Understand and Prioritize with Layered Context

Layered Context provides a holistic view of the most critical resources found in all environments that are connected to InsightCloudSec.

Explore Layered Context

In InsightCloudSec, navigate to Security > Layered Context to start viewing high risk resources and their impact on Insights in your environment.

Filter

Layered Context has filtering functionality to effectively narrow the scope of and navigate the data.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Trend and Analytics

The Trend and Analytics section of Layered Context provides three high-level visuals to summarize risk associated with your resources.

Field: Description
Risky Resources: The number of high-risk resources that are included in your overall footprint. This count includes resources that are impacted by at least 1 Critical Finding for Insights or Vulnerabilities and are considered to have public exposure. The combination of these two elements has been selected to help you identify resources that should be prioritized for review.
Insights Summary: A summary of the number of resources with findings for each of the severity categories available (for example: critical, high, medium). Hovering over the severity will display the total number of resources in each severity category.
High Risk Resource Types: Displays a visual breakdown of the top 5 high risk resource types with a count and overall percentage (for example: resourceaccesslist includes 138 resources, representing 12.8% of your total resources).
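
The Risky Resources rule and the High Risk Resource Types breakdown can be reproduced offline when triaging a list of resources. The following is an added example, not InsightCloudSec code: the field names and the sample rows are constructed assumptions (they are not the product's export schema), and the percentage is assumed to be taken against the total resource count.

```python
from collections import Counter

SEVERITIES = ["critical", "high", "medium", "low", "info"]  # most to least severe

# Constructed sample rows; field names are assumptions, not the product's schema.
SAMPLE = [
    {"name": "web-01", "type": "instance", "public": True,
     "insights": {"critical": 2, "medium": 1}, "vulnerabilities": {"high": 4}},
    {"name": "db-snap", "type": "snapshot", "public": True,
     "insights": {"medium": 3}, "vulnerabilities": {}},
    {"name": "batch-07", "type": "instance", "public": False,
     "insights": {"critical": 1}, "vulnerabilities": {"critical": 5}},
    {"name": "registry-a", "type": "artifactregistry", "public": True,
     "insights": {"low": 1}, "vulnerabilities": {"critical": 1}},
    {"name": "web-02", "type": "instance", "public": True,
     "insights": {"critical": 1}, "vulnerabilities": {}},
]

def highest_severity(counts):
    """Return the most severe category with a non-zero count, or None."""
    for sev in SEVERITIES:
        if counts.get(sev, 0) > 0:
            return sev
    return None

def is_risky(resource):
    """Public exposure AND at least one Critical Insight or Vulnerability finding."""
    critical = (resource["insights"].get("critical", 0)
                + resource["vulnerabilities"].get("critical", 0))
    return bool(resource["public"]) and critical >= 1

def risky_resources(resources):
    """Resources that would be counted under Risky Resources."""
    return [r for r in resources if is_risky(r)]

def top_risky_types(resources, limit=5):
    """(type, count, percent of all resources) for the most common risky types."""
    total = len(resources)
    if total == 0:
        return []
    counts = Counter(r["type"] for r in risky_resources(resources))
    return [(t, n, round(100.0 * n / total, 1)) for t, n in counts.most_common(limit)]

if __name__ == "__main__":
    for r in risky_resources(SAMPLE):
        print(r["name"], highest_severity(r["insights"]),
              highest_severity(r["vulnerabilities"]))
    print(top_risky_types(SAMPLE))
```

Note that batch-07 carries the most critical findings in the sample but is excluded because it is not public, and db-snap is public but has no critical finding: both conditions must hold.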

Data Display

This display contains all of the data analyzed within Layered Context. The data display is split amongst three tabs: Resources, Clouds, and Applications. For organizations with large and complex cloud environments, these scopes provide the ability to evaluate a single cloud account, Application, or resource. When combined with filtering, these scoping capabilities enable you to quickly navigate to specific areas that you want to evaluate for risk. Each tab includes the functionality for:

  • Search -- Type into the search bar and the list of resources will automatically filter to match the criteria. Currently, search is limited to the resource name and type metadata attributes.
  • Download -- To save a copy of the information found in the resource list, click Download next to the search bar and select either CSV or JSON. The file will be prepared in the background until it is ready to be downloaded by your web browser. If the file preparation takes longer than 10 minutes, it will time out, so it's best to narrow the scope prior to downloading.
  • Column Options -- Column options vary for each of the additional scope options (Clouds, Applications, and Resources) and are provided in detail below.

Resources

Selecting the Resources tab displays Layered Context details for all of your connected cloud resources. Selecting an individual resource by clicking on the name opens a Context Detail pane where you can explore the properties of the resource, Insight Findings, view Related Resources, and download JSON for that individual resource (along with many other contextual details). For each individual resource available in Layered Context, the additional details (properties, actions, tags, etc.) will vary. Areas that are not applicable and/or those that do not contain data will be inactive.

The following details display by default for Resources.

Field: Description
Resource Name: The name of the resource
Resource Type: The type of resource
Account Name: The name and type of the cloud account the resource is associated with
Public Access:
  • Public: Reflects resources with public accessibility based on the specified system checks. Click the column value to navigate directly to the Context Details > Public Access tab.
  • Not Public: Reflects resources that are not publicly accessible based on system checks.
Insights Summary: Displays highest criticality available (for example, if the resource is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary).
  • Critical, High, Medium, Low, Info: The count of the Insights associated with the resource respective to each individual severity (e.g., Critical = 13 indicates 13 Critical Insights for that resource).
  • Hover on the Insights badge for the counts of each Insight severity associated with the resource.
  • Click the Insights badge for expanded details on any Insight Findings associated with a specific resource.
Vulnerabilities Summary: Displays the badge(s) and count (Critical, High, Medium, Low) for the highest severity vulnerabilities identified for the selected resource.
  • Critical, High, Medium, Low, Info: The count of the Vulnerabilities associated with the resource respective to each individual severity (e.g., Critical = 13 indicates 13 Critical Vulnerabilities for that resource).
  • Hover on the Vulnerabilities badge for the counts of each Vulnerability severity associated with the resource.
  • Select the Vulnerabilities badge for expanded details on any Vulnerabilities associated with a specific resource.
Threat Findings Summary: Displays the badge for highest severity Threat Finding for the selected resource.
  • High, Medium, Low: Badges are based on the count of Threat Finding occurrences associated with the resource respective to each individual severity (e.g., Low = 399 indicates 399 Low severity Threat Finding occurrences for that resource).
  • Select the Threat Findings badge for expanded details on any Threat Findings associated with a specific resource.
Action: Offers a context menu with links to:
  • View Context Details
  • Download this resource's Source Data

Public Access

Public accessibility is a major security risk and as such has a huge impact on risk for a given resource. InsightCloudSec designates something as publicly accessible if a relevant Insight fails when checking a given resource. When you open the Context Details > Public Access tab, you'll find a table of all Public-related Insights for the given resource type as well as the first date the resource failed the Insight and the result (if the resource failed, it's Public; if it has not failed or the Insight does not apply, it's not Public). Click the + next to a Source to review detailed information about the Insight.

Public Insights

You can find relevant Insight examples by visiting the Insight Library and searching for public. Some examples include:

  • Instance with a Public IP Exposing SSH
  • Snapshot Available to the Public
  • Artifact Registry Allows Public Access

Source Data

For select Resources, there is an additional Context Details pane called Source Data that surfaces raw data about the resource harvested directly from the Cloud Service Provider (CSP). This additional context about your resources can help to further investigate configuration issues or provide deeper analysis. Click into the document viewing area, then use ⌘F (macOS) or CTRL+F (Windows) to search through the data. For full support details, see Resources.

Documents will only be stored if changes are detected for a resource or if new resources have been created, so some supported resources may not have any source documents.

Clouds

Selecting the Clouds tab allows you to view Layered Context for your cloud resources through the scope of your cloud account(s). Selecting an individual cloud by clicking on the name generates a view of the resources for the cloud selected. This view can be refined further through filtering to help you target specific security concerns within a cloud account.

The following details display by default for Clouds.

Field: Description
Cloud Name: The name of the cloud account
Cloud: The type of cloud account
Resources: The resource count for the cloud account
Public Access:
  • Public: Reflects clouds with public accessibility based on the specified system checks. Click Public to navigate directly to the Context Details > Public Access tab.
  • Not Public: Reflects clouds that are not publicly accessible based on system checks.
Insights Summary: Displays highest criticality available (for example, if the resource is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary).
  • Critical, High, Medium, Low, Info: The count of the Insights associated with the resource respective to each individual severity (e.g., Critical = 13 indicates 13 Critical Insights for that resource).
  • Hover on the Insights badge for the counts of each Insight severity associated with the resource.
  • Click the Insights badge for expanded details on any Insight Findings associated with a specific cloud.
Vulnerabilities Summary: Displays the badge(s) and count (Critical, High, Medium, Low) for the highest severity vulnerabilities identified for the selected cloud.
  • Critical, High, Medium, Low, Info: The count of the Vulnerabilities associated with the cloud respective to each individual severity (e.g., Critical = 13 indicates 13 Critical Vulnerabilities for that cloud).
  • Hover on the Vulnerabilities badge for the counts of each Vulnerability severity associated with the cloud.
  • Select the Vulnerabilities badge for expanded details on any Vulnerabilities associated with a specific cloud.
Threat Findings Summary: Displays the badge for highest severity Threat Finding for the selected cloud.
  • High, Medium, Low: Badges are based on the count of Threat Finding occurrences associated with the cloud respective to each individual severity (e.g., Low = 399 indicates 399 Low severity Threat Finding occurrences for that cloud).
  • Select the Threat Findings badge for expanded details on any Threat Findings associated with a specific cloud.
Action: Offers a context menu with a link to view the Resources associated with the given cloud.

Applications

Selecting the Applications tab allows you to view Layered Context for your cloud resources through the scope of your Applications. This feature requires some additional configuration that you can learn more about through the Application Context page.

Selecting an individual application generates a view of the resources within that application. This view can be refined further through filtering to help you target specific security concerns within an application.

The following details display by default for Applications.

Field: Description
Application Name: The name of the application
Business Critical: Identifies an application as business critical
Resources: The resource count for the application
Public Access:
  • Public: Reflects applications with public accessibility based on the specified system checks. Click Public to navigate directly to the Context Details > Public Access tab.
  • Not Public: Reflects applications that are not publicly accessible based on system checks.
Insights Summary: Displays highest criticality available (for example, if the application is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary).
  • Critical, High, Medium, Low, Info: The count of the Insights associated with the application respective to each individual severity (e.g., Critical = 13 indicates 13 Critical Insights for that application).
  • Hover on the Insights badge for the counts of each Insight severity associated with the application.
  • Click the Insights badge for expanded details on any Insight Findings associated with a specific application.
Vulnerabilities Summary: Displays the badge(s) and count (Critical, High, Medium, Low) for the highest severity vulnerabilities identified for the selected application.
  • Critical, High, Medium, Low, Info: The count of the Vulnerabilities associated with the application respective to each individual severity (e.g., Critical = 13 indicates 13 Critical Vulnerabilities for that application).
  • Hover on the Vulnerabilities badge for the counts of each Vulnerability severity associated with the application.
  • Select the Vulnerabilities badge for expanded details on any Vulnerabilities associated with a specific application.
Threat Findings Summary: Displays the badge for highest severity Threat Finding for the selected application.
  • High, Medium, Low: Badges are based on the count of Threat Finding occurrences associated with the application respective to each individual severity (e.g., Low = 399 indicates 399 Low severity Threat Finding occurrences for that application).
  • Select the Threat Findings badge for expanded details on any Threat Findings associated with a specific application.
Action (View Resources): Creates a scoped view of resources where you can do the following:
  • Click the left icon to View Context Details or click the right icon to Download Source Data.
  • Refer to the Context Details section for more information on exploring individual resources.

Layered Context API

There are two endpoints to enable interacting with Layered Context programmatically.

  • Detail Resource: This endpoint details a resource, including parent account information and dependencies. Read more about it in the InsightCloudSec API reference.
  • Export Source Data: This endpoint will export a given resource's source data.