AWS Security Hub
User Guide

Custom Insights

Important

Currently, AWS Security Hub is in Preview release.

Use the following procedure to create custom Security Hub insights to track security issues that are unique to your AWS environment and usage.

  1. Open the Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. To start creating an insight, either choose Create insight or select one of your existing managed or custom insights. If you choose Create insight, the Filter field is initially empty; use it to specify the Group by aggregator and the optional filters that define which findings are included in this insight. If you choose an existing insight, use the Filter field to edit its Group by aggregator and optional filters. You can then save these changes as the new custom insight.

    Note

    For optional filters, AND logic is applied across the filters that you specify when querying your findings. However, OR logic is applied to multiple filters that use the same attribute with different values.

  4. After you complete the previous step, you can use the Filter field to select one attribute for the Group by aggregator for this insight, and one or more attributes from the available attribute list as the optional filters for this insight. Choose Apply for every filter that you select.

    You can use one of the following attributes as the Group by aggregator:

    Important

    You can only have one Group by aggregator (one attribute/value pair) in a Security Hub insight.

    • AwsAccountId

    • CompanyName

    • ComplianceStatus

    • GeneratorId

    • MalwareName

    • ProcessName

    • ThreatIntelIndicatorType

    • ProductArn

    • ProductName

    • RecordState

    • ResourceAwsEc2InstanceImageId

    • ResourceAwsEc2InstanceIpV4Addresses

    • ResourceAwsEc2InstanceIpV6Addresses

    • ResourceAwsEc2InstanceKeyName

    • ResourceAwsEc2InstanceSubnetId

    • ResourceAwsEc2InstanceType

    • ResourceAwsEc2InstanceVpcId

    • ResourceAwsIamAccessKeyUserName

    • ResourceAwsS3BucketOwnerName

    • ResourceContainerImageId

    • ResourceContainerImageName

    • ResourceContainerName

    • ResourceId

    • ResourceType

    • SeverityLabel

    • SourceUrl

    • Type

    • VerificationState

    • WorkflowState

    You can use all of the AWS Security Finding format's attributes as optional filters for your insights.

    For the complete list of AWS Security Finding format attributes and their descriptions, see AWS Security Finding Format.

  5. After you have selected the Group by aggregator and optional filters for your insight, choose Create insight.

  6. Specify the name for the new insight and choose Ok.
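The following added example (not part of the original guide and not Security Hub's own code) models how an insight built with this procedure selects and groups findings: filters on different attributes are combined with AND, filters on the same attribute with different values are combined with OR, and exactly one Group by aggregator is allowed. It assumes findings are flattened into dictionaries keyed by the filter attribute names and that filters match by equality; the function names, account IDs, and sample findings are constructed for illustration.

```python
from collections import Counter, defaultdict

# Group by aggregators listed in the procedure above.
GROUP_BY_ATTRIBUTES = set("""
AwsAccountId CompanyName ComplianceStatus GeneratorId MalwareName ProcessName
ThreatIntelIndicatorType ProductArn ProductName RecordState
ResourceAwsEc2InstanceImageId ResourceAwsEc2InstanceIpV4Addresses
ResourceAwsEc2InstanceIpV6Addresses ResourceAwsEc2InstanceKeyName
ResourceAwsEc2InstanceSubnetId ResourceAwsEc2InstanceType
ResourceAwsEc2InstanceVpcId ResourceAwsIamAccessKeyUserName
ResourceAwsS3BucketOwnerName ResourceContainerImageId
ResourceContainerImageName ResourceContainerName ResourceId ResourceType
SeverityLabel SourceUrl Type VerificationState WorkflowState
""".split())

def matches(finding, filters):
    """filters is a list of (attribute, value) pairs, one per applied filter."""
    allowed = defaultdict(set)
    for attribute, value in filters:
        allowed[attribute].add(value)  # same attribute, different values: OR
    # Different attributes: AND. A finding lacking an attribute does not match.
    return all(finding.get(a) in values for a, values in allowed.items())

def evaluate_insight(findings, group_by, filters):
    """Return (group value, matching finding count) pairs, largest group first."""
    if group_by not in GROUP_BY_ATTRIBUTES:
        raise ValueError(f"{group_by} is not a Group by aggregator")
    counts = Counter(f[group_by] for f in findings
                     if group_by in f and matches(f, filters))
    return counts.most_common()

def _finding(account, resource_type, severity, state):
    return {"AwsAccountId": account, "ResourceType": resource_type,
            "SeverityLabel": severity, "RecordState": state}

# Constructed sample findings and filters (hypothetical account IDs).
SAMPLE_FINDINGS = [
    _finding("111111111111", "AwsEc2Instance", "HIGH", "ACTIVE"),
    _finding("111111111111", "AwsEc2Instance", "CRITICAL", "ACTIVE"),
    _finding("222222222222", "AwsEc2Instance", "HIGH", "ACTIVE"),
    _finding("222222222222", "AwsS3Bucket", "HIGH", "ACTIVE"),
    _finding("111111111111", "AwsEc2Instance", "LOW", "ACTIVE"),
    _finding("222222222222", "AwsEc2Instance", "CRITICAL", "ARCHIVED"),
]
SAMPLE_FILTERS = [("SeverityLabel", "HIGH"), ("SeverityLabel", "CRITICAL"),
                  ("RecordState", "ACTIVE"), ("ResourceType", "AwsEc2Instance")]

if __name__ == "__main__":
    print(evaluate_insight(SAMPLE_FINDINGS, "AwsAccountId", SAMPLE_FILTERS))
```

If the two SeverityLabel filters were combined with AND instead of OR, no finding could match, because a finding carries a single severity label.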

Note

You can also save the changes that you made to an existing custom or managed insight as a new custom insight. For more information, see the To manage custom insights procedure in Insights in AWS Security Hub.