Editing a custom insight - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Editing a custom insight

You can edit an existing custom insight to change the grouping value and filters. After you make the changes, you can save the updates to the original insight, or save the updated version as a new insight.

In Amazon Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see Understanding custom insights in Security Hub CSPM.

To edit a custom insight, choose your preferred method, and follow the instructions.

Security Hub CSPM console
To edit a custom insight (console)

  1. Open the Amazon Security Hub CSPM console at https://console.amazonaws.cn/securityhub/.

  2. In the navigation pane, choose Insights.

  3. Choose the custom insight to modify.

  4. Edit the insight configuration as needed.

    • To change the attribute used to group findings in the insight:

      1. To remove the existing grouping, choose the X next to the Group by setting.

      2. Choose the search box.

      3. Select the attribute to use for grouping.

      4. Choose Apply.

    • To remove a filter from the insight, choose the circled X next to the filter.

    • To add a filter to the insight:

      1. Choose the search box.

      2. Select the attribute and value to use as a filter.

      3. Choose Apply.

  5. When you complete the updates, choose Save insight.

  6. When prompted, do one of the following:

    • To update the existing insight to reflect your changes, choose Update <Insight_Name> and then choose Save insight.

    • To create a new insight with the updates, choose Save new insight. Enter an Insight name, and then choose Save insight.

Security Hub CSPM API
To edit a custom insight (API)

  1. Use the UpdateInsight operation of the Security Hub CSPM API. If you use the Amazon CLI run the update-insight command.

  2. To identify the custom insight that you want to update, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the GetInsights operation or the get-insights command.

  3. Update the Name, Filters, and GroupByAttribute parameters as needed.

The following example updates the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub update-insight --insight-arn "arn:aws-cn:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' --name "High severity role findings"
PowerShell
To edit a custom insight (PowerShell)

  1. Use the Update-SHUBInsight cmdlet.

  2. To identify the custom insight, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the Get-SHUBInsight cmdlet.

  3. Update the Name, Filter, and GroupByAttribute parameters as needed.

Example

$Filter = @{
    ResourceType = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "AwsIamRole"
    }
    SeverityLabel = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "HIGH"
    }
}

Update-SHUBInsight -InsightArn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" -Filter $Filter -Name "High severity role findings"