Insights

An Insight is a check on a specific behavior, condition, or characteristic of a cloud resource. Built from a continuously growing library of Query Filters, an Insight allows you to view all of your clouds, and provides an in-depth understanding of your infrastructure's security, compliance, optimization, or other characteristics that you specify.

Feature relationships

Defining Insights

Insights can be defined around an individual resource or resource type to identify resources that may need to have limited public accessibility. Insights can focus on specific characteristics or configuration issues, used to identify a network missing an internet gateway, or used to identify a database without encryption.

Some examples of common Insights include:

  • Storage Container Exposing Access to the World
  • Database Instance Publicly Accessible
  • Volume Encryption Not Enabled

As a key feature, Insights provide customization, flexibility, and extensibility to support a variety of cloud environments. The InsightCloudSec platform comes with a library of hundreds of built-in Insights. We offer more than a dozen industry-regulation Compliance Packs, or collections of Insights, for CIS, ISO 27001, NIST 800-53, and others.

You can also create custom Insights--and Insight packs--for use in your organization. Custom Packs can be built from scratch, from existing Insights, or from a Compliance Pack as a template for customization.

Check out the FAQ for high-level answers to common questions.

Using the Insights Library

The Insight Library is the default view on the Security > Insights > Insights Library. You can reorder the Insight listing by clicking on an individual column heading and selecting the up or down arrow that appears.

The InsightCloudSec Insight library contains hundreds of individual Insights. You can view all available Insights at once (page by page), or you can filter the view by a number of options, including:

  • Individual cloud provider(s)
  • Insights marked as favorites (by checking the Only Favorites box)
  • Insights marked as failed (by checking the Only Failed Insights box)
  • Insights with IaC support (by checking the IaC support box)
  • The Insights' "Scope" or "Source" (All, InsightCloudSec, Custom)

Cloud accounts which are in a paused state are no longer evaluated during hourly Insight scans. This allows the system to align with Bots which have skipped paused clouds for the past year. If the paused clouds are in scope of the Insight, calculation are impacted.

View Individual Insights

Go to Insights > Library and select the insight you want to view. Each line in the Insights library provides multiple options for obtaining details about or taking actions on your Insights.

Detailed descriptions of filtering and viewing options for Insights

Filtering and viewing options

OptionDescription
CheckboxSelects a specific Insight for further inspection or action. Checking here activates the Action menu for this Insight. (See Actions/Context menu description below.)
Actions/Context Menu
  • Create Bot: Allows creation of a bot linked to the selected Insight. See BotFactory.
  • Edit Labels: Allows editing of labels associated with the select Insight.
SeverityShows color-coded severity indicator for selected insight: Info (teal), Low (purple), Medium (blue), High (orange), and Critical (red).
Insight nameClicking it opens the Insights report for the selected Insight. See Insights Report.
Total FindingsProvides a summary of compliance findings for the target Insight.

  • Insights will have a count of Total Findings shown within a color-coded indicator: Insights with compliance findings will have a red indicator while Insights without any findings will have a green indicator.
  • Hovering over a value in the Total Findings column will show the supported clouds for that Insight.
  • Clicking the highlighted number of Total Findings opens the Resources page showing details for the non-compliant resources. Selecting the individual resources shown on this view enables the creation of Exemptions.
  • Note that for Insights associated with cloud accounts which are in a paused state are not evaluated during hourly Insight scans. This configuration allows the system to align with Bots which have skipped paused clouds for the past year. It will affect Insight calculations (e.g. Findings) if the paused clouds are in scope of the Insight.
  • Insight severity is graded on numerous criteria. For example, with InsightCloudSec Compliance Packs, Insights identified as "critical" are designated as such because of their impact on global access, exposing instances, and root account security.
  • Protection of these elements is defined as critical to InsightCloudSec functionality. When creating Custom Insights, users can define severity based on their requirements.
ExemptionsGives the number, if any, of exempted resources for this Insight.

  • Clicking the number opens the Resources page showing details for the exempted resource.
  • Refer to the complete documentation on Exemptions.
BotsIf at least one bot is associated with this Insight, the number of associated bots will appear in blue. Clicking on the number will open the BotFactory page, detailing all of the bots linked to the selected Insight.
Favorite indicatorIndicates whether this Insight has been flagged as a favorite. Clicking the star will toggle between choosing this Insight as a favorite (solid star) or not (outlined star). You can use this indicator to scope your Insights (see above).

The Favorite indicator flags an Insight to display on your main InsightCloudSec landing page.
ReleasedIndicates the version of InsightCloudSec that this Insight was released. Custom Insights will display "N/A".
AuthorIndicates the creator of the Insight, all Insights included with the platform will have "InsightCloudSec" listed as their author. Custom Insights will display the creator's name.

It's also important to note that when creating a custom Insight, if you mark yourself as the owner, this removes the Insight for all other users.

