Insights

An Overview of How InsightCloudSec Provides In-Depth Holistic Infrastructure Intelligence

An Insight is a check on a specific behavior, condition, or characteristic of a cloud resource. Built from a continuously growing library of Query Filters, an Insight allows you to view all of your clouds, and provides an in-depth understanding of your infrastructure's security, compliance, optimization, or other characteristics that you specify.

Insights can be defined around an individual resource or resource type to identify resources that may need to have limited public accessibility. Insights can focus on specific characteristics or configuration issues, used to identify a network missing an internet gateway, or used to identify a database without encryption.

Some examples of common Insights include:

  • Storage Container Exposing Access to the World
  • Database Instance Publicly Accessible
  • Volume Encryption Not Enabled

As a key feature, Insights provide customization, flexibility, and extensibility to support a variety of cloud environments.

1500

InsightCloudSec Feature Overview

The InsightCloudSec platform comes with a library of hundreds of built-in Insights. We offer more than a dozen industry-regulation Compliance Packs, or collections of Insights, for CIS, ISO 27001, NIST 800-53, and others.

You can also create custom Insights--and Insight packs--for use in your organization. Custom Packs can be built from scratch, from existing Insights, or from a Compliance Pack as a template for customization.

Check out the Insights - Quick Reference page for high-level answers to common questions.

Insights Library

The Insight Library is the default view on the Insights main page. You can also select the "Library" tab on this page to display the library.

The InsightCloudSec Insight library contains hundreds of individual Insights. You can view all available Insights at once (page by page), or you can filter the view by a number of options, including:

  • Individual cloud provider(s)
  • Insights marked as favorites (by checking the Only Favorites box)
  • Insights marked as failed (by checking the Only Failed Insights box)
  • Insights with IaC support (by checking the IaC support box)
  • The Insights' "Scope" or "Source" (All, InsightCloudSec, Custom)
1912

Insight Library - Viewing Options

Cloud accounts which are in a paused state are no longer evaluated during hourly Insight scans. This allows the system to align with Bots which have skipped paused clouds for the past year.

  • Note: It will also affect Insight calculations if the paused clouds are in scope of the Insight.

Viewing Individual Insights

Each line in the Insights library provides multiple options for obtaining details about or taking actions on your Insights. You can reorder the Insight listing by clicking on an individual column heading (e.g., Severity, Insights, Total Findings, etc.) and selecting the up or down arrow that appears.

  • For example, clicking a down arrow next to "Total Findings" will order the Insights in descending order by the number of findings; clicking an up arrow next to "Severity" will order the Insights from least severe to most severe.
2476

Viewing Insights - Individual Insight Options

Insight Filtering and Viewing Options

Checkbox - Selects a specific Insight for further inspection or action. Checking here activates the Action menu for this Insight. (See Actions/Context menu description below.)

Actions/Context Menu - (Three dots menu to the left of the Insight name)

  • Create Bot: Allows creation of a bot linked to the selected Insight. See BotFactory.
  • Edit Labels: Allows editing of labels associated with the select Insight.

Severity - Shows color-coded severity indicator for selected insight: Info (teal), Low (purple), Medium (blue), High (orange), and Critical (red).

Insight name - Clicking it opens the Insights report for the selected Insight. See Insights Report.

Total Findings - Provides a summary of compliance findings for the target Insight.

  • Insights will have a count of Total Findings shown within a color-coded indicator: Insights with compliance findings will have a red indicator while Insights without any findings will have a green indicator.

  • Hovering over a value in the Total Findings column will show the supported clouds for that Insight.

  • Clicking the highlighted number of Total Findings opens the Resources page showing details for the non-compliant resources. Selecting the individual resources shown on this view enables the creation of Exemptions.

  • Note that for Insights associated with cloud accounts which are in a paused state are not evaluated during hourly Insight scans. This configuration allows the system to align with Bots which have skipped paused clouds for the past year. It will affect Insight calculations (e.g. Findings) if the paused clouds are in scope of the Insight.

  • Insight severity is graded on numerous criteria. For example, with InsightCloudSec Compliance Packs, Insights identified as "critical" are designated as such because of their impact on global access, exposing instances, and root account security.

  • Protection of these elements is defined as critical to InsightCloudSec functionality. When creating Custom Insights, users can define severity based on their requirements.

Exemptions - Gives the number, if any, of exempted resources for this Insight.

  • Clicking the number opens the Resources page showing details for the exempted resource.
  • Refer to the complete documentation on Exemptions.

Bots - If at least one bot is associated with this Insight, the number of associated bots will appear in blue. Clicking on the number will open the BotFactory page, detailing all of the bots linked to the selected Insight.

Favorite indicator - Indicates whether this Insight has been flagged as a favorite. Clicking the star will toggle between choosing this Insight as a favorite (solid star) or not (outlined star). You can use this indicator to scope your Insights (see above).

  • The Favorite indicator flags an Insight to display on your main InsightCloudSec landing page.

