# Using custom actions to send findings and insight results to EventBridge
<a name="securityhub-cwe-custom-actions"></a>

To use AWS Security Hub CSPM custom actions to send findings or insight results to Amazon EventBridge, you first create the custom action in Security Hub CSPM. Then, you can define rules in EventBridge that apply to your custom actions.

You can create up to 50 custom actions.

If you enable cross-Region aggregation, and manage findings from the aggregation Region, then create custom actions in the aggregation Region.

The rule in EventBridge uses the Amazon Resource Name (ARN) from the custom action.

# Creating a custom action
<a name="securityhub-cwe-configure"></a>

When you create a custom action in AWS Security Hub CSPM, you specify its name, description, and a unique identifier.

A custom action is the trigger for that rule: when you apply a custom action to findings or insight results, Security Hub CSPM sends each selected item to EventBridge as an event that carries the custom action's ARN in its `resources` field. The EventBridge rules that match that ARN, and the targets attached to those rules, determine what happens next.

Choose your preferred method, and follow the steps to create a custom action.

------
#### [ Console ]

**To create a custom action in Security Hub CSPM (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings** and then choose **Custom actions**.

1. Choose **Create custom action**.

1. Provide a **Name**, **Description**, and **Custom action ID** for the action.

   The **Name** must be fewer than 20 characters.

   The **Custom action ID** must be unique for each AWS account.

1. Choose **Create custom action**.

1. Make a note of the **Custom action ARN**. You need to use the ARN when you create a rule to associate with this action in EventBridge.

------
#### [ API ]

**To create a custom action (API)**

Use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateActionTarget.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateActionTarget.html) operation. If you're using the AWS CLI, run the [create-action-target](https://docs.aws.amazon.com/cli/latest/reference/securityhub/create-action-target.html) command.

The following example creates a custom action to send findings to a remediation tool. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub create-action-target \
    --name "Send to remediation" \
    --description "Action to send the finding for remediation tracking" \
    --id "Remediation"
```

The response contains the `ActionTargetArn` of the new custom action. You use that ARN when you define the rule in EventBridge.

------

# Defining a rule in EventBridge
<a name="securityhub-cwe-define-rule"></a>

To trigger a custom action in Amazon EventBridge, you must create a corresponding rule in EventBridge. The rule definition includes the Amazon Resource Name (ARN) of the custom action.

The event pattern for a **Security Hub Findings - Custom Action** event has the following format:

```
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [ "<custom action ARN>" ]
}
```

The event pattern for a **Security Hub Insight Results** event has the following format:

```
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Insight Results"
  ],
  "resources": [ "<custom action ARN>" ]
}
```

In both patterns, `<custom action ARN>` is the ARN of a custom action. You can configure a rule that applies to more than one custom action.

The instructions provided here are for the EventBridge console. When you use the console and choose a CloudWatch Logs log group as the rule target, EventBridge automatically creates the resource-based policy that allows EventBridge to write to that log group.

You can also use the [https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutRule.html](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutRule.html) API operation of the EventBridge API. However, if you use the EventBridge API, then you must create the resource-based policy. For details on the required policy, see [CloudWatch Logs permissions](https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#cloudwatchlogs-permissions) in the *Amazon EventBridge User Guide*.

**To define a rule in EventBridge (EventBridge console)**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter a name and description for the rule.

1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select **default**. When an AWS service in your account emits an event, it always goes to your account’s default event bus.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event source**, choose **AWS events**.

1. For **Event pattern**, choose **Event pattern form**.

1. For **Event source**, choose **AWS services**.

1. For **AWS service**, choose **Security Hub**.

1. For **Event type**, do one of the following:
   + To create a rule to apply when you send findings to a custom action, choose **Security Hub Findings - Custom Action**.
   + To create a rule to apply when you send insight results to a custom action, choose **Security Hub Insight Results**.

1. Choose **Specific custom action ARNs**, and then add a custom action ARN.

   If the rule applies to multiple custom actions, choose **Add** to add more custom action ARNs.

1. Choose **Next**.

1. Under **Select targets**, choose and configure the target to invoke when this rule is matched.

1. Choose **Next**.

1. (Optional) Enter one or more tags for the rule. For more information, see [Amazon EventBridge tags](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-tagging.html) in the *Amazon EventBridge User Guide*.

1. Choose **Next**.

1. Review the details of the rule and choose **Create rule**.

   When you perform a custom action on findings or insight results in your account, events are generated in EventBridge.
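
The same setup done through the APIs, as an added example that is not part of the AWS documentation. It creates the custom action, builds the event pattern from this page (optionally for several custom action ARNs in one rule), creates the rule with `PutRule` and attaches a Lambda function as the target. The Lambda ARN, rule name and sample event are assumed values; the pattern helpers run offline, and the matcher mirrors the exact-match semantics EventBridge applies to the top-level fields the pattern uses.

```python
"""Create a Security Hub CSPM custom action and an EventBridge rule for it.

Added example (not from the AWS documentation). The helpers that build and
match the event pattern run offline; create_action_and_rule() needs boto3,
credentials with securityhub:CreateActionTarget, events:PutRule,
events:PutTargets and lambda:AddPermission, and a Lambda function as target.
The Lambda ARN, rule name and sample event below are assumed values.
"""
import json
import re

FINDINGS_DETAIL_TYPE = "Security Hub Findings - Custom Action"
INSIGHT_DETAIL_TYPE = "Security Hub Insight Results"

# Shape of the ARN that CreateActionTarget returns:
# arn:aws:securityhub:<region>:<account>:action/custom/<Custom action ID>
CUSTOM_ACTION_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:securityhub:[a-z0-9-]+:\d{12}:action/custom/[^/\s]+$"
)


def custom_action_event_pattern(action_arns, detail_type=FINDINGS_DETAIL_TYPE):
    """Return the event pattern from the page; one rule may list several ARNs."""
    if detail_type not in (FINDINGS_DETAIL_TYPE, INSIGHT_DETAIL_TYPE):
        raise ValueError(f"unsupported detail-type: {detail_type!r}")
    arns = list(action_arns)
    if not arns:
        raise ValueError("a rule needs at least one custom action ARN")
    for arn in arns:
        if not CUSTOM_ACTION_ARN_RE.match(arn):
            raise ValueError(f"not a Security Hub custom action ARN: {arn!r}")
    return {"source": ["aws.securityhub"], "detail-type": [detail_type], "resources": arns}


def pattern_matches(pattern, event):
    """Exact-match semantics EventBridge applies to the top-level fields used here:
    each field in the pattern must exist in the event, and one of the event's
    values (an array such as "resources" matches if any element matches) must be
    in the pattern's list. Nested "detail" content is not filtered by this pattern."""
    for field, allowed in pattern.items():
        if field not in event:
            return False
        values = event[field] if isinstance(event[field], list) else [event[field]]
        if not any(v in allowed for v in values):
            return False
    return True


def create_action_and_rule(name, description, action_id, rule_name, lambda_arn):
    """The CLI flow from the page, plus the rule and target. Returns (action ARN, rule ARN)."""
    import boto3  # imported here so the offline helpers work without boto3 installed

    securityhub = boto3.client("securityhub")
    events = boto3.client("events")
    lambda_client = boto3.client("lambda")

    action_arn = securityhub.create_action_target(
        Name=name, Description=description, Id=action_id
    )["ActionTargetArn"]
    rule_arn = events.put_rule(
        Name=rule_name,
        EventPattern=json.dumps(custom_action_event_pattern([action_arn])),
        State="ENABLED",
        Description=f"Security Hub custom action {action_id}",
    )["RuleArn"]
    # PutRule grants nothing by itself; a Lambda target needs an explicit invoke
    # permission scoped to this rule's ARN (the CloudWatch Logs equivalent is the
    # resource-based policy the page points to).
    lambda_client.add_permission(
        FunctionName=lambda_arn,
        StatementId=f"securityhub-{action_id}",
        Action="lambda:InvokeFunction",
        Principal="events.amazonaws.com",
        SourceArn=rule_arn,
    )
    events.put_targets(Rule=rule_name, Targets=[{"Id": "handler", "Arn": lambda_arn}])
    return action_arn, rule_arn


# Constructed event, in the shape Security Hub emits when a custom action is applied.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": FINDINGS_DETAIL_TYPE,
    "region": "us-east-1",
    "resources": ["arn:aws:securityhub:us-east-1:123456789012:action/custom/Remediation"],
    "detail": {"actionName": "Send to remediation", "findings": []},
}

if __name__ == "__main__":
    pattern = custom_action_event_pattern(SAMPLE_EVENT["resources"])
    print(json.dumps(pattern, indent=2))
    print("matches:", pattern_matches(pattern, SAMPLE_EVENT))
```

Scoping the Lambda permission with `SourceArn=rule_arn` matters: a permission for `events.amazonaws.com` without a source ARN lets any rule in any account that can target the function invoke it. If you use a CloudWatch Logs target instead, create the resource-based policy from the EventBridge user guide yourself, as the page notes.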

# Selecting a custom action for findings and insight results
<a name="securityhub-cwe-send"></a>

After you create AWS Security Hub CSPM custom actions and Amazon EventBridge rules, you can send findings and insight results to EventBridge for automatic management and processing.

Events are sent to EventBridge only in the account in which they are viewed. If you view a finding using an administrator account, the event is sent to EventBridge in the administrator account.

Because the rule target runs in the account where the event was generated, AWS API calls that the target makes only affect a member account's resources if the target code (for example, a Lambda function) assumes a role in that member account. That role must therefore be deployed to every member account in which the action needs to act.
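
A rule target that follows this cross-account model, as an added example that is not part of the AWS documentation. It re-validates that the event really is a custom-action event for an expected ARN, groups the findings by the member account that owns each resource, assumes a per-member role to tag the resource there, and then updates the finding's workflow status in the administrator account where the event was raised. The action ARN, the role name `SecurityHubRemediationRole`, the tracking tag and the sample finding are constructed for this example.

```python
"""Rule target that acts on findings from a Security Hub CSPM custom action.

Added example (not from the AWS documentation). The event shape (detail.findings
holding ASFF findings, resources holding the custom action ARN) is the one the
page describes; the action ARN, the member role name, the tracking tag and the
sample finding are constructed for this example. The handler runs in the
administrator account, so anything it changes in a member account goes through
a role that must exist in that member account.
"""
import os

EXPECTED_ACTION_ARNS = {
    "arn:aws:securityhub:us-east-1:111111111111:action/custom/Remediation",  # assumed
}
# Hypothetical role that each member account deploys and allows the admin account to assume.
MEMBER_ROLE_NAME = os.environ.get("MEMBER_ROLE_NAME", "SecurityHubRemediationRole")
TRACKING_TAG = {"SecurityHubRemediation": "pending"}  # assumed tracking convention


def validate_event(event, expected_arns=EXPECTED_ACTION_ARNS):
    """The rule filters on these fields already, but a function can be invoked by
    other rules or directly, so the target re-checks before touching anything."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event")
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        raise ValueError("not a custom-action findings event")
    if not set(event.get("resources", [])) & set(expected_arns):
        raise ValueError("event is not for an expected custom action ARN")


def plan_by_account(event):
    """Group each finding's resources by the member account that owns them."""
    validate_event(event)
    plan = {}
    for finding in event["detail"].get("findings", []):
        for resource in finding.get("Resources", []):
            plan.setdefault(finding["AwsAccountId"], []).append({
                "finding_id": finding["Id"],
                "product_arn": finding["ProductArn"],
                "resource_id": resource["Id"],
                "region": resource.get("Region", event.get("region")),
            })
    return plan


def member_session(account_id, region):
    """Switch into the member account; fail clearly if the role is not deployed there."""
    import boto3
    from botocore.exceptions import ClientError

    role_arn = f"arn:aws:iam::{account_id}:role/{MEMBER_ROLE_NAME}"
    try:
        creds = boto3.client("sts").assume_role(
            RoleArn=role_arn, RoleSessionName="securityhub-custom-action", DurationSeconds=900
        )["Credentials"]
    except ClientError as err:
        raise RuntimeError(f"cannot assume {role_arn}; is the role deployed in {account_id}?") from err
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region,
    )


def lambda_handler(event, context):
    """Tag each affected resource in its member account, then mark the finding
    NOTIFIED in the administrator account (where the event was raised)."""
    import boto3

    plan = plan_by_account(event)
    securityhub = boto3.client("securityhub")
    for account_id, items in plan.items():
        for item in items:
            session = member_session(account_id, item["region"])
            session.client("resourcegroupstaggingapi").tag_resources(
                ResourceARNList=[item["resource_id"]], Tags=TRACKING_TAG
            )
            securityhub.batch_update_findings(
                FindingIdentifiers=[{"Id": item["finding_id"], "ProductArn": item["product_arn"]}],
                Workflow={"Status": "NOTIFIED"},
                Note={"Text": "Sent to remediation tracking", "UpdatedBy": "custom-action-handler"},
            )
    return {"accounts": sorted(plan), "resources": sum(len(v) for v in plan.values())}


# Constructed event: one ASFF finding from member account 222222222222.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "region": "us-east-1",
    "resources": ["arn:aws:securityhub:us-east-1:111111111111:action/custom/Remediation"],
    "detail": {
        "actionName": "Send to remediation",
        "actionDescription": "Action to send the finding for remediation tracking",
        "findings": [{
            "Id": "arn:aws:securityhub:us-east-1:222222222222:security-control/EC2.19/finding/example",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": "222222222222",
            "Resources": [{
                "Type": "AwsEc2SecurityGroup",
                "Id": "arn:aws:ec2:us-east-1:222222222222:security-group/sg-0123456789abcdef0",
                "Region": "us-east-1",
            }],
        }],
    },
}
```

The member role's trust policy should allow only the administrator account's handler role to assume it, and its permissions should be limited to what the action needs (here `tag:TagResources`). ASFF `Resources[].Id` is an ARN for most resource types, but not all; check the type before passing the ID to an API that expects an ARN.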

**To send findings to EventBridge (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. Display a list of findings:
   + From **Findings**, you can view findings from all of the enabled product integrations and controls.
   + From **Security standards**, you can navigate to a list of findings generated from a specific control. For more information, see [Reviewing the details of controls in Security Hub CSPM](securityhub-standards-control-details.md).
   + From **Integrations**, you can navigate to a list of findings generated by an enabled integration. For more information, see [Viewing findings from a Security Hub CSPM integration](securityhub-integration-view-findings.md).
   + From **Insights**, you can navigate to a list of findings for an insight result. For more information, see [Reviewing and acting on insights in Security Hub CSPM](securityhub-insights-view-take-action.md).

1. Select the findings to send to EventBridge. You can select up to 20 findings at a time.

1. From **Actions**, choose the custom action that aligns with the EventBridge rule to apply.

   Security Hub CSPM sends a separate **Security Hub Findings - Custom Action** event for each finding.

**To send insight results to EventBridge (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. On the **Insights** page, choose the insight that includes the results to send to EventBridge.

1. Select the insight results to send to EventBridge. You can select up to 20 results at a time.

1. From **Actions**, choose the custom action that aligns with the EventBridge rule to apply.