System Settings

InsightCloudSec's platform includes numerous administrative configuration elements. Under Administration on the main navigation, the options include configurations around third-party Integrations, Plugins (if applicable), Identity & Management Resources, IAM Settings, Harvesting Strategies, and overall System Administration.

This page covers the System portion of System Administration, which is accessible when you select System Administration > System from the main navigation.

Specific documentation for other areas of System Administration are as follows:

For questions regarding these settings or other configuration concerns, reach out to us through the Customer Support Portal.

System Administration landing page

The System page is where you can view and configure global settings for your InsightCloudSec platform, including all organizations. This section of Administration includes:

  • General Settings
  • Job Backlog Settings
  • Whitelabel Settings
  • Health Notifications
  • Job Scheduler Information
  • System Health
  • Worker Node Status
  • Slowest Jobs
  • Current User Sessions
  • Diagnostics

General Settings

General Settings are available in the first content area on the top left of the System Administration > System section. From here you can view and/or update the following:

Applying Changes

The majority of changes to any values under General Settings, e.g., the Session Timeout or Insight Scan time, will only take effect if the Scheduler is restarted.

Make sure you remember to click SAVE if you make changes to the content in this section.

  • Base URL -- Enter the base URL to your InsightCloudSec installation. This URL provides InsightCloudSec with a "return address" to third party products--integrations--that InsightCloudSec calls. For example, "https://insightcloudsec.companyname.com".
  • Session Timeout -- Set this to the value in minutes when InsightCloudSec sessions will automatically timeout. Values may be set from 1-720 minutes or a maximum of 12 hours. The default value is 60 minutes.
  • Insight Scan Time -- Set this to the value in minutes that you want Insight scanning to occur (60-720). More frequent Insight scanning (lower values) can impact system performance at scale.
  • System Email Settings (Optional) -- Allows you to specify an email address to receive harvesting/monitoring notifications. The email address specified in this field (or domain admins if no address is provided) will receive an email when harvesting capabilities are disrupted. For example: if a cloud account has invalid credentials, or when EDH is interrupted and your cloud data is not being obtained, or if an admin manually triggers the "run diagnostics" functionality on the System page.
    • This field only supports a single email address, so it's often populated with an alias (e.g., support@mycompany.com).
    • This field is optional because if no email address is provided, all domain admins will receive system email notifications.
    • Note that this functionality also requires establishing a connection between InsightCloudSec and an SMTP Server. Visit SMTP (Email Notifications) for more information.
  • Sentry Bug URL (Optional) -- Enter the Sentry URL here if you wish to send bug and stack traces to Sentry for analysis and tracking.
  • New Account Email Body (Optional) -- This is the default text of the email generated and sent to new users. This feature supports the Jinja2 variables {{ username }}, {{ url }}, and {{ password }}. You can alter this message for consistency in internal branding, i.e., the email appears to come from your organization as opposed to coming from InsightCloudSec.

Job Backlog Settings

Use the Job Backlog Settings to select the cloud account to which you would like to export backlog information. This option is currently only available for AWS and GCP. For more information on the Job backlog export, refer to the details here.

For AWS you will also need to:

  • Specify the Target Region
  • If desired, you can customize the Target Namespace (AWS Only).
  • Check "Use Instance Authentication" to enable the use of credentials generated by the instance profile.

Within CloudWatch if you do not select a custom name, the Custom Namespace defaults to InsightCloudSec. Otherwise, in our example, it will show with the Target Namespace (e.g. Your-NameSpace) you specified.

Whitelabel Settings

Whitelabel Settings can be used to replace the InsightCloudSec logo used throughout the tool with a logo or image of your choosing, e.g., your company’s logo. To do so you will need to:

  1. Select an image URL or Base64-encoded PNG image file with approximate dimensions of 115 x 450 pixels (px).
  2. Select SAVE to apply the changes. Valid images will appear in a preview.

Health Notifications

Health Notifications allow users to disable notifications or alternatively enable a Slack or MS Teams notification for System Health. When enabled, users can select a cadence for the notifications and as with the general WebHook integration/configuration, can specify a Slack or MS Teams channel.

Add your Slack WebHook or your MS Teams WebHook and the specified channel will receive notifications based on the cadence you select (Daily or Hourly).

  • Check out the Slack Integration page for complete details on generating a Slack WebHook.
  • Check out the Microsoft Teams Integration page for complete details on generating an MS Teams WebHook.
    • The MS Teams integration supports multiple WebHooks. To generate the health notifications, you can use an existing WebHook or simply create a new one.

