23.3.7 Release Notes
Important Changes to Review
Changes to Paths for Hosted Customers
As of Release 23.3.7, accessing static data via /divvy/ will no longer work. You will need to use /static/ instead, which should function identically. The most common examples of usage of these paths are in the Logo URL of custom packs that reference cloud provider images and in some Plugins. [ENG-20367]
Updates to Endpoint Handling
InsightCloudSec’s 23.2.28 release included updates to our internal webserver library, Flask. As a result, some of our endpoint handling has changed in the following ways:
- Any requests submitting JSON to an endpoint must explicitly include the Content-Type: application/json header (e.g. for POST requests).
- Any requests POSTing empty bodies may fail with a 500 error, as empty bodies for endpoints that expect one aren’t valid JSON.
- Plugins that declare custom endpoints will also be affected by the above changes.
For more information about the above changes, refer to the details linked here. [ENG-23896]
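As an added example (not InsightCloudSec or Rapid7 code), the following Python helper applies both changes above when calling the API from a script or plugin: it rewrites a retired /divvy/ static URL to /static/, builds a JSON request with the required Content-Type header, and audits an existing request for the two conditions the notes describe. The host name and endpoint path in the comments are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Optional

JSON_CT = "application/json"


def rewrite_legacy_static_url(url: str) -> str:
    """Replace the retired /divvy/ static prefix with /static/.

    Release 23.3.7 stops serving static data under /divvy/; /static/ serves
    the same files, so only the first occurrence of the prefix is rewritten.
    """
    return url.replace("/divvy/", "/static/", 1)


def build_json_request(method: str, url: str, payload: Optional[Any]) -> Dict[str, Any]:
    """Build a request the upgraded Flask server will accept.

    Content-Type: application/json is set whenever a body is sent, and None is
    never serialised into an empty body: callers must pass an explicit payload
    (for example {}) for endpoints that expect one.
    """
    req: Dict[str, Any] = {"method": method.upper(), "url": url, "headers": {}, "body": b""}
    if payload is not None:
        req["headers"]["Content-Type"] = JSON_CT
        req["body"] = json.dumps(payload).encode("utf-8")
    return req


def audit_request(req: Dict[str, Any]) -> List[str]:
    """Pre-flight check of a request (e.g. one issued by a plugin) against the 23.3.7 rules."""
    problems: List[str] = []
    if "/divvy/" in req["url"]:
        problems.append("legacy /divvy/ static path; use /static/")
    headers = {k.lower(): v for k, v in req["headers"].items()}
    body = req.get("body") or b""
    if body:
        if not headers.get("content-type", "").lower().startswith(JSON_CT):
            problems.append("JSON body sent without Content-Type: application/json")
        try:
            json.loads(body)  # the server parses the body as JSON, so it must be valid
        except ValueError:
            problems.append("body is not valid JSON")
    elif req["method"].upper() == "POST":
        problems.append("empty POST body; endpoints that expect JSON may answer 500")
    return problems


if __name__ == "__main__":
    # Constructed host and endpoint path, not real InsightCloudSec values.
    req = build_json_request("post", "https://ics.example.invalid/api/example", {"limit": 10})
    print(audit_request(req))  # []
```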
InsightCloudSec Software Release Notice - 23.3.7 Release
Release Highlights (23.3.7)
InsightCloudSec is pleased to announce Release 23.3.7. This release includes Vulnerability Findings incorporated into Layered Context, the display of the Auto-Badge choice for AWS and Azure Cloud Organization forms, and updated BotFactory actions for Azure Storage Accounts to allow customers to schedule the action in the future.
In addition, 23.3.7 includes one new Insight, three new Query Filters, two updated Bot actions, and 20 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.3.7)
Release availability for self-hosted customers is Thursday, February x, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Features & Enhancements (23.3.7)
- Layered Context now incorporates Vulnerability Findings into the data that is displayed and analyzed. Vulnerabilities are listed in summary in a new column and have also been applied to the Risky Resources score, so that the score reflects resources that are publicly accessible and include either 1 critical Insight finding or 1 critical vulnerability finding. [ENG-22060]
- These updates also include modifying the CSV export to include Vulnerability data. [ENG-24292]
- We now expose the Auto-Badge choice for AWS and Azure Cloud Organization forms, allowing users to disable the automatic conversion of AWS Account tags and Azure Subscription tags into ICS badges. This change makes the configuration option the same across AWS, Azure, and GCP. [ENG-9744]
- We have added a cloud's Organization ID to the cloud’s resource details to make it easier to see a cloud's organizational membership without needing to leave the Resources section. [ENG-23724]
- Updated the styling of the resource property panel to be consistent across Layered Context, Threat Findings, Host Vulnerability Assessment, Resources and the Compliance Scorecard. The property panel was also updated to include actions, policy attachment, tags and event history. [ENG-24193, ENG-23518]
Resources (23.3.7)
Resource Updates - DynamoDb Tables
We’ve made an update that resolves an issue with malformed resource IDs on Global DynamoDb tables. As a result, a small subset of resources will be removed and you will need to rerun the DistributedTableHarvester to return these to a healthy state. [ENG-24357]
AZURE
- Several updates for Microsoft Defender for Cloud Apps Integration: [ENG-18834]
  - Checks the Account Integration Setting surrounding Microsoft Defender for Cloud, 'Allow Microsoft Defender for Cloud Apps to access my data'; if the setting is disabled, the Query Filter returns the whole cloud account.
  - The setting can be found at: Azure Portal > Microsoft Defender for Cloud > Environment Settings > Select desired subscription > Integrations > Allow Microsoft Defender for Cloud Apps to access my data.
  - Added a new Insight, Microsoft Defender Cloud Apps Integration Disabled, which supports Azure Arm, China, and Gov.
Insights (23.3.7)
AZURE
- New Insight - Microsoft Defender Cloud Apps Integration Disabled; identifies Azure Subscriptions which have Microsoft Defender for Cloud enabled, but have Defender access to Cloud App Data disabled; the new Insight supports Azure Arm, China and Gov. [ENG-18834]
Query Filters (23.3.7)
AWS
- New Query Filter - Elasticsearch Instance OpenSearch Version; finds Elasticsearch instances running an OpenSearch version matching, older than, or newer than the provided input. [ENG-23723]
- New Query Filters for AWS Autoscaling Groups [ENG-24166]:
  - Autoscaling Group Maximum Instance Lifetime - Identifies autoscaling groups by their maximum instance lifetime values.
  - Autoscaling Group Without Maximum Instance Lifetime - Identifies autoscaling groups without a maximum instance lifetime configured.
Bot Actions (23.3.7)
AZURE
- “Delete Resource” - Updated this action to support Azure CosmosDB, which is a Distributed Table resource. [ENG-24167]
MULTI-CLOUD/GENERAL
- "InsightIDR Event" - Updated this Bot action with the ‘Skip Previously Identified Resources’ checkbox. [ENG-24248]
- We have updated BotFactory actions for Azure Storage Accounts to allow customers to schedule the action in the future. This feature can be useful when the action is not needed immediately or there is a need to delay the BotFactory action to allow time for other actions, e.g., to allow time for corrective action by a resource owner. [ENG-24119]
Bug Fixes (23.3.7)
- Fixed an issue where exclusion badges used in Bots were not honored during an approximately 15 minute window after the addition of a new cloud account when that new cloud account was in Bot scope. [ENG-24414]
- Fixed an issue with malformed resource IDs on Global DynamoDb tables; users will need to rerun the DistributedTableHarvester to get their DynamoDb tables back into a healthy state. [ENG-24357]
- Fixed an issue that did not include volume detachment actions in the ResourceHistory table. [ENG-24354]
- Fixed an issue preventing tags from being included in the resources CSV download. [ENG-24305]
- Fixed a bug that prevented Alibaba Cloud security group rules from displaying when a deny rule was present in the response. [ENG-24217]
- Fixed a bug that would broaden the supported cloud types when switching between compliance packs in the Insights view. [ENG-24209]
- Fixed a bug in Terraform plan parsing to include default values of child modules. [ENG-24158]
- Fixed a bug in AWS RDS PostgreSQL instances where they did not properly reflect transit encryption enforcement for PostgreSQL instances that are part of a parent cluster. [ENG-24154]
- Fixed an EDH bug that would raise a resource modification event twice when the root account performs a ConsoleLogin action. [ENG-24125]
- Resolved an issue with Event Grid subscriptions not showing the resource group. The field has now been changed to Destination Resource Group to accurately represent the value. [ENG-24123]
- Fixed a bug where the Public IP State was not showing in CSV; added the state column to Public IP resource downloads, showing whether the Public IP is available or in-use depending upon its attachment status. [ENG-24114]
- We have removed a copy/paste error from the Insight Cloud Role Trusting Unknown/Third Party Account. [ENG-24109]
- Fixed a bug where the Insight author would not display for users who have been deleted. [ENG-24097]
- Updated our harvesting for Alibaba RAM Users, Roles, Groups, and Policies by adding pagination support. [ENG-23999]
- Fixed a bug in the Query Filter Logic Apps Using Unapproved Connectors that would fail if a Logic App without any connectors existed in the installation. [ENG-23994]
- Fixed a table sorting bug in the resource panel. [ENG-23483]
- Fixed a bug in which Principal Activity and Principal Explorer options were not available for Gov Clouds. [ENG-23334]
- Reduced rate limiting issues seen with AWS SageMaker calls by removing unnecessary calls when a notebook instance hasn't been modified. [ENG-22941]
- Fixed a bug where badges weren't harvested for GCP projects within an organization if no tag key/value pairs were set at the organization level. [ENG-22846]
- Fixed a bug where restoring a previous Bot version would not update the scanning schedule. [ENG-20858]
Reference: Required Policies & Permissions
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
- Managed Read Only Supplement Policy
- Customer-Managed Read Only Policy
- Commercial Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China Read Only Supplement
Azure
- Commercial
- GovCloud
GCP
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.