Custom insights - AWS Security Hub

Custom insights

In addition to the AWS Security Hub managed insights, you can create custom insights in Security Hub to track issues that are specific to your environment. Custom insights provide a way to track a curated subset of issues.

Here are some examples of custom insights that may be useful to set up:

  • If you own an administrator account, you can set up a custom insight to track critical and high severity findings that are affecting member accounts.

  • If you rely on a specific integrated AWS service, you can set up a custom insight to track critical and high severity findings from that service.

  • If you rely on a third-party integration, you can set up a custom insight to track critical and high severity findings from that integrated product.

You can create completely new custom insights, or start from an existing custom or managed insight.

Each insight is configured with the following options.

  • Grouping attribute – The grouping attribute determines which items are displayed in the insight results list. For example, if the grouping attribute is Product name, then the insight results display the number of findings that are associated with each finding provider.

  • Optional filters – The filters narrow down the matching findings for the insight.

    When querying your findings, Security Hub applies Boolean AND logic to the set of filters. In other words, a finding only matches if it matches all of the provided filters. For example, if the filters are "Product name is GuardDuty" and "Resource type is AwsS3Bucket," then matching findings must match both of these criteria.

    However, Security Hub applies Boolean OR logic to filters that use the same attribute but different values. For example, if the filters are "Product name is GuardDuty" and "Product name is Amazon Inspector," then a finding matches if it was generated by either GuardDuty or Amazon Inspector.

Note that if you use the resource identifier or resource type as the grouping attribute, then the insight results include all of the resources that are in the matching findings. The list is not limited to resources that match a resource type filter. For example, an insight identifies findings that are associated with S3 buckets, and groups those findings by resource identifier. A matching finding contains both an S3 bucket resource and an IAM access key resource. The insight results include both resources.
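The following Python is an added example, not part of the AWS documentation or the Security Hub service code. It models the matching and grouping rules described above over a handful of constructed findings (simplified ASFF-shaped records, not real data): filters on different attributes are ANDed, values of the same attribute are ORed, and grouping by ResourceId counts every resource in a matching finding, not only the resources that satisfied a ResourceType filter. The Filters dictionary it builds has the same shape as the CreateInsight Filters parameter and the CLI's --filters JSON; the matching and counting functions are a local re-implementation for illustration only.

```python
"""Local model of Security Hub insight filter and grouping semantics.

Added example: the findings below are constructed, simplified ASFF-like
records, and the matching logic is a local illustration, not the service's.
"""
from collections import Counter

# Constructed sample findings (not real data). Only the fields this model reads.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111122223333", "ProductName": "GuardDuty",
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket-1"},
                   {"Type": "AwsIamAccessKey", "Id": "AKIAEXAMPLEKEY000001"}]},
    {"AwsAccountId": "111122223333", "ProductName": "Inspector",
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example000000001"}]},
    {"AwsAccountId": "444455556666", "ProductName": "GuardDuty",
     "Severity": {"Label": "LOW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket-2"}]},
    {"AwsAccountId": "444455556666", "ProductName": "Security Hub",
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsIamRole",
                    "Id": "arn:aws:iam::444455556666:role/example-role"}]},
]


def string_filter(*values):
    """StringFilter list for one attribute; several values are ORed together."""
    return [{"Comparison": "EQUALS", "Value": v} for v in values]


def build_create_insight_request(name, filters, group_by_attribute):
    """Request body in the shape CreateInsight takes (same JSON as the CLI's
    --filters argument). Pass it to boto3 as create_insight(**request)."""
    return {"Name": name, "Filters": filters, "GroupByAttribute": group_by_attribute}


def _values(finding, attribute):
    """All values a finding carries for a filter/grouping attribute.
    Resource attributes are multi-valued because a finding lists resources."""
    if attribute == "ProductName":
        return [finding["ProductName"]]
    if attribute == "SeverityLabel":
        return [finding["Severity"]["Label"]]
    if attribute == "AwsAccountId":
        return [finding["AwsAccountId"]]
    if attribute == "ResourceType":
        return [r["Type"] for r in finding["Resources"]]
    if attribute == "ResourceId":
        return [r["Id"] for r in finding["Resources"]]
    raise KeyError(f"attribute {attribute!r} is not modelled in this example")


def _one_matches(values, sf):
    if sf["Comparison"] == "EQUALS":
        return sf["Value"] in values
    if sf["Comparison"] == "PREFIX":
        return any(v.startswith(sf["Value"]) for v in values)
    raise ValueError(f"comparison {sf['Comparison']!r} is not modelled in this example")


def finding_matches(finding, filters):
    """Boolean AND across attributes, Boolean OR across values of one attribute."""
    for attribute, string_filters in filters.items():
        values = _values(finding, attribute)
        if not any(_one_matches(values, sf) for sf in string_filters):
            return False
    return True


def insight_results(findings, filters, group_by_attribute):
    """Count of matching findings per grouping value. When grouping by
    ResourceId or ResourceType, every resource of a matching finding is
    counted, even resources that did not satisfy a resource filter."""
    counts = Counter()
    for finding in findings:
        if finding_matches(finding, filters):
            counts.update(_values(finding, group_by_attribute))
    return dict(counts)


if __name__ == "__main__":
    # Different attributes AND together: GuardDuty findings on S3 buckets.
    both = {"ProductName": string_filter("GuardDuty"),
            "ResourceType": string_filter("AwsS3Bucket")}
    print(insight_results(SAMPLE_FINDINGS, both, "ProductName"))
    # Same attribute, two values: OR together.
    either = {"ProductName": string_filter("GuardDuty", "Inspector")}
    print(insight_results(SAMPLE_FINDINGS, either, "ProductName"))
    # Grouping by ResourceId also lists the IAM access key from the matching finding.
    print(insight_results(SAMPLE_FINDINGS, {"ResourceType": string_filter("AwsS3Bucket")},
                          "ResourceId"))
    print(build_create_insight_request("GuardDuty S3 findings", both, "ResourceId"))
```

The request dictionary returned by build_create_insight_request is what you would hand to a boto3 Security Hub client's create_insight call; nothing in the block contacts AWS, so it runs offline.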

Creating a custom insight (console)

From the console, you can create a completely new insight.

To create a custom insight
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose Create insight.

  4. To select the grouping attribute for the insight:

    1. Choose the search box to display the filter options.

    2. Choose Group by.

    3. Select the attribute to use to group the findings that are associated with this insight.

    4. Choose Apply.

  5. (Optional) Choose any additional filters to use for this insight. For each filter, define the filter criteria, and then choose Apply.

  6. Choose Create insight.

  7. Enter an Insight name, then choose Create insight.

Creating a custom insight (programmatic)

Choose your preferred method, and follow the steps to programmatically create a custom insight in Security Hub. You can specify filters to narrow down the collection of findings in the insight to a specific subset.

The following tabs include instructions in a few languages for creating a custom insight. For support in additional languages, see Tools to Build on AWS.

Security Hub API
  1. Run the CreateInsight operation.

  2. Populate the Name parameter with a name for your custom insight.

  3. Populate the Filters parameter to specify which findings to include in the insight.

  4. Populate the GroupByAttribute parameter to specify which attribute is used to group the findings that are included in the insight.

  5. Optionally, populate the SortCriteria parameter to sort the findings by a specific field.

If you've enabled cross-region aggregation and call this API from the aggregation Region, the insight applies to matching findings in the aggregation and linked Regions.

AWS CLI
  1. At the command line, run the create-insight command.

  2. Populate the name parameter with a name for your custom insight.

  3. Populate the filters parameter to specify which findings to include in the insight.

  4. Populate the group-by-attribute parameter to specify which attribute is used to group the findings that are included in the insight.

If you've enabled cross-region aggregation and run this command from the aggregation Region, the insight applies to matching findings from the aggregation and linked Regions.

aws securityhub create-insight --name <insight name> --filters <filter values> --group-by-attribute <attribute name>

Example

aws securityhub create-insight --name "Critical role findings" --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' --group-by-attribute "ResourceId"

PowerShell
  1. Use the New-SHUBInsight cmdlet.

  2. Populate the Name parameter with a name for your custom insight.

  3. Populate the Filter parameter to specify which findings to include in the insight.

  4. Populate the GroupByAttribute parameter to specify which attribute is used to group the findings that are included in the insight.

If you've enabled cross-region aggregation and use this cmdlet from the aggregation Region, the insight applies to matching findings from the aggregation and linked Regions.

Example

# Each hashtable entry must be separated by a semicolon or a newline.
$Filter = @{
    AwsAccountId = [Amazon.SecurityHub.Model.StringFilter]@{ Comparison = "EQUALS"; Value = "XXX" }
    ComplianceStatus = [Amazon.SecurityHub.Model.StringFilter]@{ Comparison = "EQUALS"; Value = 'FAILED' }
}
New-SHUBInsight -Filter $Filter -Name TestInsight -GroupByAttribute ResourceId

Modifying a custom insight (console)

You can modify an existing custom insight to change the grouping value and filters. After you make the changes, you can save the updates to the original insight, or save the updated version as a new insight.

To modify an insight
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the custom insight to modify.

  4. Edit the insight configuration as needed.

    • To change the attribute used to group findings in the insight:

      1. To remove the existing grouping, choose the X next to the Group by setting.

      2. Choose the search box.

      3. Select the attribute to use for grouping.

      4. Choose Apply.

    • To remove a filter from the insight, choose the circled X next to the filter.

    • To add a filter to the insight:

      1. Choose the search box.

      2. Select the attribute and value to use as a filter.

      3. Choose Apply.

  5. When you complete the updates, choose Save insight.

  6. When prompted, do one of the following:

    • To update the existing insight to reflect your changes, choose Update <Insight_Name> and then choose Save insight.

    • To create a new insight with the updates, choose Save new insight. Enter an Insight name, and then choose Save insight.

Modifying a custom insight (programmatic)

To modify a custom insight, choose your preferred method, and follow the instructions.

Security Hub API
  1. Run the UpdateInsight operation.

  2. To identify the custom insight, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, run the GetInsights operation.

  3. Update the Name, Filters, and GroupByAttribute parameters as needed.

AWS CLI
  1. At the command line, run the update-insight command.

  2. To identify the custom insight, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, run the get-insights command.

  3. Update the name, filters, and group-by-attribute parameters as needed.

aws securityhub update-insight --insight-arn <insight ARN> [--name <new name>] [--filters <new filters>] [--group-by-attribute <new grouping attribute>]

Example

aws securityhub update-insight --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' --name "High severity role findings"

PowerShell
  1. Use the Update-SHUBInsight cmdlet.

  2. To identify the custom insight, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the Get-SHUBInsight cmdlet.

  3. Update the Name, Filter, and GroupByAttribute parameters as needed.

Example

# Each hashtable entry must be separated by a semicolon or a newline.
$Filter = @{
    ResourceType = [Amazon.SecurityHub.Model.StringFilter]@{ Comparison = "EQUALS"; Value = "AwsIamRole" }
    SeverityLabel = [Amazon.SecurityHub.Model.StringFilter]@{ Comparison = "EQUALS"; Value = "HIGH" }
}
Update-SHUBInsight -InsightArn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" -Filter $Filter -Name "High severity role findings"

Creating a new custom insight from a managed insight (console)

You cannot save changes to or delete a managed insight. You can use a managed insight as the basis for a new custom insight.

To create a new custom insight from a managed insight
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the managed insight to work from.

  4. Edit the insight configuration as needed.

    • To change the attribute used to group findings in the insight:

      1. To remove the existing grouping, choose the X next to the Group by setting.

      2. Choose the search box.

      3. Select the attribute to use for grouping.

      4. Choose Apply.

    • To remove a filter from the insight, choose the circled X next to the filter.

    • To add a filter to the insight:

      1. Choose the search box.

      2. Select the attribute and value to use as a filter.

      3. Choose Apply.

  5. When your updates are complete, choose Create insight.

  6. When prompted, enter an Insight name, and then choose Create insight.

Deleting a custom insight (console)

When you no longer want a custom insight, you can delete it. You cannot delete managed insights.

To delete a custom insight
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Locate the custom insight to delete.

  4. For that insight, choose the more options icon (the three dots in the top-right corner of the card).

  5. Choose Delete.

Deleting a custom insight (programmatic)

To delete a custom insight, choose your preferred method, and follow the instructions.

Security Hub API
  1. Run the DeleteInsight operation.

  2. To identify the custom insight to delete, provide the insight's ARN. To get the ARN of a custom insight, run the GetInsights operation.

AWS CLI
  1. At the command line, run the delete-insight command.

  2. To identify the custom insight, provide the insight's ARN. To get the ARN of a custom insight, run the get-insights command.

aws securityhub delete-insight --insight-arn <insight ARN>

Example

aws securityhub delete-insight --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

PowerShell
  1. Use the Remove-SHUBInsight cmdlet.

  2. To identify the custom insight, provide the insight's ARN. To get the ARN of a custom insight, use the Get-SHUBInsight cmdlet.

Example

Remove-SHUBInsight -InsightArn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"