Query Filters
An Overview of How InsightCloudSec Enables Visibility Into Your Cloud Infrastructure
The Query Filters section of InsightCloudSec is where you find the tools to surface problems of interest among your resources. Query Filters specify the conditions InsightCloudSec searches for in identifying matching resources. Reports or actions can then be made on matched resources.
The full list of Query Filters can be accessed via "Security --> Query Filters" from the main navigation, or explored through the Query Filters option within Resources.
Query Filters Landing Page
Exploring Query Filters
Query Filters specify conditions InsightCloudSec searches for in identifying matching resources. They are used in Insights and Bots. Insights combine Query Filters, scope, and reporting. Bots take action based on the output of Query Filters, scope, and Insights.
InsightCloudSec Feature Overview
Narrow Your Focus of Query Filters
InsightCloudSec is continually updating its filtering toolset in response to cloud providers' newly released capabilities as well as customer requests. The current list of Query Filters can be somewhat overwhelming and we recommend that you become familiar with them by:
-
Examining the Query Filters that are relevant to your cloud environments.
-
Focusing on your higher priority resources.
You can also combine the Cloud Provider and Resource Type scopes to narrow your Query Filter search even further.
In the example below we've selected Google Cloud Platform as the CSP and selected the "Container Image" resource, to narrow the scope of possible Query Filters.
Query Filter View - Narrowed Scope
Learn About Each Query Filter
Once you have identified Query Filters of interest, you can learn details, such as description, supported clouds, supported resources, and configuration requirements. You can also view the underlying code to understand how a given Query Filter works.
Working With Query Filters
Once you have an understanding of what is available, you can take actions, including reporting, using Query Filters. Actions are used with:
1. Insights - combining Query Filters + scope + reporting.
2. Bots - combining Query Filters + scope + action.
In both cases, you will likely combine Query Filters and specify configurations to identify only the resources you want to explore
For example, you might combine these Query Filters:
- Resource Is Not Encrypted
- Resource Is Exposed To Public
- Resource Contains Tag Key and Value Regular Expression
In addition to matching Query Filters (or combinations of Query Filters), you can also search for resources that fail to match Query Filters. For example, you might specify that a key/value is not equal to environment: public-facing; this would surface S3 buckets with potential unintended data exposure.
Searching for Query Filters
You can narrow your view of using the search bar to find a specific Query Filter with keywords or terms (e.g., Access List), by scoping by supporting clouds or resource type, or by looking through specific versions of InsightCloudSec. Custom Query Filters are also included in the full listing and can be access by toggling the "Owner" option at the top of the page.
Show Custom Filters
Using Supporting Clouds or Resource Types
You can further narrow the search by using the "Cloud Support" and "Supported Resources" options:
- For the Cloud Support option, you can search for only those Query Filters supported by selected cloud providers, e.g., Amazon Web Services, Amazon Web Services Gov Cloud, Amazon Web Services China, Google Compute Engine, Microsoft Azure, Kubernetes, and Alicloud.
- For the Supported Resource option, you can search for only those Query Filters which are supported by the selected resource type, Instance, Volume, etc. A full list of all InsightCloudSec resource types is found on the Resource Type Definitions page.
In the example below, Amazon Web Services provides "Cloud Support" and EC2 Instance is the "Supported Resource" in a search for filters containing "Public IP".
Viewing Query Filters by Cloud Support (AWS) and Supported Resources (EC2 Instance)
Using Versions and Toggling Columns
Query Filters can also be focused using their Release Version, using the "Select Version" button. You can also choose which columns should appear in your results. Options here include number of Insights with which this Query Filter is associated, number of Bots with which this Query Filter is associated, date created, owner, etc.
Inspecting Your Query Filters
To inspect the Query Filters in the results, click on the filter name (in blue) to view the SQL query associated with this Query Filter:
Viewing the Source Code Associated with the Selected Query Filter
DivvyCloud vs. InsightCloudSec
Query Filter naming, database values, and other items may still refer to DivvyCloud vs. InsightCloudSec, the functionality is the same.
Using Query Filters With Bots
Query Filters are also used in the creation of Bots.
- For detailed step by step instructions check out Creating Bots.
- You can also view Working with Bots (Best Practices & Examples) if you want to review some examples
Notes about Query Filters vs. Bot filtering
The Resource Type you select in Step 2 of Bot creation will limit the Query Filters you can select in Step 3.
In the example below, a resource type of Instance is selected. The Query Filters specifying the filters for the Bot are limited to only those associated with Instance as a resource type.
The example below shows the same type of limits on accessible Query Filters when the resource type Network is first selected.
Using Query Filters to Create a Bot
Using Query Filters With Resources
Query Filters are also found on the Resources page. In the example below, Query Filters can be used as one criteria to further narrow a specific resource type, Instance.
Check out additional information on the Resources documentation.
Using Query Filters With Resources
Updated 3 months ago