

# Viewing insights in Security Hub CSPM
<a name="securityhub-insights"></a>

In AWS Security Hub CSPM, an *insight* is a collection of related findings. An insight can identify a specific security area that requires attention and intervention. For example, an insight might point out EC2 instances that are the subject of findings that detect poor security practices. An insight brings together findings from across finding providers.

Each insight is defined by a group by statement and optional filters. The group by statement indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers. The optional filters identify the matching findings for the insight. For example, you might want to only see findings from specific providers or findings that are associated with specific types of resources.

Security Hub CSPM offers several built-in managed insights. You can't modify or delete managed insights. To track security issues that are unique to your AWS environment and usage, you can create custom insights.

The **Insights** page on the AWS Security Hub CSPM console displays the list of available insights.

By default, the list displays both managed and custom insights. To filter the insight list based on insight type, choose the insight type from the dropdown menu that is next to the filter field.
+ To display all of the available insights, choose **All insights**. This is the default option.
+ To display only managed insights, choose **Security Hub CSPM managed insights**.
+ To display only custom insights, choose **Custom insights**.

You also can filter the insight list based on the insight's name. To do so, in the filter field, type the text to use to filter the list. The filter is not case sensitive. The filter looks for insights that contain the text anywhere in the insight name.

An insight only returns results if you have enabled integrations or standards that produce matching findings. For example, the managed insight **29. Top resources by counts of failed CIS checks** only returns results if you enable a version of the Center for Internet Security (CIS) AWS Foundations Benchmark standard.

# Reviewing and acting on insights in Security Hub CSPM
<a name="securityhub-insights-view-take-action"></a>

For each insight, AWS Security Hub CSPM first determines the findings that match the filter criteria, and then uses the grouping attribute to group the matching findings.

From the **Insights** page on the console, you can view and take action on the results and findings.

If you enable cross-Region aggregation, the results for managed insights (when you're signed in to the aggregation Region) include findings from the aggregation Region and linked Regions. The results for custom insights, if the insight doesn't filter by Region, also include findings from the aggregation Region and linked Regions (when you're signed in to the aggregation Region). In other Regions, the insight results are only for that Region.

For information about configuring cross-Region aggregation, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

## Viewing and taking action on insight results
<a name="securityhub-insight-results-console"></a>

The insight results consist of a grouped list of the results for the insight. For example, if the insight is grouped by resource identifiers, then the insight results are the list of resource identifiers. Each item in the results list indicates the number of matching findings for that item.

If the findings are grouped by resource identifier or resource type, the results include all of the resources in the matching findings. This includes resources that have a different type from the resource type specified in the filter criteria. For example, an insight identifies findings that are associated with S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, the insight results include both resources.

On the Security Hub CSPM console, the results list is sorted from most to fewest matching findings. Security Hub CSPM can only display 100 results. If there are more than 100 grouping values, you only see the first 100.

In addition to the results list, the insight results display a set of charts summarizing the number of matching findings for the following attributes.
+ **Severity label** – Number of findings for each severity label
+ **AWS account ID** – Top five account IDs for the matching findings
+ **Resource type** – Top five resource types for the matching findings
+ **Resource ID** – Top five resource IDs for the matching findings
+ **Product name** – Top five finding providers for the matching findings

If you have configured custom actions, then you can send selected results to a custom action. The action must be associated with an Amazon CloudWatch rule for the `Security Hub Insight Results` event type. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md). If you have not configured custom actions, the **Actions** menu is disabled.

------
#### [ Security Hub CSPM console ]

**To view and take action on insight results (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. To display the list of insight results, choose the insight name.

1. Select the check box for each result to send to the custom action.

1. From the **Actions** menu, choose the custom action.

------
#### [ Security Hub CSPM API, AWS CLI ]

**To view and take action on insight results (API, AWS CLI)**

To view insight results, use the [`GetInsightResults`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_GetInsightResults.html) operation of the Security Hub CSPM API. If you use the AWS CLI, run the [`get-insight-results`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-insight-results.html) command.

To identify the insight to return results for, you need the insight ARN. To obtain the insight ARNs for custom insights, use the [`GetInsights`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetInsights.html) API operation or the [`get-insights`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-insights.html) command.

The following example retrieves the results for the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub get-insight-results \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

For information about how to create custom actions programmatically, see [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md).

------
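
The API procedure above, as an added Python example (not part of the AWS documentation): it pages through `GetInsights`, selects insights whose name contains a case-insensitive fragment, skips managed insights by their ARN shape, and fetches each remaining insight's grouped results with `GetInsightResults`. `FakeSecurityHub` and its canned data are constructed so the block runs offline; with real credentials you would pass `boto3.client("securityhub")` instead.

```python
import re

# ARN shape of the managed insights listed on this page (no Region, no account).
MANAGED_ARN = re.compile(r"^arn:aws:securityhub:::insight/securityhub/default/\d+$")


def is_managed(insight_arn):
    """True for a managed insight ARN, False for a custom one."""
    return MANAGED_ARN.match(insight_arn) is not None


def list_insights(client):
    """Follow NextToken through GetInsights and return every insight record."""
    insights, token = [], None
    while True:
        page = client.get_insights(**({"NextToken": token} if token else {}))
        insights.extend(page.get("Insights", []))
        token = page.get("NextToken")
        if not token:
            return insights


def results_by_name(client, name_fragment, custom_only=True):
    """Map insight name -> [(group value, count), ...], most findings first."""
    wanted = name_fragment.lower()
    out = {}
    for insight in list_insights(client):
        arn = insight["InsightArn"]
        if wanted not in insight["Name"].lower():
            continue
        if custom_only and is_managed(arn):
            continue
        response = client.get_insight_results(InsightArn=arn)
        values = response["InsightResults"]["ResultValues"]
        ranked = sorted(values, key=lambda v: -v["Count"])
        out[insight["Name"]] = [
            (v["GroupByAttributeValue"], v["Count"]) for v in ranked
        ]
    return out


class FakeSecurityHub:
    """Constructed stand-in for boto3.client("securityhub"); canned data only."""

    CUSTOM = ("arn:aws:securityhub:us-west-1:123456789012:insight/"
              "123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111")
    PAGES = {
        None: {
            "Insights": [{
                "InsightArn": "arn:aws:securityhub:::insight/securityhub/default/1",
                "Name": "1. AWS resources with the most findings",
            }],
            "NextToken": "page-2",
        },
        "page-2": {
            "Insights": [{"InsightArn": CUSTOM, "Name": "Critical role findings"}],
        },
    }

    def get_insights(self, NextToken=None):
        return self.PAGES[NextToken]

    def get_insight_results(self, InsightArn):
        return {"InsightResults": {
            "InsightArn": InsightArn,
            "GroupByAttribute": "ResourceId",
            "ResultValues": [
                {"GroupByAttributeValue": "arn:aws:iam::123456789012:role/example-a",
                 "Count": 2},
                {"GroupByAttributeValue": "arn:aws:iam::123456789012:role/example-b",
                 "Count": 5},
            ],
        }}


if __name__ == "__main__":
    for name, rows in results_by_name(FakeSecurityHub(), "role").items():
        print(name)
        for value, count in rows:
            print(f"  {count:4d}  {value}")
```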

## Viewing and taking action on insight result findings (console)
<a name="securityhub-insight-findings-console"></a>

From an insight results list on the Security Hub CSPM console, you can display the list of findings for each result.

**To display and take action on insight findings (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. To display the list of insight results, choose the insight name.

1. To display the list of findings for an insight result, choose the item from the results list. The findings list shows the active findings for the selected insight result that have a workflow status of `NEW` or `NOTIFIED`.

From the findings list, you can perform the following actions:
+ [Filtering findings in Security Hub CSPM](securityhub-findings-manage.md)
+ [Reviewing finding details and history](securityhub-findings-viewing.md#finding-view-details-console)
+ [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md)
+ [Sending findings to a custom Security Hub CSPM action](findings-custom-action.md)

# Managed insights in Security Hub CSPM
<a name="securityhub-managed-insights"></a>

AWS Security Hub CSPM provides several managed insights.

You can't edit or delete Security Hub CSPM managed insights. You can [view and take action on the insight results and findings](securityhub-insights-view-take-action.md). You can also [use a managed insight as the basis for a new custom insight](securityhub-custom-insight-create-api.md#securityhub-custom-insight-frrom-managed).

As with all insights, a managed insight only returns results if you have enabled product integrations or security standards that can produce matching findings.

For insights that are grouped by resource identifier, the results include the identifiers of all of the resources in the matching findings. This includes resources that have a different type from the resource type in the filter criteria. For example, insight 2 in the following list identifies findings that are associated with Amazon S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, the insight results include both resources.

Security Hub CSPM currently offers the following managed insights:

**1. AWS resources with the most findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/1`  
**Grouped by:** Resource identifier  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**2. S3 buckets with public write or read permissions**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/10`  
**Grouped by:** Resource identifier  
**Finding filters:**  
+ Type starts with `Effects/Data Exposure`
+ Resource type is `AwsS3Bucket`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**3. AMIs that are generating the most findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/3`  
**Grouped by:** EC2 instance image ID  
**Finding filters:**  
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**4. EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/14`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `TTPs`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**5. AWS principals with suspicious access key activity**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/9`  
**Grouped by:** IAM access key principal name  
**Finding filters:**  
+ Resource type is `AwsIamAccessKey`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**6. AWS resources instances that don't meet security standards / best practices**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/6`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type is `Software and Configuration Checks/Industry and Regulatory Standards/AWS Security Best Practices`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**7. AWS resources associated with potential data exfiltration**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/7`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Effects/Data Exfiltration/`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**8. AWS resources associated with unauthorized resource consumption**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/8`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Effects/Resource Consumption`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**9. S3 buckets that don't meet security standards / best practice**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/11`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsS3Bucket`
+ Type is `Software and Configuration Checks/Industry and Regulatory Standards/AWS Security Best Practices`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**10. S3 buckets with sensitive data**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/12`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsS3Bucket`
+ Type starts with `Sensitive Data Identifications/`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**11. Credentials that may have leaked**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/13`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Sensitive Data Identifications/Passwords/`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**12. EC2 instances that have missing security patches for important vulnerabilities**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/16`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Software and Configuration Checks/Vulnerabilities/CVE`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**13. EC2 instances with general unusual behavior**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/17`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Unusual Behaviors`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**14. EC2 instances that have ports accessible from the Internet**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/18`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Software and Configuration Checks/AWS Security Best Practices/Network Reachability`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**15. EC2 instances that don't meet security standards / best practices**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/19`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `Software and Configuration Checks/Industry and Regulatory Standards/`
  + `Software and Configuration Checks/AWS Security Best Practices`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**16. EC2 instances that are open to the Internet**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/21`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Software and Configuration Checks/AWS Security Best Practices/Network Reachability`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**17. EC2 instances associated with adversary reconnaissance**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/22`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `TTPs/Discovery/Recon`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**18. AWS resources that are associated with malware**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/23`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `Effects/Data Exfiltration/Trojan`
  + `TTPs/Initial Access/Trojan`
  + `TTPs/Command and Control/Backdoor`
  + `TTPs/Command and Control/Trojan`
  + `Software and Configuration Checks/Backdoor`
  + `Unusual Behaviors/VM/Backdoor`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**19. AWS resources associated with cryptocurrency issues**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/24`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `Effects/Resource Consumption/Cryptocurrency`
  + `TTPs/Command and Control/CryptoCurrency`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**20. AWS resources with unauthorized access attempts**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/25`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `TTPs/Command and Control/UnauthorizedAccess`
  + `TTPs/Initial Access/UnauthorizedAccess`
  + `Effects/Data Exfiltration/UnauthorizedAccess`
  + `Unusual Behaviors/User/UnauthorizedAccess`
  + `Effects/Resource Consumption/UnauthorizedAccess`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**21. Threat Intel indicators with the most hits in the last week**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/26`  
**Finding filters:**  
+ Created within the last 7 days

**22. Top accounts by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/27`  
**Grouped by:** AWS account ID  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**23. Top products by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/28`  
**Grouped by:** Product name  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**24. Severity by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/29`  
**Grouped by:** Severity label  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**25. Top S3 buckets by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/30`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsS3Bucket`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**26. Top EC2 instances by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/31`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**27. Top AMIs by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/32`  
**Grouped by:** EC2 instance image ID  
**Finding filters:**  
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**28. Top IAM users by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/33`  
**Grouped by:** IAM access key ID  
**Finding filters:**  
+ Resource type is `AwsIamAccessKey`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**29. Top resources by counts of failed CIS checks**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/34`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Generator ID starts with `arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule`
+ Updated in the last day
+ Compliance status is `FAILED`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**30. Top integrations by counts of findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/35`  
**Grouped by:** Product ARN  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**31. Resources with the most failed security checks**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/36`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Updated in the last day
+ Compliance status is `FAILED`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**32. IAM users with suspicious activity**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/37`  
**Grouped by:** IAM user  
**Finding filters:**  
+ Resource type is `AwsIamUser`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**33. Resources with the most AWS Health findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/38`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ `ProductName` equals `Health`

**34. Resources with the most AWS Config findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/39`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ `ProductName` equals `Config`

**35. Applications with the most findings**  
**ARN:** `arn:aws:securityhub:::insight/securityhub/default/40`  
**Grouped by:** ResourceApplicationArn  
**Finding filters:**  
+ `RecordState` equals `ACTIVE`
+ `Workflow.Status` equals `NEW` or `NOTIFIED`

# Understanding custom insights in Security Hub CSPM
<a name="securityhub-custom-insights"></a>

In addition to AWS Security Hub CSPM managed insights, you can create custom insights in Security Hub CSPM to track issues that are specific to your environment. Custom insights help you track a curated subset of issues.

Here are some examples of custom insights that may be useful to set up:
+ If you own an administrator account, you can set up a custom insight to track critical and high severity findings that are affecting member accounts.
+ If you rely on a specific [integrated AWS service](securityhub-internal-providers.md), you can set up a custom insight to track critical and high severity findings from that service.
+ If you rely on a [third party integration](securityhub-partner-providers.md), you can set up a custom insight to track critical and high severity findings from that integrated product.

You can create completely new custom insights, or start from an existing custom or managed insight.

Each insight can be configured with the following options:
+ **Grouping attribute** – The grouping attribute determines which items are displayed in the insight results list. For example, if the grouping attribute is **Product name**, the insight results display the number of findings that are associated with each finding provider.
+ **Optional filters** – The filters narrow down the matching findings for the insight.

  A finding is included in the insight results only if it matches all of the provided filters. For example, if the filters are "Product name is GuardDuty" and "Resource type is `AwsS3Bucket`", matching findings must match both of these criteria.

  However, Security Hub CSPM applies boolean OR logic to filters that use the same attribute but different values. For example, if the filters are "Product name is GuardDuty" and "Product name is Amazon Inspector", a finding matches if it was generated by either Amazon GuardDuty or Amazon Inspector.

If you use the resource identifier or resource type as the grouping attribute, the insight results include all of the resources that are in the matching findings. The list is not limited to resources that match a resource type filter. For example, an insight identifies findings that are associated with S3 buckets, and groups those findings by resource identifier. A matching finding contains both an S3 bucket resource and an IAM access key resource. The insight results include both resources.
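
The filter and grouping rules above, modeled locally as an added example (not AWS code and not how Security Hub CSPM is implemented). The filter document uses the same shape as the `Filters` parameter of `CreateInsight`; the findings are constructed, the default `limit` of 100 mirrors the console's display limit, and counting a finding once per distinct group value is an assumption.

```python
from collections import Counter

# How each filter attribute is read from an ASFF-style finding. Attributes
# that live on resources yield one value per resource in the finding.
READERS = {
    "ProductName": lambda f: [f.get("ProductName", "")],
    "RecordState": lambda f: [f.get("RecordState", "")],
    "SeverityLabel": lambda f: [f.get("Severity", {}).get("Label", "")],
    "WorkflowStatus": lambda f: [f.get("Workflow", {}).get("Status", "")],
    "Type": lambda f: f.get("Types", []),
    "ResourceType": lambda f: [r["Type"] for r in f.get("Resources", [])],
    "ResourceId": lambda f: [r["Id"] for r in f.get("Resources", [])],
}

# Only the two comparisons this page's filter lists use ("is", "starts with").
COMPARISONS = {
    "EQUALS": lambda actual, wanted: actual == wanted,
    "PREFIX": lambda actual, wanted: actual.startswith(wanted),
}


def matches(finding, filters):
    """AND across attributes, OR across the conditions of one attribute."""
    for attribute, conditions in filters.items():
        values = READERS[attribute](finding)
        if not any(
            COMPARISONS[c["Comparison"]](value, c["Value"])
            for c in conditions
            for value in values
        ):
            return False
    return True


def insight_results(findings, filters, group_by, limit=100):
    """Return [(group value, matching findings)], most findings first."""
    counts = Counter()
    for finding in findings:
        if matches(finding, filters):
            # Every resource in a matching finding contributes a group value,
            # even one whose type the ResourceType filter did not ask for.
            counts.update(set(READERS[group_by](finding)))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


def make_finding(product, resources, state="ACTIVE"):
    """Build a constructed, minimal ASFF-style finding for the demo."""
    return {
        "ProductName": product,
        "RecordState": state,
        "Resources": [{"Type": t, "Id": i} for t, i in resources],
    }


# Constructed sample data (not real resources).
BUCKET_A = ("AwsS3Bucket", "arn:aws:s3:::example-bucket-a")
BUCKET_B = ("AwsS3Bucket", "arn:aws:s3:::example-bucket-b")
ACCESS_KEY = ("AwsIamAccessKey", "example-access-key-1")
INSTANCE = ("AwsEc2Instance", "i-EXAMPLE")

SAMPLE_FINDINGS = [
    make_finding("GuardDuty", [BUCKET_A, ACCESS_KEY]),    # matches
    make_finding("Amazon Inspector", [BUCKET_A]),         # matches (OR on product)
    make_finding("GuardDuty", [INSTANCE]),                # no S3 bucket resource
    make_finding("Macie", [BUCKET_B]),                    # product not listed
    make_finding("GuardDuty", [BUCKET_A], "ARCHIVED"),    # record state differs
]

SAMPLE_FILTERS = {
    "ProductName": [
        {"Comparison": "EQUALS", "Value": "GuardDuty"},
        {"Comparison": "EQUALS", "Value": "Amazon Inspector"},
    ],
    "ResourceType": [{"Comparison": "EQUALS", "Value": "AwsS3Bucket"}],
    "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
}

if __name__ == "__main__":
    rows = insight_results(SAMPLE_FINDINGS, SAMPLE_FILTERS, "ResourceId")
    for value, count in rows:
        print(f"{count:3d}  {value}")
```

The access key appears in the results although the filter names only `AwsS3Bucket`, so triage that assumes every result row is a bucket will misread the list.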

If you enable [cross-Region aggregation](finding-aggregation.md) and then create a custom insight, the insight applies to matching findings in the aggregation Region and linked Regions. The exception is if your insight includes a Region filter.

# Creating a custom insight
<a name="securityhub-custom-insight-create-api"></a>

In AWS Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see [Understanding custom insights in Security Hub CSPM](securityhub-custom-insights.md).

Choose your preferred method, and follow the steps to create a custom insight in Security Hub CSPM.

------
#### [ Security Hub CSPM console ]

**To create a custom insight (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Choose **Create insight**.

1. To select the grouping attribute for the insight:

   1. Choose the search box to display the filter options.

   1. Choose **Group by**.

   1. Select the attribute to use to group the findings that are associated with this insight.

   1. Choose **Apply**.

1. Optionally, choose any additional filters to use for this insight. For each filter, define the filter criteria, and then choose **Apply**.

1. Choose **Create insight**.

1. Enter an **Insight name**, and then choose **Create insight**.

------
#### [ Security Hub CSPM API ]

**To create a custom insight (API)**

1. To create a custom insight, use the [`CreateInsight`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_CreateInsight.html) operation of the Security Hub CSPM API. If you use the AWS CLI, run the [`create-insight`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/create-insight.html) command.

1. Populate the `Name` parameter with a name for your custom insight.

1. Populate the `Filters` parameter to specify which findings to include in the insight.

1. Populate the `GroupByAttribute` parameter to specify which attribute is used to group the findings that are included in the insight.

1. Optionally, populate the `SortCriteria` parameter to sort the findings by a specific field.

The following example creates a custom insight that includes critical findings with the `AwsIamRole` resource type. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub create-insight \
    --name "Critical role findings" \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
    --group-by-attribute "ResourceId"
```

------
#### [ PowerShell ]

**To create a custom insight (PowerShell)**

1. Use the `New-SHUBInsight` cmdlet.

1. Populate the `Name` parameter with a name for your custom insight.

1. Populate the `Filter` parameter to specify which findings to include in the insight.

1. Populate the `GroupByAttribute` parameter to specify which attribute is used to group the findings that are included in the insight.

If you've enabled [cross-Region aggregation](finding-aggregation.md) and use this cmdlet from the aggregation Region, the insight applies to matching findings from the aggregation and linked Regions.

**Example**

```
$Filter = @{
    AwsAccountId = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "XXX"
    }
    ComplianceStatus = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = 'FAILED'
    }
}
New-SHUBInsight -Filter $Filter -Name TestInsight -GroupByAttribute ResourceId
```

------

## Creating a custom insight from a managed insight (console only)
<a name="securityhub-custom-insight-frrom-managed"></a>

You can't save changes to or delete a managed insight. However, you can use a managed insight as the basis for a custom insight. This is an option on the Security Hub CSPM console only.

**To create a custom insight from a managed insight (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Choose the managed insight to work from.

1. Edit the insight configuration as needed.
   + To change the attribute used to group findings in the insight:

     1. To remove the existing grouping, choose the **X** next to the **Group by** setting.

     1. Choose the search box.

     1. Select the attribute to use for grouping.

     1. Choose **Apply**.
   + To remove a filter from the insight, choose the circled **X** next to the filter.
   + To add a filter to the insight:

     1. Choose the search box.

     1. Select the attribute and value to use as a filter.

     1. Choose **Apply**.

1. When your updates are complete, choose **Create insight**.

1. When prompted, enter an **Insight name**, and then choose **Create insight**.

# Editing a custom insight
<a name="securityhub-custom-insight-modify-console"></a>

You can edit an existing custom insight to change the grouping value and filters. After you make the changes, you can save the updates to the original insight, or save the updated version as a new insight.

In AWS Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see [Understanding custom insights in Security Hub CSPM](securityhub-custom-insights.md).

To edit a custom insight, choose your preferred method, and follow the instructions.

------
#### [ Security Hub CSPM console ]

**To edit a custom insight (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Choose the custom insight to modify.

1. Edit the insight configuration as needed.
   + To change the attribute used to group findings in the insight:

     1. To remove the existing grouping, choose the **X** next to the **Group by** setting.

     1. Choose the search box.

     1. Select the attribute to use for grouping.

     1. Choose **Apply**.
   + To remove a filter from the insight, choose the circled **X** next to the filter.
   + To add a filter to the insight:

     1. Choose the search box.

     1. Select the attribute and value to use as a filter.

     1. Choose **Apply**.

1. When you complete the updates, choose **Save insight**.

1. When prompted, do one of the following:
   + To update the existing insight to reflect your changes, choose **Update *<Insight_Name>*** and then choose **Save insight**.
   + To create a new insight with the updates, choose **Save new insight**. Enter an **Insight name**, and then choose **Save insight**.

------
#### [ Security Hub CSPM API ]

**To edit a custom insight (API)**

1. Use the [`UpdateInsight`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_UpdateInsight.html) operation of the Security Hub CSPM API. If you use the AWS CLI, run the [`update-insight`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-insight.html) command.

1. To identify the custom insight that you want to update, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the [`GetInsights`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetInsights.html) operation or the [`get-insights`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-insights.html) command.

1. Update the `Name`, `Filters`, and `GroupByAttribute` parameters as needed.

The following example updates the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub update-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
    --name "High severity role findings"
```

------
#### [ PowerShell ]

**To edit a custom insight (PowerShell)**

1. Use the `Update-SHUBInsight` cmdlet.

1. To identify the custom insight, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the `Get-SHUBInsight` cmdlet.

1. Update the `Name`, `Filter`, and `GroupByAttribute` parameters as needed.

**Example**

```
$Filter = @{
    ResourceType = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "AwsIamRole"
    }
    SeverityLabel = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "HIGH"
    }
}

Update-SHUBInsight -InsightArn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" -Filter $Filter -Name "High severity role findings"
```

------

# Deleting a custom insight
<a name="securityhub-custom-insight-delete-console"></a>

In AWS Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see [Understanding custom insights in Security Hub CSPM](securityhub-custom-insights.md).

To delete a custom insight, choose your preferred method, and follow the instructions. You can't delete a managed insight.

------
#### [ Security Hub CSPM console ]

**To delete a custom insight (console)**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Locate the custom insight to delete.

1. For that insight, choose the more options icon (the three dots in the top-right corner of the card).

1. Choose **Delete**.

------
#### [ Security Hub CSPM API ]

**To delete a custom insight (API)**

1. Use the [`DeleteInsight`](https://docs.aws.amazon.com//securityhub/1.0/APIReference/API_DeleteInsight.html) operation of the Security Hub CSPM API. If you use the AWS CLI, run the [`delete-insight`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/delete-insight.html) command.

1. To identify the custom insight to delete, provide the insight's ARN. To get the ARN of a custom insight, use the [`GetInsights`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetInsights.html) operation or the [`get-insights`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-insights.html) command.

The following example deletes the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub delete-insight \
    --insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

------
#### [ PowerShell ]

**To delete a custom insight (PowerShell)**

1. Use the `Remove-SHUBInsight` cmdlet.

1. To identify the custom insight, provide the insight's ARN. To get the ARN of a custom insight, use the `Get-SHUBInsight` cmdlet.

**Example**

```
Remove-SHUBInsight -InsightArn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

------