Threat Findings
Feature Summary
InsightCloudSec Threat Findings is a multi-cloud capability that curates runtime threat detections from customer resources. Threat Findings provides a single view that collects all runtime threat detection findings from various sources. The unified view provides various filtering options, while offering security context by associating the findings with the relevant cloud resource(s) and resource properties. This uniform solution allows users to explore findings using filters and Bot automation.
Feature Terminology
| Term | Description |
|---|---|
| Threat Finding | A data item that refers to the detection of possible malicious behavior. The finding may refer to a specific event occurring at a specific point in time or to a behavior that spans a period of time. Note: Data for reporting in Threat Findings is retained for 90 days. |
| Affected Resource | The cloud resource that is affected by the malicious behavior. The resource may be the one that exhibits the malicious behavior or the one that is the target of the behavior. |
| Finding Source | The tool or mechanism generating the findings. |
Feature Support
Threat Findings is available to all InsightCloudSec users from the main navigation under “Security → Threat Findings”.

Threat Findings Landing Page
For its initial release, Threat Findings displays information from the following third-party sources:
- AWS Guard Duty
- Azure Defender for Cloud
- GCP Security Command Center
Future iterations will expand the data we support and display.
Prerequisites & Deployment
Threat Findings relies on the data that InsightCloudSec harvests from each Cloud Service Provider you have configured. Before getting started with Threat Findings, you will need to ensure you have the following:
- An existing InsightCloudSec installation (version 22.4.8 or later)
- Appropriate permissions for your desired Cloud Service Providers. In order to harvest the resource information specific to Threat Findings you will need the permissions listed below for the Resource Type(s) involved (e.g. Threat Finding). Note: These may already be enabled/configured within your environment as part of your existing platform installation. For general information on policies/roles/permissions for each CSP refer to:
Refer to the details below to validate the individual permissions for each Cloud Service Provider (CSP).
AWS Resource Type & Required Permissions
ResourceType.THREAT_FINDING:
"guardduty:GetFindings",
"guardduty:ListDetectors",
"guardduty:ListFindings",
Azure Resource Type & Required Permissions
ResourceType.THREAT_FINDING:
"Microsoft.Security/alerts/read"
GCP Resource Type & Required Permissions
ResourceType.THREAT_FINDING:
"securitycenter.sources.list",
"securitycenter.findings.list"
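The AWS permissions above are the complete set the harvester needs for GuardDuty, so the role you attach can be checked against exactly that list. The following is an added example, not InsightCloudSec code: it reads an IAM policy document in the standard JSON shape, applies IAM's case-insensitive action matching with `*` and `?` wildcards and Deny-overrides-Allow, and reports the required actions that are not granted, the grants that rely on wildcards, and the grants unrelated to Threat Findings. The three sample policies are constructed for the example; `NotAction`, `Resource` and `Condition` are not evaluated, and the Azure and GCP permissions are listed in a different format and are not covered here.

```python
"""Least-privilege check for the GuardDuty actions the Threat Findings
harvester needs on AWS.

Added example (not InsightCloudSec code). Policy documents below are constructed
samples. Matching follows IAM semantics for action names: case-insensitive,
'*' and '?' wildcards, explicit Deny overrides Allow. NotAction, Resource and
Condition elements are not evaluated here.
"""
import fnmatch
import json

# The actions the documentation lists for ResourceType.THREAT_FINDING on AWS.
REQUIRED_AWS_ACTIONS = frozenset({
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
})


def _action_patterns(policy: dict, effect: str) -> list[str]:
    """Collect the Action patterns of every statement with the given Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns: list[str] = []
    for stmt in statements:
        if stmt.get("Effect") != effect:
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def _matches(action: str, pattern: str) -> bool:
    """IAM-style action match: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_aws_policy(policy: dict, required=REQUIRED_AWS_ACTIONS) -> dict:
    """Compare an IAM policy document against the required action set."""
    allows = _action_patterns(policy, "Allow")
    denies = _action_patterns(policy, "Deny")

    def granted(action: str) -> bool:
        return (any(_matches(action, p) for p in allows)
                and not any(_matches(action, p) for p in denies))

    missing = sorted(a for a in required if not granted(a))
    wildcards = sorted(p for p in allows if "*" in p or "?" in p)
    unrelated = sorted(p for p in allows
                       if not any(_matches(a, p) for a in required))
    return {"missing": missing, "wildcards": wildcards, "unrelated": unrelated}


# Constructed sample policies (not from the documentation).
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["guardduty:GetFindings", "guardduty:ListDetectors", "guardduty:ListFindings"],
    "Resource": "*"
  }]
}""")

# Grants everything in the service: harvesting works, but the role is broader than needed.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"}]
}""")

# Wildcard Allow, but an explicit Deny removes GetFindings, and ec2:* is unrelated.
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["guardduty:*", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "guardduty:GetFindings", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for name, doc in [("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("overbroad", OVERBROAD_POLICY),
                      ("incomplete", INCOMPLETE_POLICY)]:
        print(name, check_aws_policy(doc))
```

An empty `missing` list means the harvester can read GuardDuty findings; a non-empty `wildcards` or `unrelated` list is worth trimming before the role is used for harvesting.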
Using Threat Findings
The main Threat Findings page displays a list of Threat Findings (with a total and percentage displayed at the top), and the top navigation bar includes search and filtering tools.

Threat Findings Feature Navigation
General Navigation
The page displays a list of Threat Findings (with a total and percentage displayed at the top), and the top navigation bar includes search and filtering tools.
Search
Allows you to search the Threat Findings data for the following fields: Finding Source, Finding Type, Severity, Affected Resource Type, Affected Resource ID. Additional fields will be included in search in future versions.
Filtering
The filtering capability included with Threat Findings allows you to select additive filters for various finding attributes (Finding Type, Finding Name, Finding Badge, Cloud Type, etc.) and dynamically presents the properties applicable to the selected attribute.
Users can apply additional conditions to the selected filters and add further filters to refine the data that is displayed.

Threat Findings - Filter View
“Apply” becomes active once the selected filters are populated. To exit the Filters window without applying any filters, press “Esc” on your keyboard.
Pagination/Items per Page
At the bottom of the main Threat Findings display you can adjust the number of items shown on a single page and page through the full list of Threat Finding results.
Main Data Display

Threat Findings Landing Page
Viewing Threat Findings Data
The main Threat Findings view includes the columns Event Source, Finding Type, Count, Severity, Cloud Account, Resource Name & ID, Resource Type, and Last Seen. The view can be sorted ascending/descending on any of these columns.
Event Source
Identifies the source of the Threat Finding. For this current release only third-party CSP sources are supported.
Finding Type
Identifies the Finding Type and links to expanded data.

Threat Findings - Finding Type
Clicking on the link for an individual Finding Type opens a detail pane that contains additional detail for that finding, as well as a JSON display/download option.

Threat Findings - JSON Detail Example
Count
Provides a count of the findings for the event source.
Severity
Identifies the severity of the Threat Finding (e.g. High, Medium, Low). Severities are taken from the severity information reported by the individual third-party source.
Resource Name & ID
Displays the Resource Name and ID. Clicking on an individual Resource ID opens the detailed resource view. This view contains the option to download the source data as well as a tabbed view (Properties, Public Access, Insight Findings, Threat Findings, etc.). Note: the tabs shown for each resource vary based on its type.

Resource Detail Example
Resource Type
Displays the Resource Type, for example Instance or Serviceaccesskey.
Last Seen
Provides the time the Threat Finding was last seen. This will vary based on when the data was last harvested.
Threat Findings and Automation (Bots)
InsightCloudSec's Bot capability works out-of-the-box with Threat Findings, so you can build notification automation around them. Users can export findings to a SIEM (e.g. Splunk) or generate notifications for a specific scope of findings to a specific email address or Slack channel.
Your Bot can be scoped with either of the two resource types associated with Threat Findings:
- The Threat Finding resource
- The Resource(s) (e.g., EC2 instances) on which a Threat Finding has been identified
For more details about Bot configuration refer to our documentation on BotFactory & Automation. In general, Bots can be created in one of three ways:
- From the BotFactory landing page via the “Create Bot” button
- From an Insight
- Through a template, as outlined below (InsightCloudSec does not have out-of-the-box Bot templates, but this section includes two examples below.)
1. To use the templates below from your InsightCloudSec platform installation navigate to "Automation --> BotFactory".
2. To import one of the templates on the BotFactory landing page, navigate to "Templates".

Importing a Bot template
3. From the "Templates" tab under BotFactory select the "Import Template" option and paste one of the two examples featured above into the JSON window.

Import JSON template
4. Click "Submit" to complete the creation of your new Bot.