Exempted Resources

Resources listed as 'Exempt' are harvested as any other resource scoped to a particular Insight. If exempt resources fail to meet the conditions of the Insight, however, they are not counted as findings in the Resource Breakdown.

For example, an Insight may be looking for storage containers exposing access to the public, but some of your resources are static websites which can be open to the public. Exempting those static website resources from your Insight prevents them from being included as a finding, i.e., giving false positives on your report.

Detailed descriptions of Actions on Insights

Actions on Insights

Selecting the checkbox for one or more individual Insights enables the "Action" button from which you can do the following:

ActionDescription
Edit metadataEdit metadata for the selected Insight.
Add LabelsAdd labels for the selected Insight. These will be added to the existing set of labels for the Insight (if there are any).
Set severityEdit severity for the selected Insight.

Select "Default" to reset the severity to its original value.
Add to packAllows you to add the selected Insight to an existing pack.
Add to FavoritesAdds the Insight to your list of Favorites.
Remove from FavoritesRemoves the Insight from your list of Favorites.
DeleteDeletes the Insight (with verification).
CloneCreates a copy of the selected Insight.

Cloning is only available for Custom Insights.

Some actions, like editing metadata or setting severity, will require specific permissions.

Insight Metadata

Metadata allows you to annotate Insights associated with an Insight pack and only relates to Insights within packs.

For example, if your organization uses a particular Insight within a pack to verify your resources' adherence to a specific organization policy, e.g., "AcmeCorp Policy 7A.1", you may modify the metadata for this Insight to read "AcmeCorp 7A.1".

Detailed descriptions of Insights Report details and actions

Insight report details

Clicking on an individual Insight name in the library listing will open the Insights Report. Here you can view the following:

DetailDescription
Results by CloudA breakdown of impacted resources for this Insight by cloud. Also provides access to Insights Report actions.
Insight InformationAn overview of the Insight, including specific compliance frameworks associated with this Insight, included Query Filters, and (where applicable) suggested remediation and recommended Bot workflow for remediation.

  • Compliance Information will include any Compliance Packs (aka out-of-the-box InsightCloudSec Insight Packs) that include the Insight
  • In addition, this section will include Insight Pack Membership which will list any Custom Insight Packs that this Insight may belong to.
(Noncompliant) Resource TotalsA time series display of noncompliant resources by cloud; here, you are looking for a downward trend in the number of noncompliant resources as you take actions (use Bots) to remediate.
Bot Lifecycle ActionsDisplays the previous week's worth of bot actions taken against this Insight. Typically you should see a correlation between Bot actions taken and decrease in number of noncompliant resources.

Insights report actions

Clicking the three dots to the right of "Results By Cloud" will open the actions/context menu, providing the following options:

ActionDescription
Create BotOpens the Bot Creation interface so you can create a bot for this specific insight.
View ResultsOpens the Resources page filtered to match this insight.
Download CSVDownloads a CSV file that contains this report as a series of comma-separated values.
Edit Insight (Custom Insights Only)Opens the Edit Insight interface so you can edit the insight's name description, severity, and more.
Version (Custom Insights Only)Insight versioning provides the ability to select a different "version" of an Insight, in some scenarios enabling a user to fall back to a last known-good configuration. To create a version of an existing InsightCloudSec Insight, you must first create a copy.

  • Insight versions are created by updating one of the following: the Insight Name, the Insight Description, or the labels. Changes to any other details will not create a new version.
  • To select a different version, click on the Insight name to open the "Insight Report" view. In the "Results by Cloud" section, select "Version History" to view the list of available versions.
  • If there are more than one version(s) available, the version that is "active" will be marked as such; clicking "Activate" will enable a different version.

Managing custom Insights

While InsightCloudSec includes an extensive library of Insights to work with directly out of the box, users can also create custom Insights.

Create a Custom Insight

  1. Go to Inventory > Resources and select the resource you want your Insight to apply to using the drop-down at the top of the page.
  2. (Optional) Click Scopes to narrow your scope by selecting specific clouds or groups.
  3. Click Query Filters and select your desired Query Filters.
  4. Click Save Insight to create your new custom Insight.
  5. Complete the Insight details. If you mark yourself as the owner, this removes the Insight for all other users.
  6. Click Submit to complete the creation of your Custom Insight.

After saving, the Insight appears as a Custom Insight in the Insights Library. You can then use Source:Custom in the library to display only custom Insights.

Create a Custom Insight Using an Existing Insight

If you are interested in using an existing Insight as a starting point for a Custom Insight, you can do so using either a InsightCloudSec standard Insight or a Custom Insight. Refer to the steps below to create a new Custom Insight from an existing Insight.

  1. Go to Security > Insights.
  2. On the Insight Library tab, select an Insight to view the Insight Report page.
  3. Select one of the cloud accounts to open the filtered Resource View.
  4. Make changes to Scope or Query Filters.
  5. Click Save Insight to create a new Custom Insight.