System & Health Notifications

System/Health notifications are typically generated based on issues related to the following: system clock drift, job scheduling (no harvest within 24 hours), invalid credentials, assume role failures, and invalid permissions.

Infrastructure-as-Code Settings

The Infrastructure-as-Code Settings section allows IaC users to specify settings for authentication and defaults for new Insights added to a Custom Pack.

Requiring Authentication

By default Infrastructure-as-Code (IaC) scans do not require user authentication since scanned resources are simulated and discarded immediately after the scan results are delivered.

  • Leaving authentication disabled can make it easier to integrate IaC analysis into CI/CD pipelines.
  • If you choose to enable Require Authentication, the API endpoint used to scan IaC templates will require authentication from an active user.

Scan Retention Days

This setting allows administrators to specify a threshold (in days) for the retention of IaC scans. If no value is specified the scans are never deleted, otherwise scans will be retained for the specified number of days.

Setting Defaults for Insights Added to Existing Configurations

Users have the ability to configure IaC default settings for Insights that are added to a Custom Pack that is already associated with an IaC configuration, so that they have a particular status applied. The status options are:

  • Default Insights to Warn
  • Default Insights to Fail
  • Default Insights to Ignore

For additional details on the IaC feature we recommend you check out the IaC Security Overview page or the Getting Started with IaC Security page. To jump right in to other IaC-related settings refer to the Managing Configurations section of the IaC documentation.

Insight Exemptions

By default the Insight Exemptions section of the System settings is blank. If no settings are specified here, exemptions that are within 72 hours of expiration automatically generate a report to notify the creator. 1Changes implemented here will supersede these defaults.

Insight Exemptions settings allow a user with the appropriate permissions to define requirements around Insight Exemptions as follows:

  • Exemption Notification Days -- This is the number of days before the expiration of an exemption will trigger an email.
    • For example, when set to 3, the specified approver will receive an email 3 days before the expiration of the exemption, notifying them of the upcoming expiration.
  • Require Approver -- When checked/enabled requires an approver for all exemptions.
  • Require Approver Email -- When checked/enabled requires the approver field to be populated with a valid email address (this field supports both text and email).
  • Maximum Age -- This is the maximum age (in days) that an Insight Exemption can be set to, if this field is left blank or set to 0, there is no maximum enforced.

Job Scheduler Information

The Job Scheduler Information pane can be used to refresh the active job scheduler. While InsightCloudSec is only architected for one scheduler, a common deployment practice is to have a secondary scheduler as a High Availability (HA) failover option. This pane displays which scheduler is currently the active (or master), the host for each scheduler, the time each job scheduler last sent a heartbeat to Redis, and the status of any plugins that have been applied to the schedulers. Users also have the ability to flush the Redis cache and address issues that cannot be otherwise resolved or managed. If you have questions about this feature we recommend reaching out to us through the Customer Support Portal.

Check out our Product Architecture page to learn more about the role of the scheduler within InsightCloudSec's overall workflow.

System Health

This System Health section is a display-only pane that shows the description and status of a dozen parameters describing system health. You must scroll within the pane to view the full details.

For users that want to receive this information they can choose to opt-in under their profile. Details on that setting are available here.

Job Backlog, Daily Queue, and Daily Job Duration Action

For Job Backlog (High Priority), Job Backlog (Medium Priority), and Job Backlog (Low Priority), clicking the trash can icon in the Action field will completely reset and clear the selected priority job backlog queue.

For Daily Queue (any) and Daily Job Duration (any), there is a refresh icon in the Action field. Clicking this icon does NOT refresh the Daily Queue and Daily Job Duration statistics and instead will completely reset the statistics.

Use caution when using either of these actions.

