Managing custom insights - AWS Security Hub

Managing custom insights

In addition to the AWS Security Hub managed insights, you can create custom insights to track issues and resources that are specific to your environment.

You can create completely new custom insights, or start from an existing custom or managed insight.

Each insight is configured with the following options.

  • Grouping attribute – The grouping attribute determines which items are displayed in the insight results list. For example, if the grouping attribute is Product name, then the insight results display the number of findings that are associated with each finding provider.

  • Optional filters – The filters narrow down the matching findings for the insight.

    When querying your findings, Security Hub applies Boolean AND logic to the set of filters. In other words, a finding only matches if it matches all of the provided filters. For example, if the filters are "Product name is GuardDuty" and "Resource type is AwsS3Bucket," then matching findings must match both of these criteria.

    However, Security Hub applies Boolean OR logic to filters that use the same attribute but different values. For example, if the filters are "Product name is GuardDuty" and "Product name is Amazon Inspector," then a finding matches if it was generated by either GuardDuty or Amazon Inspector.
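The AND-across-attributes / OR-within-an-attribute rule above is easiest to see by running it over a handful of findings. The Python below is an added example, not code from the AWS documentation or the Security Hub service: it models insight evaluation with the same filter shape the create-insight command on this page uses (attribute name, then a list of {"Comparison", "Value"} criteria) and only the EQUALS comparison that the page shows. The findings are constructed, and the flat attribute keys (ProductName, ResourceType, SeverityLabel, ResourceId) are an assumption made for brevity rather than the nested AWS Security Finding Format.

```python
from collections import Counter

# Constructed sample findings. Attribute keys are flattened to the filter
# attribute names used on this page; this is an assumption for the example,
# not the real nested finding format.
FINDINGS = [
    {"Id": "f-1", "ProductName": "GuardDuty", "ResourceType": "AwsS3Bucket",
     "SeverityLabel": "HIGH", "ResourceId": "arn:aws:s3:::bucket-a"},
    {"Id": "f-2", "ProductName": "GuardDuty", "ResourceType": "AwsEc2Instance",
     "SeverityLabel": "CRITICAL", "ResourceId": "i-0001"},
    {"Id": "f-3", "ProductName": "Amazon Inspector", "ResourceType": "AwsEc2Instance",
     "SeverityLabel": "HIGH", "ResourceId": "i-0001"},
    {"Id": "f-4", "ProductName": "Security Hub", "ResourceType": "AwsIamRole",
     "SeverityLabel": "CRITICAL", "ResourceId": "arn:aws:iam::123456789012:role/Admin"},
    {"Id": "f-5", "ProductName": "GuardDuty", "ResourceType": "AwsIamRole",
     "SeverityLabel": "CRITICAL", "ResourceId": "arn:aws:iam::123456789012:role/Admin"},
]

# Filters from the page's two prose examples and its create-insight example.
AND_FILTERS = {
    "ProductName": [{"Comparison": "EQUALS", "Value": "GuardDuty"}],
    "ResourceType": [{"Comparison": "EQUALS", "Value": "AwsS3Bucket"}],
}
OR_FILTERS = {
    "ProductName": [
        {"Comparison": "EQUALS", "Value": "GuardDuty"},
        {"Comparison": "EQUALS", "Value": "Amazon Inspector"},
    ],
}
CRITICAL_ROLE_FILTERS = {
    "ResourceType": [{"Comparison": "EQUALS", "Value": "AwsIamRole"}],
    "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}],
}


def attribute_matches(value, criteria):
    """OR within one attribute: any criterion on the attribute may match."""
    for criterion in criteria:
        if criterion["Comparison"] != "EQUALS":
            # Only EQUALS is shown on this page; other comparisons are out of scope here.
            raise ValueError("this example models only the EQUALS comparison")
        if value == criterion["Value"]:
            return True
    return False


def finding_matches(finding, filters):
    """AND across attributes: every filtered attribute must have a matching value.

    A finding that lacks a filtered attribute entirely cannot match it.
    """
    return all(
        attribute_matches(finding.get(attribute), criteria)
        for attribute, criteria in filters.items()
    )


def insight_results(findings, filters, group_by_attribute):
    """Return the insight results list: matching-finding counts per grouping value."""
    matched = [f for f in findings if finding_matches(f, filters)]
    return dict(Counter(f.get(group_by_attribute) for f in matched))


if __name__ == "__main__":
    # Both filters must hold: only the GuardDuty S3 bucket finding survives.
    print(insight_results(FINDINGS, AND_FILTERS, "ResourceId"))
    # Same attribute, two values: GuardDuty or Inspector findings, grouped by provider.
    print(insight_results(FINDINGS, OR_FILTERS, "ProductName"))
    # The page's create-insight example: critical IAM role findings grouped by resource.
    print(insight_results(FINDINGS, CRITICAL_ROLE_FILTERS, "ResourceId"))
```

The third call reproduces what the "Critical role findings" insight created later on this page would display: one row per IAM role ARN with the number of critical findings attached to it, which is the view that makes a repeatedly flagged role stand out.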

Creating a custom insight (console)

From the console, you can create a completely new insight.

To create a custom insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose Create insight.

  4. To select the grouping attribute for the insight:

    1. Choose the search box to display the filter options.

    2. Choose Group by.

    3. Select the attribute to use to group the findings that are associated with this insight.

    4. Choose Apply.

  5. (Optional) Choose any additional filters to use for this insight. For each filter, define the filter criteria, and then choose Apply.

  6. Choose Create insight.

  7. Enter an Insight name, then choose Create insight.

Creating a custom insight (Security Hub API, AWS CLI)

To create a custom insight, you can use an API call or the AWS Command Line Interface.

To create a custom insight (Security Hub API, AWS CLI)

  • Security Hub API – Use the CreateInsight operation. When you create a custom insight, you must provide the name, the filters, and the grouping attribute.

  • AWS CLI – At the command line, run the create-insight command.

    aws securityhub create-insight --name <insight name> --filters <filter values> --group-by-attribute <attribute name>

    Example

    aws securityhub create-insight --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' --group-by-attribute "ResourceId" --name "Critical role findings"

Modifying a custom insight (console)

You can modify an existing custom insight to change the grouping value and filters. After you make the changes, you can save the updates to the original insight, or save the updated version as a new insight.

To modify an insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the custom insight to modify.

  4. Edit the insight configuration as needed.

    • To change the attribute used to group findings in the insight:

      1. To remove the existing grouping, choose the X next to the Group by setting.

      2. Choose the search box.

      3. Select the attribute to use for grouping.

      4. Choose Apply.

    • To remove a filter from the insight, choose the circled X next to the filter.

    • To add a filter to the insight:

      1. Choose the search box.

      2. Select the attribute and value to use as a filter.

      3. Choose Apply.

  5. When you complete the updates, choose Save insight.

  6. When prompted, do one of the following:

    • To update the existing insight to reflect your changes, choose Update <Insight_Name> and then choose Save insight.

    • To create a new insight with the updates, choose Save new insight. Enter an Insight name, and then choose Save insight.

Modifying a custom insight (Security Hub API, AWS CLI)

To modify a custom insight, you can use an API call or the AWS Command Line Interface.

To modify a custom insight (Security Hub API, AWS CLI)

  • Security Hub API – Use the UpdateInsight operation. To identify the custom insight, you provide the insight ARN. To obtain the insight ARNs for custom insights, use the GetInsights operation. You can then update the name, the filters, and the grouping value.

  • AWS CLI – At the command line, run the update-insight command.

    aws securityhub update-insight --insight-arn <insight ARN> [--name <new name>] [--filters <new filters>] [--group-by-attribute <new grouping attribute>]

    Example

    aws securityhub update-insight --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' --name "High severity role findings"

Creating a new custom insight from a managed insight (console)

You cannot save changes to or delete a managed insight. You can use a managed insight as the basis for a new custom insight.

To create a new custom insight from a managed insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the managed insight to work from.

  4. Edit the insight configuration as needed.

    • To change the attribute used to group findings in the insight:

      1. To remove the existing grouping, choose the X next to the Group by setting.

      2. Choose the search box.

      3. Select the attribute to use for grouping.

      4. Choose Apply.

    • To remove a filter from the insight, choose the circled X next to the filter.

    • To add a filter to the insight:

      1. Choose the search box.

      2. Select the attribute and value to use as a filter.

      3. Choose Apply.

  5. When your updates are complete, choose Create insight.

  6. When prompted, enter an Insight name, and then choose Create insight.

Deleting a custom insight (console)

When you no longer want a custom insight, you can delete it. You cannot delete managed insights.

To delete a custom insight

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Locate the custom insight to delete.

  4. For that insight, choose the more options icon (the three dots in the top-right corner of the card).

  5. Choose Delete.

Deleting a custom insight (Security Hub API, AWS CLI)

To delete a custom insight, you can use an API call or the AWS Command Line Interface.

To delete a custom insight (Security Hub API, AWS CLI)

  • Security Hub API – Use the DeleteInsight operation. To identify the custom insight to delete, you provide the insight ARN. To obtain the insight ARNs for custom insights, use the GetInsights operation.

  • AWS CLI – At the command line, run the delete-insight command.

    aws securityhub delete-insight --insight-arn <insight ARN>

    Example

    aws securityhub delete-insight --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"