Identity Analysis

Feature Overview

Identity Analysis provides a unified location to view and explore principals and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more.

• Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
• Narrow the scope of your assessment with tools for search and filtering, and explore detailed information for individual principals.
• Review permission usage summaries and remediation to take action on identified risks.

Getting Started

Before getting started with Identity Analysis you will need:

• A functioning InsightCloudSec installation
• One or more successfully onboarded cloud account(s)
• For customers using AWS
  • Differential Cache must be enabled (this is enabled by default for SaaS/hosted customers)
  • LPA for AWS should be configured. Read more under the AWS LPA Setup documentation.
• For customers using Azure
  • LPA should be configured. Read more under the Azure LPA Setup documentation.
• For customers using GCP
  • LPA is set up automatically. Read more about this feature in the GCP LPA Usage documentation.

Explore Identity Analysis

In InsightCloudSec, navigate to "Security --> Identity Analysis" to start viewing your principal data.

Search and Filter

Search
Type into the search bar to revise the list of principals based on your search criteria.

Filtering

Filtering ("Add Filter") allows for narrowing the scope of the principals displayed list using properties like: cloud accounts, principal type, and total permission count.

• Click the “Add Filters” button to open the panel, and “Select a property” to get started.
• After choosing your desired filters, select “Apply” to update the page to display the results of your specified filters.

• Total active filters will display a count next to the "Filters" label.
• Expanding the filters section of the Identity Analysis page displays the details for filters that are active.

Save Filters

After Adding a Filter you can save it so that can easily be reused the next time you access the feature. Note: Saved filters are feature-specific (since options vary between features), i.e., a Feature "A" saved filter will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

1. Use the "Add Filter" option to create a filtered view of the page.

2. Expand the Filters section, and click the "Options" button (ellipsis).

3. Click "Save Filter" and provide a name and (optional) description.

4. If desired, select the checkboxes:

• "Set as Default Filter" -- Designates this filter as your default when you return to the feature
• "Make this a Public Filter" -- Makes this filter available to all users inside your InsightCloudSec organization

5. Click "OK". The filter is saved and can be edited from the "Saved Filters" page for this feature.

Data Display

Below the Filters display is the main table display of all of the data.

• The top number displays the total principals. This number will update to show the number of principals applicable to any selected filters, along with the percentage.
• Columns displayed are: Principal Name, Principal Type, Cloud, Account Name, Insights Summary, Permissions, Privilege Escalation, and Action. Details on each column are below.

Principal Name

The name of the principal.

• Clicking the "copy" icon to the right of the name copies the full name.
• Clicking on the name opens a detail view with expanded properties, Insight Findings, Related Resources, etc. Refer to Context (Principal) Details for more information.

Principal Type

The principal type for the associated principal. Currently Cloud Role and Cloud User are supported.

Cloud

The type of cloud account for the associated principal. For example: AWS, Azure, or GCP.

Account Name

The account name for the associated principal.

Insight Summary

Displays highest criticality available (for example if the principal is only associated with an Insight (or Insights) with a Medium severity, that is what will display in the Insights Summary).

• Critical, High, Medium, Low, Info: The count of the Insights associated with the principal respective to each individual severity. (e.g. Critical = 13, indicates 13 Critical Insights for that resource.)
• Hover on the Insights badge for the counts of each Insight severity associated with the principal.
• Click the Insights badge for expanded details on any Insight Findings associated with a specific principal.

Permissions

Displays a visualization of permissions with different colors for the quantity of unused, used, and unassessed permissions. Note: Unassessed permissions do not appear in the graph, but their count will be displayed in the tooltip if you hover on the graph.

• Clicking on the permissions visualization bar opens the detail view for the selected principal.

Privilege Escalation

Displays a visual indicator for privilege escalation for the selected principal, options include none, N/A (where no data is available), and a flag to indicate that the principal may have issues around privilege escalation.

• Clicking on the Flag, - symbol, or N/A opens to the Insight Findings tab of the Context Details to explore Insight Findings data that identifies risk of privilege escalation.

Action

Click the left icon to "View Context Details" or click the right icon "Download Source Data".

• Refer to Context (Principal) Details for more information.

Context (Principal) Details

Selecting an individual principal by clicking on the name, or by selecting "View Context Details" under actions opens a detail view for the selected Principal.

This view includes information like:

• Cloud Account
• Provider ID
• Resource ID
• Direct Link (when available)

📘

Principal Detail Availability

For each individual principal available in Identity Analysis the context details will vary.

• Areas that are not applicable, and/or those that do not contain data will be greyed out
• Depending on the principal different context details are available