Released - Indicates the version of InsightCloudSec that this Insight was released. Custom Insights will display "N/A".

Author - Indicates the creator of the Insight, all Insights included with the platform will have "InsightCloudSec" listed as their author. Custom Insights will display the creator's name.

  • Note: It's also important to note that when creating a custom Insight, if you mark yourself as the owner, this removes the Insight for all other users.

📘

Exempted Resources

Resources listed as 'Exempt' are harvested as any other resource scoped to a particular Insight. If exempt resources fail to meet the conditions of the Insight, however, they are not counted as findings in the Resource Breakdown.

For example, an Insight may be looking for storage containers exposing access to the public, but some of your resources are static websites which can be open to the public. Exempting those static website resources from your Insight prevents them from being included as a finding, i.e., giving false positives on your report.

Actions on Insights

Selecting the checkbox for one or more individual Insights enables the "Action" button from which you can:

  • Edit metadata - Edit metadata for the selected Insight.
  • Add Labels - Add labels for the selected Insight. These will be added to the existing set of labels for the Insight (if there are any).
  • Set severity - Edit severity for the selected Insight. Note: Select "Default" to reset the severity to its original value.
  • Add to pack - Allows you to add the selected Insight to an existing pack.
  • Add to Favorites - Adds the Insight to your list of Favorites.
  • Remove from Favorites - Removes the Insight from your list of Favorites.
  • Delete - Deletes the Insight (with verification).
  • Clone - Creates a copy of the selected Insight. Note: Cloning is only available for Custom Insights.

Note: Some actions, like editing metadata or setting severity, will require specific permissions.

📘

Insight Metadata

Metadata allows you to annotate Insights associated with an Insight pack and only relates to Insights within packs.

For example, if your organization uses a particular Insight within a pack to verify your resources' adherence to a specific organization policy, e.g., "AcmeCorp Policy 7A.1", you may modify the metadata for this Insight to read "AcmeCorp 7A.1".

Insights Report

Clicking on an individual Insight name in the library listing will open the Insights Report. Here you can view:

  • Results by Cloud - a breakdown of impacted resources for this Insight by cloud. Also provides access to Insights Report actions.
  • Insight Information - an overview of the Insight, including specific compliance frameworks associated with this Insight, included Query Filters, and (where applicable) suggested remediation and recommended Bot workflow for remediation.
    • Compliance Information will include any Compliance Packs (aka out-of-the-box InsightCloudSec Insight Packs) that include the Insight
    • In addition, this section will include Insight Pack Membership which will list any Custom Insight Packs that this Insight may belong to.
  • (Noncompliant) Resource Totals - a time series display of noncompliant resources by cloud; here, you are looking for a downward trend in the number of noncompliant resources as you take actions (use Bots) to remediate.
  • Bot Lifecycle Actions - displays the previous week's worth of bot actions taken against this Insight. Typically you should see a correlation between Bot actions taken and decrease in number of noncompliant resources.
2480

Insights Report: Results by Cloud and Insight Information

1081

Insights Report: Noncompliant Resource Totals and Bot Lifecycle Actions

Insights Report Actions

Clicking the three dots to the right of "Results By Cloud" will open the actions/context menu, providing the following options:

  • Create Bot - Opens the Bot Creation interface so you can create a bot for this specific insight.
  • View Results - Opens the Resources page filtered to match this insight.
  • Download CSV - Downloads a CSV file that contains this report as a series of comma-separated values.
  • Edit Insight (Custom Insights Only) - Opens the Edit Insight interface so you can edit the insight's name description, severity, and more.
  • Version (Custom Insights Only) - Insight versioning provides the ability to select a different "version" of an Insight, in some scenarios enabling a user to fall back to a last known-good configuration. To create a version of an existing InsightCloudSec Insight, you must first create a copy.
    • Insight versions are created by updating one of the following: the Insight Name, the Insight Description, or the labels. Changes to any other details will not create a new version.
    • To select a different version, click on the Insight name to open the "Insight Report" view. In the "Results by Cloud" section, select "Version History" to view the list of available versions.
      • If there are more than one version(s) available, the version that is "active" will be marked as such; clicking "Activate" will enable a different version.
1255

Insight Report Actions

Custom Insights

While InsightCloudSec includes an extensive library of Insights to work with directly out of the box, users can also create custom Insights.

Create a Custom Insight

To create a custom Insight, you will need to start from the Resources Page, available under “Inventory → Resources” on the main navigation panel.

1. Select the resource you want your Insight to apply to using the drop-down at the top of the page.

1600

Custom Insight - Narrowing Scope by Selecting a Resource Type

2. Click on "Scopes" (the cloud shaped button next to the drop down resource list) on the top right to narrow your scope as desired (to select specific Clouds or Resource Groups). (Optional)

3. Click on "Query Filters" to browse and select your desired Query Filters (configuration will vary based on the filter type).