Health CheckDescription
Internal Scheduler Mailbox QueueIndicates the number of internal InsightCloudSec scheduler jobs that are currently in queue. The queue should stay around 0 or at least be consistently decreasing.
Worker CountThe number of workers.
Job Backlog (High Priority)The number of high priority jobs awaiting completion.
Job Backlog (Medium Priority)The number of medium priority jobs awaiting completion.
Job Backlog (Low Priority)The number of low priority jobs awaiting completion.
Daily Queue All Queues (sec)The daily minimum, maximum, average, and deviation in seconds of time in queue (across all priorities).
Daily Queue High Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time in queue (across the high priorities).
Daily Queue Medium Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time in queue (across the medium priorities).
Daily Queue Low Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time in queue (across the low priorities).
Daily Queue Lowest Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time in queue (across the lowest priorities).
Daily Job Duration (sec)The daily minimum, maximum, average, and deviation in seconds of time to complete a job (all priorities).
Daily Job Duration High Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time to complete a job (high priorities).
Daily Job Duration Medium Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time to complete a job (medium priorities).
Daily Job Duration Low Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time to complete a job (low priorities).
Daily Job Duration Lowest Priority (sec)The daily minimum, maximum, average, and deviation in seconds of time to complete a job (lowest priorities).
Daily Job CountThe daily number of jobs completed.
System Clock DriftInsightCloudSec provides an alert if the system clock is out of sync with the master time server. If the system clock is more than 5 minutes out of sync, the cloud provider may generate an invalid credentials error even with valid credentials.
Job SchedulingIndicates the health of the Job Scheduler and, in particular, whether harvesting is working, including the date and time of last harvest. If harvesting is not working, or has not been done recently, an error status displays here.
Invalid CredentialsIndicates the number of clouds with invalid credentials; clicking on the count will open a detail view. Otherwise a green check mark will indicate that there are no invalid credentials.
Assume Role FailuresIndicates the number of clouds with assume role failures; clicking on the count will open a detail view. Otherwise a green check mark will indicate that there are no assume role failures.
Invalid PermissionsIndicates the number of clouds with invalid permissions; clicking on the count will open a detail view. Otherwise a green check mark will indicate that there are no invalid permissions.
IAM OU/SCP Harvesting IssueIndicates the number of clouds experiencing an organizational unit/service control policy harvesting issue. Otherwise a green check mark will indicate that there are no issues.

Worker Node Status

This Worker Node Status pane displays details for the worker nodes as follows (you must scroll within the pane to view the full details):

  • Host -- The unique host identifier.
  • Status -- The status for the individual worker node.
  • Plugin Status -- The plugin status (if applicable) for the individual worker node.
  • AWS Role -- The corresponding AWS Role for the worker node.

Slowest Jobs

The Slowest Jobs pane displays, in descending order, the longest recorded times (in seconds) to complete the most recent jobs and includes the following fields for each:

  • Most Recent -- Name of the most recent job.
  • Cloud Type -- Icon to specify the applicable cloud type, e.g., AWS, GCP, etc.
  • Longest recorded run (seconds) -- Length of the longest recorded run for the applicable job, in seconds.

These jobs typically reflect very large jobs/global harvesting for items like Storage Containers, WAF, IAM, etc.

Current User Sessions

The Current User Sessions displays a pane that provides the details of current user sessions. The view includes a Rows per page drop-down menu and pagination for browsing. The details of each session include:

  • User ID -- The User ID for the individual session.
  • Name -- The name associated with the user for the individual user session.
  • Expiry -- The date and time of expiration for the individual user session.
  • Actions -- Available actions for the individual user session (e.g., delete - designated by the trash icon).

Each of the columns above include a sort arrow that appears if you hover over the text, allowing you to sort the contents in ascending or descending order.

System Diagnostic Reports

SaaS-Users & Visibility

System Diagnostic content is only visible for InsightCloudSec self-hosted customers. For SaaS (hosted) customers, the InsightCloudSec production services team manages diagnostics and has access to extensive data in support of hosted installations.

If you have questions or issues with your deployment contact your CSM, or reach out to support through the Customer Support Portal.

Diagnostic Reports

Two types of diagnostic reports are available for immediate download:

  • Scheduler and Queue Health -- a .json file containing various health statistics and information regarding the internal job scheduler
  • Bots and Their Configuration -- a .json file containing all the Bots available in the current organization as well as their configuration information

To access one of the diagnostic reports:

  1. Select a report type from the drop-down menu.
  2. Click Download Report. The file will be prepared and downloaded.

Database Performance Reports

Database Performance Reports takes approximately 10-15 minutes to generate and will be sent via email.

  • The email notification is sent to the email address configured on profile of the user who clicked the button. If this information is invalid, you will not receive an email.
  • The email will contain a .zip file that features diagnostic and performance information files, which can be used by support when troubleshooting system problems.
  • The report will also be available for download via the System Administration interface for approximately 1 hour after it was completed.

Before Running Diagnostics

One worker will have reduced job processing capabilities during the diagnostic collection run.

To access the Database Performance Report:

  1. Click the Run Database Report button to start the dialog.
  2. It is strongly recommended you use the default values unless otherwise directed by support. Click Submit to launch the diagnostics run.
  3. After the diagnostics have completed (which can take several minutes), the report will be listed in the System Diagnostic Reports section of the System Administration interface.