EDH Event Summaries and Reports

Details on the Main Event-Driven Harvesting Page in InsightCloudSec to View Events and Reported Results

Event-driven harvesting (EDH) pulls data from AWS CloudWatch Events and AWS CloudTrail, from Azure's Event Grid, or from GCP's Cloud Asset Inventory into a central event bus for use by InsightCloudSec. This approach to data collection improves the cadence with which InsightCloudSec can provide resource visibility and opportunities for remediation.

EDH enriches the data with life-cycle changes as a way to enable greater auditing capabilities. With EDH-provided data, identifying how a resource entered a noncompliant state becomes much easier at scale.

EDH Consumers

The "EDH Consumers" tab provides a list of Consumers associated with the selected cloud account and access to add consumers via the "EDH Configuration" button. Refer to configuration instructions for your preferred cloud provider for additional details.


Clouds Page - Consumers Tab

EDH Producers

The "EDH Producers" tab provides a list of EDH Producers with their associated AWS Accounts and AWS EventBridge Rules.


EDH Producers Tab

Selecting "Add Producer" provides access to the "Create Auto-Provisioning Producer" form (shown below).


Create Auto-Provisioning Producer Form

EDH Events Summary

EDH Events Summary displays details for the entire organization or a selected individual cloud account.

The main landing tab is the "Overview" subtab. This section of EDH provides high-level overview information with visualizations including: a total of processed events, a suspicious event count, top events by type, and top event producing clouds.


Event Summary Overview

Event Count

This section of the page provides the total number of events processed over the last 5 days, broken down by source (e.g., the Console or the API). Hovering over a specific point on the Event Count graph provides a total for that individual day.

  • Clicking on an individual point will open a filtered set of results on the "Events" tab of EDH to provide details about the events for that day.

EDH Overview - Event Count

Suspicious Event Count

This section provides a graph summarizing the number of suspicious events for the last 5 days broken out by daily totals. Hovering over an individual day on the graph provides a total for that individual day. Clicking on an individual point will open a filtered set of results on the "Events" tab of EDH to provide details about the suspicious events identified on that date.

In general, suspicious events are defined as:

  • Changes marking a resource as publicly accessible/exposed to the world
  • Changes making a resource unencrypted at rest
  • Changes removing transit encryption for a resource
  • Changes removing cloud protective measures (S3 block public settings, password policy, etc.)
  • Changes adding overly permissive policies to a resource

EDH Overview - Suspicious Events
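
To make the suspicious-event categories listed above concrete, here is an added example (not InsightCloudSec's own detection logic) that classifies CloudTrail-style records and produces the per-day totals the graph summarizes. The mapping from AWS event names to categories, the simplified record shape, and the sample records are assumptions; the transit-encryption category is not covered.

```python
from collections import Counter

# Labels follow the page's suspicious-change list; the event-name mapping is an assumption.
PUBLIC, UNENCRYPTED = "publicly accessible", "unencrypted at rest"
PROTECTION, PERMISSIVE = "protective measure removed", "overly permissive policy"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def classify(event):
    """Return the suspicious category for one CloudTrail-style record, or None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "AuthorizeSecurityGroupIngress":
        perms = params.get("ipPermissions", {}).get("items", [])
        cidrs = {r.get("cidrIp") for p in perms
                 for r in p.get("ipRanges", {}).get("items", [])}
        return PUBLIC if "0.0.0.0/0" in cidrs else None
    if name == "PutBucketPolicy":
        stmts = params.get("bucketPolicy", {}).get("Statement", [])
        for s in stmts if isinstance(stmts, list) else [stmts]:
            wildcard = s.get("Principal") in ("*", {"AWS": "*"})
            if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
                return PERMISSIVE
        return None
    if name == "PutBucketPublicAccessBlock":
        # Rewriting the block with any flag off weakens the protection.
        cfg = params.get("PublicAccessBlockConfiguration", {})
        return None if all(cfg.get(f) is True for f in PAB_FLAGS) else PROTECTION
    if name in ("DeleteBucketPublicAccessBlock", "DeleteAccountPasswordPolicy"):
        return PROTECTION
    return UNENCRYPTED if name == "DeleteBucketEncryption" else None

def daily_suspicious(events):
    """Per-day totals of suspicious events, keyed by the UTC date in eventTime."""
    return dict(Counter(e["eventTime"][:10] for e in events if classify(e)))

def ev(time, name, params=None):  # helper for the constructed records below
    return {"eventTime": time, "eventName": name, "requestParameters": params}

def sg_params(cidr):  # constructed, simplified ingress request parameters
    return {"ipPermissions": {"items": [{"ipRanges": {"items": [{"cidrIp": cidr}]}}]}}

# Constructed sample records (not real account data).
SAMPLE = [
    ev("2024-05-01T10:00:00Z", "AuthorizeSecurityGroupIngress", sg_params("0.0.0.0/0")),
    ev("2024-05-01T11:00:00Z", "AuthorizeSecurityGroupIngress", sg_params("10.0.0.0/8")),
    ev("2024-05-02T09:00:00Z", "PutBucketPublicAccessBlock",
       {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False}}),
    ev("2024-05-02T09:30:00Z", "PutBucketPolicy", {"bucketPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}}),
    ev("2024-05-02T12:00:00Z", "DeleteBucketEncryption"),
    ev("2024-05-03T08:00:00Z", "DescribeInstances"),
]
```
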

Top Events By Type

This section provides a graph displaying the top events by type, including counts for each displayed event. Hovering over an individual event provides the total count and clicking on an individual event opens a filtered set of results on the "Events" tab of EDH.

Top Event Producing Clouds

This section provides a graph displaying the top event producing clouds. Note: This view is only available if an individual cloud account has not been selected.

EDH Events

The "EDH Events" tab displays details of the CloudWatch (AWS), Event Grid (Azure), and Cloud Asset Inventory (GCP) events that occur. These details show the account, the cloud, the resource (Provider ID) upon which the action was taken, the date and time the action was taken, the user taking the action, and the specific action taken. As with many InsightCloudSec features displaying cloud information, you can scope your clouds by account and/or badge.

  • These details allow you to readily view actions taken and users responsible for taking them.

  • This live event feed updates in real time; as new events occur, they are added immediately to the list.


EDH Events