Create a Custom Insight Using Clone

If you are interested in using an existing custom Insight as a starting point for a new Insight, you can clone that Insight. The clone action is not available for InsightCloudSec standard Insights.

  1. Go to Security > Insights.
  2. On the Insight Library tab, select an Insight to view the Insight Report page.
  3. Select one of more of the Custom Insights you would like to clone and, from the Actions menu above the list of Insights, select Clone.

Your new cloned Insight will be added to the Insight Library using the existing name with (Clone) appended to the name (i.e. Expiring Soon (Clone)).

Edit the details of a Custom Insight

These steps allow you to edit the name, description, severity, and ownership of an existing Custom Insight.

  1. Go to Security > Insights and on the Insights Library tab, locate the Insight you want to modify.
  2. Click on the Insight name to open the Insight Report view.
  3. In the Results by Cloud section, open the context menu and click Edit Insight.
  4. Modify the Custom Insight and select Submit once you have made the desired changes.

If you mark yourself as the Insight owner, this Insight will NOT be visible to any other users.

Edit the scope and query filters of a Custom Insight

If you are interested in modifying the scope or Query Filters of an existing custom Insight to make permanent changes to that Insight, you must record the changes before making any additional edits to the scope or query filters.

  1. Go to Security > Insights and on the Insights Library tab, select the insight.
  2. In the Total Findings column, click the number of Total Findings to open a filtered page displaying the resources that apply to the Insight.
  3. Under Actions, click Record Changes.
  4. Adjust the Query Filters as necessary.
  5. Click Save Changes.
  6. In the Save Insight window, review all the information and/or update any of the fields.
  7. Click Submit to save all changes to the Insight.

Insight Packs

InsightCloudSec Insights, in addition to being applied individually, are also organized in two types of Insight Packs.

  • Compliance Packs are pre-built Insight Packs that ship with the InsightCloudSec platform and typically revolve around industry security and compliance standards.
  • Custom Packs are Insight packs built from your specific requirements. Custom Packs can be based on an existing pack (copying and modifying an existing Compliance or Custom Pack) or from a selection of filtered resources.

From the Insights landing page, go to either the Compliance Pack tab or the Custom Packs tab to view/access Insight Packs in these two categories.

Frequently Asked Questions (FAQ)

How do I create my own Insight?

How do I create my own Insight?

  • From Resources, select a target Resource, use the Filters option, at the top right of the resources page, and select any one or more filter(s) you want to apply to the selected resource. Choosing a resource narrows the filters automatically to display only those that apply.
    • This "filtered" resource view updates to include a Save Insight button.
    • You also have the ability to use an existing Insight as a starting point. You can clone a Custom Insight directly, or use the Record Changes option to create a modified Insight with any Insight as the starting point.
Can I clone/edit/modify an existing Insight?

Can I clone/edit/modify an existing Insight?

Only custom Insights (or those not included out-of-the-box) can be cloned. From the Insight Library (Security > Insights) select the checkbox to the left of the Insight name. Select the Actions button and scroll to the Clone option on the actions menu.

Where can I see the Filters that were used to create an Insight?

Where can I see the Filters that were used to create an Insight?

Filters are listed on the Insight Report details, in the Insight information panel. Scroll to the bottom of that content pane to view the list of filters.

This is the best option if you want to use an out-of-the-box Insight as a starting point to create your own.

Can I reset an Insight (e.g., modify the scope or filters)?

Can I reset an Insight (e.g., modify the scope or filters)?

To modify the scope or filters of an existing custom Insight to make permanent changes to that Insight, you can "record the changes".

Open a Custom Insight and then locate the Resource Breakdown column; clicking on the Findings/In Scope count navigates to a filtered page displaying the resources that apply to the Insight.

Once you are on this page, if you want to edit or modify the existing Custom Insight, you must first click on the Record Changes button before you select any new scope or filtering.

Refer to the complete instructions here.

How do I create an Exemption?

How do I create an Exemption?

Exemptions are Insight-driven. Refer to Exemptions (Insights) for detailed documentation on this capability.

There are two options:

  • From the Insight Report view of a selected Insight under the Results by Cloud select view all
  • Select the Findings/In Scope count

Either of these selections will open a filters view of applicable resources. From this view, select the box next to the target resource, and click on the Add Exemption button.

Can I change an Insight's severity?

Can I change an Insight's severity?

From the Insight Library, select the box next to the target Insight to enable the Actions menu. Click Actions > Set severity. Select a severity or "Default" to reset the severity to its original value, then click Update Severity.

Check out the full list of actions here.

Insight Findings

For Insight Findings, Insights associated with cloud accounts which are in a paused state are not evaluated during hourly Insight scans. This configuration allows the system to align with Bots which have skipped paused clouds for the past year. It will affect Insight calculations (e.g. Findings) if the paused clouds are in scope of the Insight.