  • The Resource view will update as you select and apply the Query Filters, including a total count of filters applied.
  • If you attempt to apply a Query Filter that is not correctly configured you will see the name of the Query Filter highlighted in red and hovering will provide a contextual error about why it cannot be applied.
1715

Custom Insight - Narrowing Scope by Selecting Query Filters

4. Once you are satisfied with the Query Filters you have selected, click on "Save Insight" to create your new custom Insight. Complete the following as desired:

  • Insight Name
  • Insight Description
  • Any labels
  • Severity
  • Mark yourself as the owner
  • Mark the Insight as a favorite
  • Limit Resource Types (or modify the list)

📘

A Note About Creating Custom Insights

It's important to note that when creating a custom Insight, if you mark yourself as the owner, this removes the Insight for all other users.

5. Click "Submit" to complete the creation of your Custom Insight.

Once saved, your Insight will appear as a Custom Insight in the Insights Library. You can then use Source:Custom in the library to display only custom Insights.

Create a Custom Insight Using an Existing Insight

If you are interested in using an existing Insight as a starting point for a Custom Insight, you can do so using either a InsightCloudSec standard Insight or a Custom Insight. Refer to the steps below to create a new Custom Insight from an existing Insight.

1. From "Security --> Insights" on the Insight Library tab, select an Insight (click on the name) to view the Insight Report page.

2. Select one of the cloud accounts to open the filtered Resource View.

3. Make modifications as desired to Scope or Query Filters.

4. Changes will enable the "Save Insight" button and enable you to create a new Custom Insight.

Create a Custom Insight Using Clone

If you are interested in using an existing custom Insight as a starting point for a new Insight, you can clone that Insight. Note, that the clone action is not available for InsightCloudSec standard Insights.

1. From "Security --> Insights" on the Insight Library tab, select an Insight (click on the name) to view the Insight Report page.

2. Locate the Custom Insight you would like to clone and click the box to the left of the name.

3. From the Actions menu above the list of Insights, select "Clone".

  • Note this can be performed for multiple Insights at the same time.
  • Your new cloned Insight will be added to the Insight Library using the existing name with (Clone) appended to the name (e.g., "Service Encryption Key Expired or Expiring Soon (Clone)").

Editing a Custom Insight

The ability to edit an Insight is only available for Custom Insights and different components are editable through different options.

Editing a Custom Insight (Administrative Details)

These steps allow you to edit the name, description, severity, and ownership of an existing Custom Insight.
1. Navigate to "Security --> Insights" and on the Insights Library tab, locate the Insight you want to modify.

2. Click on the Insight name to open the Insight Report view.

3. In the "Results by Cloud" content area, open the context menu and select "Edit Insight".

1045

Edit Custom Insight

4. Modify the Custom Insight and select "Submit" once you have made the desired changes.

*Note: If you mark yourself as the Insight owner, this Insight will NOT be visible to any other users.

790

Modify the Existing Custom Insight

Editing a Custom Insight (Scope and Query Filters)

If you are interested in modifying the scope or Query Filters of an existing custom Insight to make permanent changes to that Insight, you must "record the changes".

Refer to the following steps:

1. Open a Custom Insight and then locate the "Total Findings" column; clicking on the number of Total Findings navigates to a filtered page displaying the resources that apply to the Insight.

1222

Open the Custom Insight Resources View

2. Under Actions, locate "Record Changes". There are two things to keep in mind for this capability:

First, once you are on this page, if you choose to make changes to the scope or Query Filters without selecting "Record Changes", effectively you are modifying a Resources view.

  • You will not be able to save modifications to the Custom Insight you started with.
  • Any changes made from this view will allow you to create a new Insight, but you're effectively starting from scratch to create a brand new Custom Insight.

Second, once you are on this page, if you want to edit or modify the existing Custom Insight, you must first click on the "Record Changes" button before you select any new scope or filtering.

  • This will provide you a confirmation that changes are being recorded and enable a "Save Changes" (rather than "Save Insight") button.
1399

Custom Insight - Record Changes

3. Adjust the "Query Filters" as necessary.

4. Click "Save Changes". The "Save Insight" window will appear.

  • Review all the information and/or update any of the fields. Note: A list of Bots that are associated with this Insight will be displayed. All changes to the Insight will be propagated to the Bots as well.

5. Click "Submit" to save all changes to the Insight.

1600

Save Insight

Insight Packs

InsightCloudSec Insights, in addition to being applied individually, are also organized in two types of Insight Packs.

  • Compliance Packs are pre-built Insight Packs that ship with the InsightCloudSec platform and typically revolve around industry security and compliance standards.
  • Custom Packs are Insight packs built from your specific requirements. Custom Packs can be based on an existing pack (copying and modifying an existing Compliance or Custom Pack) or from a selection of filtered resources.

From the Insights landing page, users can select either the "Compliance Pack" tab or the "Custom Packs" tab to view/access Insight Packs in these two categories.

1533

Accessing Compliance Packs or Custom Packs