Threat Findings

InsightCloudSec Feature Summary for Threat Findings

Feature Summary

InsightCloudSec Threat Findings is a multi-cloud capability that curates runtime threat detections from customer resources. Threat Findings provides a single view that collects all runtime threat detection findings from various sources. The unified view provides various filtering options, while offering security context by associating the findings with the relevant cloud resource(s) and resource properties. This uniform solution allows users to explore findings using filters and Bot automation.

Feature Terminology

Threat Finding
  A data item that refers to the detection of possible malicious behavior. The finding may refer to a specific event occurring at a specific point in time, or to a behavior that spans a period of time.

  Note: Data for reporting in Threat Findings is retained for 90 days.

Affected Resource
  The cloud resource affected by the malicious behavior. This may be the resource that exhibits the malicious behavior or the resource that is its target.

Finding Source
  The tool or mechanism generating the findings.

Feature Support

Threat Findings is available to all InsightCloudSec users from the main navigation under “Security → Threat Findings”.

Threat Findings Landing Page

For its initial release, Threat Findings displays information from the following third-party sources:

  • AWS GuardDuty
  • Azure Defender for Cloud
  • GCP Security Command Center

Future iterations will expand the data we support and display.

Prerequisites & Deployment

Threat Findings relies on the data that InsightCloudSec harvests from each Cloud Service Provider you have configured. Before getting started with Threat Findings, ensure you have the following:

  • An existing InsightCloudSec installation (version 22.4.8 or later)
  • Appropriate permissions for each Cloud Service Provider you intend to use. To harvest the resource information specific to Threat Findings, you need the permissions listed below for the Resource Type ResourceType.THREAT_FINDING. Note: These may already be enabled/configured within your environment as part of your existing platform installation. For general information on policies/roles/permissions for each CSP refer to:

Refer to the details below to validate the individual permissions for each Cloud Service Provider (CSP).

AWS Resource Type & Required Permissions

ResourceType.THREAT_FINDING:
  "guardduty:GetFindings",
  "guardduty:ListDetectors",
  "guardduty:ListFindings"

Azure Resource Type & Required Permissions

ResourceType.THREAT_FINDING: 
  "Microsoft.Security/alerts/read"

GCP Resource Type & Required Permissions

ResourceType.THREAT_FINDING:
  "securitycenter.sources.list",
  "securitycenter.findings.list"
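The permission lists above are the harvest requirements for ResourceType.THREAT_FINDING; the section also asks you to validate that each CSP identity actually holds them. The following script is an added example (not InsightCloudSec code) that checks a policy or role document offline against those lists, so a least-privilege policy can be verified before it is attached. Only the permission names in REQUIRED come from this page; the AWS policy, Azure role definition and GCP custom role documents are constructed samples, and the function names (check_aws, check_azure, check_gcp) are assumptions of the example. It goes beyond the page in handling the wildcard and Deny semantics that make such checks easy to get wrong.

```python
"""Verify that an identity's granted actions cover the permissions listed for
ResourceType.THREAT_FINDING.

Added illustrative example, not InsightCloudSec code. Only the permission
names in REQUIRED come from the documentation; the policy and role documents
at the bottom are constructed samples.
"""
import fnmatch

# Permissions as listed on the page, per Cloud Service Provider.
REQUIRED = {
    "aws": {"guardduty:GetFindings", "guardduty:ListDetectors", "guardduty:ListFindings"},
    "azure": {"Microsoft.Security/alerts/read"},
    "gcp": {"securitycenter.sources.list", "securitycenter.findings.list"},
}


def _as_list(value):
    """IAM documents allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """True if any pattern matches the action. IAM and Azure action strings use
    '*' and '?' as wildcards and are matched case-insensitively."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def _missing(required, allowed, denied=()):
    """Required actions that no allow pattern grants, or that a deny pattern revokes."""
    return sorted(a for a in required if not _matches(a, allowed) or _matches(a, denied))


def check_aws(policy):
    """Missing GuardDuty actions for an IAM policy document (dict).
    Condition blocks are ignored, so a conditionally allowed action counts as
    granted; NotAction statements are skipped rather than evaluated."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt["Action"]))
    return _missing(REQUIRED["aws"], allowed, denied)


def check_azure(role_definition):
    """Missing control-plane actions for an Azure role definition (dict)."""
    allowed, denied = [], []
    for perm in role_definition.get("permissions", []):
        allowed.extend(perm.get("actions", []))
        denied.extend(perm.get("notActions", []))
    return _missing(REQUIRED["azure"], allowed, denied)


def check_gcp(role):
    """Missing permissions for a GCP custom role (dict). GCP role permissions are
    exact names with no wildcards, so this is a plain set difference."""
    return sorted(REQUIRED["gcp"] - set(role.get("includedPermissions", [])))


# Constructed sample documents (not from the page).
AWS_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["guardduty:List*", "guardduty:GetFindings"], "Resource": "*"}]}
AWS_DENIED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "guardduty:GetFindings", "Resource": "*"}]}
AZURE_OK = {"permissions": [{"actions": ["Microsoft.Security/*/read"], "notActions": []}]}
GCP_SHORT = {"includedPermissions": ["securitycenter.sources.list"]}

if __name__ == "__main__":
    print("aws ok     :", check_aws(AWS_OK))       # []
    print("aws denied :", check_aws(AWS_DENIED))   # ['guardduty:GetFindings']
    print("azure ok   :", check_azure(AZURE_OK))   # []
    print("gcp short  :", check_gcp(GCP_SHORT))    # ['securitycenter.findings.list']
```

The AWS_DENIED sample shows why a checker must look at Deny statements and not just at what an Allow wildcard covers: "guardduty:*" appears to grant everything, yet the explicit Deny removes GetFindings and harvesting would fail. Run the relevant check against the policy JSON you export for the InsightCloudSec identity in each CSP; an empty list means the listed permissions are present.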