EDH Event Summaries and Reports
Details on the Main Event-Driven Harvesting Page in InsightCloudSec to View Events and Reported Results
Event-driven harvesting (EDH) pulls data from AWS CloudWatch Events and AWS CloudTrail, from Azure's Event Grid, or from GCP's Cloud Asset Inventory into a central event bus for use by InsightCloudSec. This approach to data collection improves the cadence with which InsightCloudSec can provide resource visibility and opportunities for remediation.
EDH enriches the data with life-cycle changes as a way to enable greater auditing capabilities. With EDH-provided data, identifying how a resource entered a noncompliant state becomes much easier at scale.
- For high-level information about harvesting in general, check out the Harvesting & Event-Driven Harvesting Overview (doc:harvesting-overview)
- For additional details specific to AWS EDH, check out AWS Event-Driven Harvesting
- For additional details specific to Azure EDH, check out Azure Event-Driven Harvesting
- For additional details specific to GCP EDH, check out GCP Event-Driven Harvesting
The "EDH Consumers" tab provides a list of Consumers associated with the selected cloud account and access to add consumers via the "EDH Configuration" button. Refer to configuration instructions for your preferred cloud provider for additional details.
The "EDH Producers" tab provides a list of EDH Producers, the AWS accounts they are associated with, and their AWS EventBridge rules.
- Refer to the documentation AWS Event-Driven Harvesting for specific details.
Selecting "Add Producer" provides access to the "Create Auto-Provisioning Producer" form (shown below).
EDH Events Summary
EDH Events Summary displays details for the entire organization or a selected individual cloud account.
The main landing tab is the "Overview" subtab. This section of EDH provides high-level overview information with visualizations including: a total of processed events, a suspicious event count, top events by type, and top event producing clouds.
The Event Count section of the page provides the total number of events that were processed (for the last 5 days) with a breakdown by source (e.g., the Console or the API). Hovering over a specific point on the Event Count graph provides a total for that individual day.
- Clicking on an individual point will open a filtered set of results on the "Events" tab of EDH to provide details about the events for that day.
Suspicious Event Count
This section provides a graph summarizing the number of suspicious events for the last 5 days broken out by daily totals. Hovering over an individual day on the graph provides a total for that individual day. Clicking on an individual point will open a filtered set of results on the "Events" tab of EDH to provide details about the suspicious events identified on that date.
In general, suspicious events are defined as:
- Changes marking a resource as publicly accessible/exposed to the world
- Changes making a resource unencrypted at rest
- Changes removing transit encryption for a resource
- Changes removing cloud protective measures (S3 block public settings, password policy, etc.)
- Changes adding overly permissive policies to a resource
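As an added illustration, and not InsightCloudSec's own detection logic, the Python below applies four of these suspicious-event categories to constructed CloudTrail-style records and totals the matches per day, the way the Suspicious Event Count graph does. The event names are real AWS API names; the record field shapes and the sample data are simplified assumptions.

```python
from collections import Counter

# Constructed CloudTrail-style records (simplified field shapes, not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "example-bucket", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "DeleteBucketEncryption",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-05-02T09:15:00Z", "eventName": "DeletePublicAccessBlock",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-05-02T09:20:00Z", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-bucket", "bucketPolicy": {
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}}},
    {"eventTime": "2024-05-02T12:00:00Z", "eventName": "PutBucketTagging",
     "requestParameters": {"bucketName": "example-bucket"}},
]


def _principal_is_anyone(principal):
    """True for the wildcard principal forms an S3 bucket policy can carry."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify(event):
    """Map one record to a suspicious-event category from the list above, or None."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if name == "PutBucketAcl" and any(
            acl.startswith("public-") for acl in params.get("x-amz-acl", [])):
        return "public_exposure"            # resource made publicly accessible
    if name == "DeleteBucketEncryption":
        return "encryption_at_rest_removed"  # resource now unencrypted at rest
    if name == "DeletePublicAccessBlock":
        return "protective_measure_removed"  # S3 block-public settings dropped
    if name == "PutBucketPolicy":
        statements = (params.get("bucketPolicy") or {}).get("Statement", [])
        if any(s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
               for s in statements):
            return "overly_permissive_policy"
    # Loss of transit encryption (e.g. a dropped aws:SecureTransport Deny) needs the
    # previous policy for comparison, which is what EDH's life-cycle data supplies.
    return None


def daily_suspicious_counts(events):
    """Daily totals of suspicious events, keyed by the date part of eventTime."""
    return dict(Counter(e["eventTime"][:10] for e in events if classify(e)))
```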
Top Events By Type
This section provides a graph displaying the top events by type, including counts for each displayed event. Hovering over an individual event provides the total count and clicking on an individual event opens a filtered set of results on the "Events" tab of EDH.
Top Event Producing Clouds
This section provides a graph displaying the top event producing clouds. Note: This view is only available if an individual cloud account has not been selected.
The "EDH Events" tab displays details of the CloudWatch (AWS), Event Grid (Azure), and Cloud Asset Inventory (GCP) events that occur. These details show the account, cloud, resource (Provider ID) upon which the action was taken, the date and time the action was taken, the user taking the action, and the specific action taken. As with many InsightCloudSec features displaying cloud information, you can scope your clouds by account and/or badge.
These details allow you to readily view actions taken and users responsible for taking them.
This live event feed updates in real time; as new events occur, they are added immediately to the list.