Viewing and taking action on insight results and findings - AWS Security Hub

For each insight, AWS Security Hub first determines the findings that match the filter criteria, and then uses the grouping attribute to group the matching findings.

From the Insights console page, you can view and take action on the results and findings.

Viewing and taking action on insight results (console)

The insight results consist of a grouped list of the results for the insight. For example, if the insight is grouped by resource identifiers, then the insight results are the list of resource identifiers. Each item in the results list indicates the number of matching findings for that item.

Note that if the findings are grouped by resource identifier or resource type, then the results include all of the resources in the matching findings. This includes resources that have a different type from the resource type specified in the filter criteria. For example, an insight identifies findings that are associated with S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, then the insight results list both of those resources.

The results list is sorted from most to fewest matching findings.

Security Hub can only display 100 results. If there are more than 100 grouping values, you only see the first 100.

In addition to the results list, the insight results display a set of charts summarizing the number of matching findings for the following attributes.

  • Severity label – Number of findings for each severity label

  • AWS account ID – Top five account IDs for the matching findings

  • Resource type – Top five resource types for the matching findings

  • Resource ID – Top five resource IDs for the matching findings

  • Product name – Top five finding providers for the matching findings

If you have configured custom actions, then you can send selected results to a custom action. The action must be associated with a CloudWatch rule for the Security Hub Insight Results event type. See Automated response and remediation.

If you have not configured custom actions, then the Actions menu is disabled.

To display and take action on the list of insight results

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. To display the list of insight results, choose the insight name.

  4. Select the check box for each result to send to the custom action.

  5. From the Actions menu, choose the custom action.

Viewing insight results (Security Hub API, AWS CLI)

To view insight results, you can use an API call or the AWS Command Line Interface.

To view insight results (Security Hub API, AWS CLI)

  • Security Hub API – Use the GetInsightResults operation. To identify the insight to return results for, you need the insight ARN. To obtain the insight ARNs for custom insights, use the GetInsights operation.

  • AWS CLI – At the command line, run the get-insight-results command.

    aws securityhub get-insight-results --insight-arn <insight ARN>

    Example:

    aws securityhub get-insight-results --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Viewing findings for an insight result (console)

From the insight results list, you can display the list of findings for each result.

To display and take action on insight findings

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Insights.

  3. To display the list of insight results, choose the insight name.

  4. To display the list of findings for an insight result, choose the item from the results list.

The findings list shows the active findings for the selected insight result that have a workflow status of NEW or NOTIFIED.
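The following is an added example, not part of the AWS documentation. It ranks a GetInsightResults response and builds a GetFindings filter for one result, approximating the findings list described above. The sample data is constructed, and the idea that pinning the grouping attribute plus RecordState and WorkflowStatus reproduces the console list is an assumption of this example.

```python
RESULT_LIMIT = 100  # the page states that at most 100 results are shown

# Constructed sample data in the shape GetInsights / GetInsightResults return.
# Live data: boto3.client("securityhub").get_insights(InsightArns=[arn]) and
# .get_insight_results(InsightArn=arn).
SAMPLE_INSIGHT = {
    "Name": "Example: findings on S3 buckets",
    "GroupByAttribute": "ResourceId",
    "Filters": {"ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}]},
}
SAMPLE_RESULTS = {"InsightResults": {
    "GroupByAttribute": "ResourceId",
    "ResultValues": [
        {"GroupByAttributeValue": "arn:aws:s3:::example-bucket-1", "Count": 7},
        # A non-S3 resource can appear because it shares a finding with a bucket.
        {"GroupByAttributeValue": "AWS::IAM::AccessKey:EXAMPLEKEYID", "Count": 2},
        {"GroupByAttributeValue": "arn:aws:s3:::example-bucket-2", "Count": 4},
    ],
}}


def ranked_results(response):
    """Return ([(value, count), ...] most findings first, possibly_truncated)."""
    values = response["InsightResults"]["ResultValues"]
    ranked = sorted(((v["GroupByAttributeValue"], v["Count"]) for v in values),
                    key=lambda pair: pair[1], reverse=True)
    return ranked, len(ranked) >= RESULT_LIMIT


def findings_filter(insight, group_value):
    """Filters for GetFindings that approximate the console's findings list."""
    # Copy the insight's own filter criteria without mutating the input.
    filters = {attr: list(conds) for attr, conds in insight["Filters"].items()}
    # Pin the grouping attribute to the selected result (string attributes only).
    filters[insight["GroupByAttribute"]] = [{"Value": group_value, "Comparison": "EQUALS"}]
    # Per the page: only active findings with workflow status NEW or NOTIFIED.
    filters["RecordState"] = [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
    filters["WorkflowStatus"] = [{"Value": s, "Comparison": "EQUALS"}
                                 for s in ("NEW", "NOTIFIED")]
    return filters


if __name__ == "__main__":
    ranked, truncated = ranked_results(SAMPLE_RESULTS)
    for value, count in ranked:
        print(f"{count:4d}  {value}")
    if truncated:
        print("result list may be truncated at", RESULT_LIMIT)
    # Pass this dict as Filters= to get_findings (MaxResults is capped at 100).
    print(findings_filter(SAMPLE_INSIGHT, ranked[0][0]))
```

A result count at the limit is treated as a sign that lower-ranked grouping values may be missing, so coverage checks should not rely on the results list alone.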

From the findings list, you can perform the following actions.