Query Filters

An Overview of How InsightCloudSec Enables Visibility Into Your Cloud Infrastructure

The Query Filters section of InsightCloudSec is where you find the tools to surface problems of interest among your resources. Query Filters specify the conditions InsightCloudSec searches for in identifying matching resources. Reports or actions can then be made on matched resources.

The full list of Query Filters can be accessed via "Security --> Query Filters" from the main navigation, or explored through the Query Filters option within Resources.

1202

Query Filters Landing Page

Exploring Query Filters

Query Filters specify conditions InsightCloudSec searches for in identifying matching resources. They are used in Insights and Bots. Insights combine Query Filters, scope, and reporting. Bots take action based on the output of Query Filters, scope, and Insights.

1500

InsightCloudSec Feature Overview

Narrow Your Focus of Query Filters

InsightCloudSec is continually updating its filtering toolset in response to cloud providers' newly released capabilities as well as customer requests. The current list of Query Filters can be somewhat overwhelming and we recommend that you become familiar with them by:

  • Examining the Query Filters that are relevant to your cloud environments.

  • Focusing on your higher priority resources.

You can also combine the Cloud Provider and Resource Type scopes to narrow your Query Filter search even further.

In the example below we've selected Google Cloud Platform as the CSP and selected the "Container Image" resource, to narrow the scope of possible Query Filters.

1212

Query Filter View - Narrowed Scope

Learn About Each Query Filter

Once you have identified Query Filters of interest, you can learn details, such as description, supported clouds, supported resources, and configuration requirements. You can also view the underlying code to understand how a given Query Filter works.

Working With Query Filters

Once you have an understanding of what is available, you can take actions, including reporting, using Query Filters. Actions are used with:

1. Insights - combining Query Filters + scope + reporting.

2. Bots - combining Query Filters + scope + action.

In both cases, you will likely combine Query Filters and specify configurations to identify only the resources you want to explore

For example, you might combine these Query Filters:

  • Resource Is Not Encrypted
  • Resource Is Exposed To Public
  • Resource Contains Tag Key and Value Regular Expression

In addition to matching Query Filters (or combinations of Query Filters), you can also search for resources that fail to match Query Filters. For example, you might specify that a key/value is not equal to environment: public-facing; this would surface S3 buckets with potential unintended data exposure.

Searching for Query Filters

You can narrow your view of using the search bar to find a specific Query Filter with keywords or terms (e.g., Access List), by scoping by supporting clouds or resource type, or by looking through specific versions of InsightCloudSec. Custom Query Filters are also included in the full listing and can be access by toggling the "Owner" option at the top of the page.

1216

Show Custom Filters

Using Supporting Clouds or Resource Types

You can further narrow the search by using the "Cloud Support" and "Supported Resources" options:

  • For the Cloud Support option, you can search for only those Query Filters supported by selected cloud providers, e.g., Amazon Web Services, Amazon Web Services Gov Cloud, Amazon Web Services China, Google Compute Engine, Microsoft Azure, Kubernetes, and Alibaba Cloud.
  • For the Supported Resource option, you can search for only those Query Filters which are supported by the selected resource type, Instance, Volume, etc. A full list of all InsightCloudSec resource types is found on the Resource Type Definitions page.

In the example below, Amazon Web Services provides "Cloud Support" and EC2 Instance is the "Supported Resource" in a search for filters containing "Public IP".

1213

Viewing Query Filters by Cloud Support (AWS) and Supported Resources (EC2 Instance)

Using Versions and Toggling Columns

Query Filters can also be focused using their Release Version, using the "Select Version" button. You can also choose which columns should appear in your results. Options here include number of Insights with which this Query Filter is associated, number of Bots with which this Query Filter is associated, date created, owner, etc.

Inspecting Your Query Filters

To inspect the Query Filters in the results, click on the filter name (in blue) to view the SQL query associated with this Query Filter:

1019

Viewing the Source Code Associated with the Selected Query Filter

📘

DivvyCloud vs. InsightCloudSec

Query Filter naming, database values, and other items may still refer to DivvyCloud vs. InsightCloudSec, the functionality is the same.

Using Query Filters With Bots

Query Filters are also used in the creation of Bots.

🚧

Notes about Query Filters vs. Bot filtering

The Resource Type you select in Step 2 of Bot creation will limit the Query Filters you can select in Step 3.

In the example below, a resource type of Instance is selected. The Query Filters specifying the filters for the Bot are limited to only those associated with Instance as a resource type.

The example below shows the same type of limits on accessible Query Filters when the resource type Network is first selected.

1400

Using Query Filters to Create a Bot

Using Query Filters With Resources

Query Filters are also found on the Resources page. In the example below, Query Filters can be used as one criteria to further narrow a specific resource type, Instance.

Check out additional information on the Resources documentation.

  • Hover over a Cloud Service Provider to see all applicable support (e.g. AWS, AWS GovCloud, AWS China).
2870

Using Query Filters With Resources