Event-Driven Harvesting Reports

Details on the Main Event-Driven Harvesting Page in InsightCloudSec to View Events and Reported Results

Event-driven harvesting (EDH) pulls data from either AWS CloudWatch Events and AWS CloudTrail or from Azure's Event Grid into a central event bus for use by InsightCloudSec. This approach to data collection improves the cadence with which InsightCloudSec can provide resource visibility and opportunities for remediation.

EDH enriches the data with life-cycle changes as a way to enable greater auditing capabilities. With EDH-provided data, identifying how a resource entered a noncompliant state becomes much easier at scale.

This page focuses on using the Event-Driven Harvesting main page in InsightCloudSec, located in "Cloud --> Clouds --> Event-Driven Harvesting", to view harvested events and reported results.


EDH Location in InsightCloudSec

EDH Overview

The EDH Overview displays details for the entire organization or, if you select an individual cloud account and then its Event-Driven Harvesting tab, for that account alone. You can also select an individual cloud account from the drop-down on the EDH Overview page.

The main landing tab is the "Overview" subtab. This section of EDH provides high-level overview information with visualizations including: a total of processed events, a suspicious event count, top events by type, and top event producing clouds.


EDH Overview Page

Event Count

This section of the EDH page provides the total number of events that were processed (for the last 5 days), broken down by source (e.g., the Console or the API). Hovering over a specific point on the Event Count graph provides a total for that individual day.

  • Clicking on an individual point will open a filtered set of results on the "Events" tab of EDH to provide details about the events for that day.

EDH Overview - Event Count

Suspicious Event Count

This section of the EDH page provides a graph summarizing the number of suspicious events for the last 5 days broken out by daily totals. Hovering over an individual day on the graph provides a total for that individual day. Clicking on an individual point will open a filtered set of results on the "Events" tab of EDH to provide details about the suspicious events identified on that date.

In general, suspicious events are defined as:

  • Changes marking a resource as publicly accessible/exposed to the world
  • Changes making a resource unencrypted at rest
  • Changes removing transit encryption for a resource
  • Changes removing cloud protective measures (S3 block public settings, password policy, etc.)
  • Changes adding overly permissive policies to a resource

EDH Overview - Suspicious Events
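
To make the suspicious-event categories above concrete, the following added example (not InsightCloudSec's own detection logic or code from this documentation) classifies AWS CloudTrail-style records into four of the five categories and totals them per day, as the graph does. The rule set, category labels, and sample records are assumptions constructed for illustration; the transit-encryption category and Azure events are not covered.

```python
from collections import Counter, defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
PROTECTION_REMOVED = {"DeleteBucketPublicAccessBlock", "DeleteAccountPublicAccessBlock",
                      "DeleteAccountPasswordPolicy"}  # assumed rule set, not the product's

def _ingress_cidrs(params):
    """Yield every IPv4/IPv6 CIDR in an AuthorizeSecurityGroupIngress request."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in (perm.get(key) or {}).get("items", []):
                yield rng.get(field)

def classify(event):
    """Return the suspicious-event category for one record, or None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}  # read-only calls often carry null
    if name == "AuthorizeSecurityGroupIngress" and {"0.0.0.0/0", "::/0"} & set(_ingress_cidrs(params)):
        return "public_exposure"
    if name == "DeleteBucketEncryption":
        return "unencrypted_at_rest"
    if name in PROTECTION_REMOVED:
        return "protective_measure_removed"
    if name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY:
        return "overly_permissive_policy"
    return None

def daily_counts(events):
    """Total suspicious events per UTC day and category, like the daily graph."""
    totals = defaultdict(Counter)
    for ev in events:
        category = classify(ev)
        if category:
            totals[ev["eventTime"][:10]][category] += 1
    return {day: dict(counts) for day, counts in totals.items()}

def _sg(time, cidr):  # builds a constructed security-group ingress record
    return {"eventTime": time, "eventName": "AuthorizeSecurityGroupIngress", "requestParameters":
            {"ipPermissions": {"items": [{"ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}

SAMPLE_EVENTS = [  # constructed, abbreviated CloudTrail-style records
    {"eventTime": "2024-05-01T09:14:02Z", "eventName": "DeleteBucketPublicAccessBlock",
     "requestParameters": {"bucketName": "example-bucket"}},
    _sg("2024-05-01T10:30:40Z", "0.0.0.0/0"),
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DescribeInstances", "requestParameters": None},
    _sg("2024-05-02T08:05:00Z", "10.0.0.0/8"),
    {"eventTime": "2024-05-02T08:10:00Z", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "example-user", "policyArn": ADMIN_POLICY}},
]
```

Calling daily_counts(SAMPLE_EVENTS) yields two suspicious events on 2024-05-01 and one on 2024-05-02; the read-only call and the private-range ingress rule are not counted.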

Top Events By Type

This section of the EDH page provides a graph displaying the top events by type, including counts for each displayed event. Hovering over an individual event provides the total count and clicking on an individual event opens a filtered set of results on the "Events" tab of EDH.

Top Event Producing Clouds

This section of the EDH page provides a graph displaying the top event producing clouds.

Note: This view is only available if an individual cloud account has not been selected.

Consumers

The "Consumers" tab provides a list of Consumers associated with the selected cloud account and access to "Add Consumers". Refer to configuration instructions for your preferred cloud provider for additional details.


EDH Consumers Tab

Producers

The "Producers" tab provides a list of Producers associated with the selected cloud account and access to "Add Producers". Refer to configuration instructions for your preferred cloud provider for additional details.


EDH Producers Tab

EDH Events

The "Events" tab for EDH displays details of the CloudWatch (AWS) or EventGrid (Azure) events that occur. These details show the account, cloud, resource (Provider ID) upon which the action was taken, the date and time the action was taken, the user taking the action, and the specific action taken. As with many InsightCloudSec features displaying cloud information, you can scope your clouds by account and/or badge.

  • These details allow you to readily view actions taken and users responsible for taking them.

  • This live event feed updates in real time; as new CloudWatch (AWS) or EventGrid (Azure) events occur, they are added immediately to the list.


EDH Events

