute for the insight:

    1. Choose the Add filter field.

    2. Choose Group by.

    3. Select the attribute to use to group the findings associated with this insight.

    4. Choose Apply.

  5. (Optional) Choose any additional filters to use for this insight. For each filter, define the filter criteria, then choose Apply.

  6. Choose Create insight.

  7. Enter an Insight name, then choose Create insight.

Creating a new custom insight (API)

To create a new custom insight from the Security Hub API, use the CreateInsight operation.
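
The filter logic described earlier (AND across different attributes, OR across values of the same attribute) maps onto the CreateInsight request as sketched below. This is an added example, not code from the AWS documentation. The sample findings are constructed, the product name strings follow this page's wording, and the local matcher is a simplified model that handles only EQUALS on two attributes.

```python
from collections import Counter

# Constructed sample findings, reduced to the ASFF fields used below.
SAMPLE_FINDINGS = [
    {"ProductName": "GuardDuty",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    {"ProductName": "Amazon Inspector",
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}]},
    {"ProductName": "GuardDuty",
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}]},
    {"ProductName": "Macie",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
]

def build_insight_request(name, group_by, criteria):
    """Turn (filter_attribute, value) pairs into CreateInsight parameters.
    Repeating an attribute appends to the same list, which expresses OR."""
    filters = {}
    for attribute, value in criteria:
        filters.setdefault(attribute, []).append(
            {"Value": value, "Comparison": "EQUALS"})
    return {"Name": name, "GroupByAttribute": group_by, "Filters": filters}

# How each filter attribute reads a finding (only the two used here).
EXTRACT = {
    "ProductName": lambda f: {f["ProductName"]},
    "ResourceType": lambda f: {r["Type"] for r in f["Resources"]},
}

def matches(finding, filters):
    """AND across attributes, OR across the values listed for one attribute."""
    return all(
        any(c["Value"] in EXTRACT[attr](finding) for c in conditions)
        for attr, conditions in filters.items())

def preview(request, findings):
    """Local stand-in for the insight results: matching findings per resource ID."""
    counts = Counter()
    for f in findings:
        if matches(f, request["Filters"]):
            counts.update(r["Id"] for r in f["Resources"])
    return dict(counts)

def create_insight(request):
    """Send the request to Security Hub; needs boto3 and AWS credentials."""
    import boto3
    return boto3.client("securityhub").create_insight(**request)["InsightArn"]
```

Running preview() on a request before calling create_insight() shows whether a repeated attribute widened the match set (OR) where a narrower AND was intended.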

Modifying a custom insight (Console)

You can modify an existing custom insight to change the grouping value and filters. After you make the changes, you can save the updates to the original insight, or save the updated version as a new insight.

To modify an insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the custom insight to modify.

  4. To change the attribute used to group findings in the insight:

    1. Remove the existing grouping. To do this, choose the circled X next to Group by.

    2. Choose Add filter.

    3. Select the attribute to use for grouping.

    4. Choose Apply.

  5. To remove a filter from the insight, choose the circled X next to the filter.

  6. To add a filter to the insight:

    1. Choose Add filter.

    2. Select the attribute and value to use as a filter.

    3. Choose Apply.

  7. When you complete the updates, choose Save insight.

  8. When prompted, do one of the following:

    • To update the existing insight to reflect your changes, choose Update <Insight_Name> and then choose Save insight.

    • To create a new insight with the updates, choose Save new insight. Enter an Insight name, and then choose Save insight.

Modifying a custom insight (API)

To update the configuration of a custom insight, use the UpdateInsight operation.

Creating a new custom insight from a managed insight (Console)

You cannot save changes to or delete a managed insight. However, you can use a managed insight as the basis for a new custom insight.

To create a new custom insight from a managed insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the managed insight to work from.

  4. To change the attribute used to group findings in the insight:

    1. Remove the existing grouping. To do this, choose the circled X next to Group by.

    2. Choose Add filter.

    3. Select the attribute to use for grouping.

    4. Choose Apply.

  5. To remove a filter from the insight, choose the circled X next to the filter.

  6. To add a filter to the insight:

    1. Choose Add filter.

    2. Select the attribute to use as a filter.

    3. Choose Apply.

  7. When your updates are complete, choose Create insight.

  8. When prompted, enter an Insight name, then choose Create insight.

Deleting a custom insight (Console)

When you no longer want a custom insight, you can delete it. You cannot delete managed insights.

To delete a custom insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Locate the custom insight to delete.

  4. For that insight, choose the more options icon (the three dots in the top-left corner of the card).

  5. Choose Delete.

Deleting a custom insight (API)

To delete a custom insight from the Security Hub API, use the DeleteInsight operation.