Event-driven harvesting (EDH) pulls data from either AWS CloudWatch Events and AWS CloudTrail or from Azure's Event Grid into a central event bus for use by InsightCloudSec. This approach to data collection improves the cadence with which InsightCloudSec can provide resource visibility and opportunities for remediation.
EDH enriches the data with life-cycle changes as a way to enable greater auditing capabilities. With EDH-provided data, identifying how a resource entered a noncompliant state becomes much easier at scale.
This page covers the Event-Driven Harvesting main page in InsightCloudSec, located in "Cloud --> Clouds --> Event-Driven Harvesting", where harvested events and reported results are displayed.
- For high-level information, check out our Harvesting Overview
- For additional details specific to AWS EDH, check out AWS Event-Driven Harvesting
- For additional details specific to Azure EDH, check out Azure Event-Driven Harvesting
The EDH Overview displays details for the entire organization by default. To scope it to a single cloud account, either open that account and select its Event-Driven Harvesting tab, or choose the account from the drop-down on the EDH Overview page.
The main landing tab is the "Overview" subtab. It provides high-level information with visualizations of the total number of processed events, the suspicious event count, the top events by type, and the top event-producing clouds.
The Event Count section of the EDH page shows the total number of events processed over the last 5 days, broken down by source (e.g., the Console or the API). Hovering over a point on the Event Count graph shows the total for that day.
- Clicking on an individual point opens a filtered set of results on the "Events" tab of EDH with details about the events for that day.
The Suspicious Events section of the EDH page shows a graph of the number of suspicious events over the last 5 days, broken out by daily totals. Hovering over a day on the graph shows the total for that day; clicking on a point opens a filtered set of results on the "Events" tab of EDH with details about the suspicious events identified on that date.
In general, suspicious events are defined as:
- Changes marking a resource as publicly accessible/exposed to the world
- Changes making a resource unencrypted at rest
- Changes removing transit encryption for a resource
- Changes removing cloud protective measures (S3 block public settings, password policy, etc.)
- Changes adding overly permissive policies to a resource
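The following Python is an added example, not InsightCloudSec's code or its actual detection logic: it tags CloudTrail-style records with four of the five categories above (transit-encryption changes are resource-specific and left out), and the rule heuristics, category names and sample records are all constructed for this illustration.

```python
# Flag CloudTrail-style records in the suspicious-change categories above; the heuristics are
# an illustrative approximation (an assumption here), not InsightCloudSec's own rules.
import json

def _as_list(x):  # policy grammar allows a single Statement or Grant as a bare object
    return x if isinstance(x, list) else [x] if x else []

def grants_public_acl(p):  # PutBucketAcl with a grant to the AllUsers group
    grants = p.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    return any(g.get("Grantee", {}).get("URI", "").endswith("/groups/global/AllUsers")
               for g in _as_list(grants))

def wildcard_principal(p):  # bucketPolicy is a JSON string in CloudTrail; accept a dict too
    raw = p.get("bucketPolicy") or "{}"
    try:
        doc = json.loads(raw) if isinstance(raw, str) else raw
        stmts = _as_list(doc.get("Statement", []))
    except (ValueError, AttributeError):
        return False
    return any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
               for s in stmts)

def weakens_public_access_block(p):  # any of the four S3 block-public settings turned off
    cfg = p.get("PublicAccessBlockConfiguration", {})
    return any(cfg.get(k) is False for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))

# eventName -> (category, predicate over requestParameters)
RULES = {
    "PutBucketAcl": ("public_exposure", grants_public_acl),
    "DeleteBucketEncryption": ("unencrypted_at_rest", lambda p: True),
    "PutBucketPublicAccessBlock": ("protective_measure_removed", weakens_public_access_block),
    "DeleteAccountPasswordPolicy": ("protective_measure_removed", lambda p: True),
    "PutBucketPolicy": ("overly_permissive_policy", wildcard_principal),
}

def classify(event):
    """Return the suspicious category for one record, or None when it is benign."""
    rule = RULES.get(event.get("eventName"))
    return rule[0] if rule and rule[1](event.get("requestParameters") or {}) else None

# Constructed sample records (not real account data) in CloudTrail's shape.
SAMPLES = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketPublicAccessBlock",
     "requestParameters": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketPolicy": json.dumps({"Statement": [{"Effect": "Allow",
         "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::b/*"}]})}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "GetBucketAcl", "requestParameters": {}},
]
```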
The Top Events by Type section of the EDH page shows a graph of the top events by type, with a count for each displayed event. Hovering over an event shows its total count; clicking on an event opens a filtered set of results on the "Events" tab of EDH.
The Top Event Producing Clouds section of the EDH page shows a graph of the clouds producing the most events. Note: This view is only available when no individual cloud account has been selected.
The "Consumers" tab provides a list of Consumers associated with the selected cloud account and access to "Add Consumers". Refer to configuration instructions for your preferred cloud provider for additional details.
The "Producers" tab provides a list of Producers associated with the selected cloud account and access to "Add Producers". Refer to configuration instructions for your preferred cloud provider for additional details.
The "Events" tab for EDH displays details of the CloudWatch (AWS) or EventGrid (Azure) events that occur. These details show the account, cloud, resource (Provider ID) upon which the action was taken, the date and time the action was taken, the user taking the action, and the specific action taken. As with many InsightCloudSec features displaying cloud information, you can scope your clouds by account and/or badge.
These details allow you to readily view actions taken and users responsible for taking them.
This live event feed updates in real time; as new CloudWatch (AWS) or EventGrid (Azure) events occur, they are added immediately to the list.