Threat Findings User Guide
InsightCloudSec Threat Findings User Guide
Threat Findings is available to all InsightCloudSec users from the main navigation under “Security → Threat Findings”. Threat Findings provides access to data visualizations (Trend and Analytics), filtering, saved filters, and a table/list display of Event Sources, Findings Types, and more.
Filtering & Searching
Threat Findings has filtering functionality to narrow the scope of the Event Source list. The "Add Filter" button allows you to select a filter/filters that will be applied to the data displayed on the page, including the Trend and Analytics visualizations.
Add Filter
Filtering ("Add Filter") allows for narrowing event source list using properties like: account badge, event source, and resource type. Click the “Add Filters” button to open the panel, and “Select a property” to get started. After choosing your desired filters, select “Apply” to update the page to display the results of your specified filters.
Filtering Behavior
- Each selected Filter updates dynamically with options appropriate for the property selected.
- Click “+ Add Filter” to add an additional filter and further narrow the scope.
Save Filters
After Adding a Filter you can save it so that can easily be reused the next time you access the feature. Note: Saved filters are feature-specific (since options vary between features), i.e., a Feature "A" saved filter will only be available in Feature "A" and will not be available in Feature "B".
To save a filter:
1. Use the "Add Filter" option to create a filtered view of the page.
2. Expand the Filters section, and click the "Options" button (ellipsis).
Select "Save Filter"
3. Click "Save Filter" and provide a name and (optional) description.
4. If desired, select the checkboxes:
- "Set as Default Filter" -- Designates this filter as your default when you return to the feature
- "Make this a Public Filter" -- Makes this filter available to all users inside your InsightCloudSec organization
5. Click "OK". The filter is saved and can be edited from the "Saved Filters" page for this feature.
Search
Type into the search bar and the list of event sources will automatically filter to match the criteria. Updating the view of Findings and the Trend and Analytics data display.
Trend and Analytics
The Trend and Analytics chart displays the count of threats found per day/hour within a given timeframe, with the option to organize the graph by threat severity.
- Click a View name to toggle between the Default view (raw counts by day) or the Severities Trend view (raw counts by day organized by severity)
- If using the Severities Trend view, you can click the severity types along the X axis to filter a particular severity out of the graph
- Click and drag across the graph to zoom-in the view; the lowest granularity for the graph is hours. If your selected timeframe is less than 72 hours, the X axis will switch from days to hours.
- If you zoom-in the view, the data display will filter accordingly
- Use the buttons at the bottom of the view to jump to popular timeframs, e.g., Show All, Last Hour, Last 72 Hours, Last 7 Days
- Whenever you're finished and would like to return to the default timeframe, click <- Back.
Data Display
The main Thread Findings page displays a list of Threat Findings (with a total and percentage displayed at the top) with search, and columns for: Event Source, Finding Type, Count, Severity, Cloud Account, Resource Name & ID, Resource Type, and Last Detected.
The main Threat Findings view includes the columns Event Source, Finding Type, Count, Severity, Cloud Account, Resource Name & ID, Resource Type, and Last Seen. The view can be sorted ascending/descending on any of these columns.
Event Source
Identifies the source of the Threat Finding. For this current release only third-party CSP sources are supported.
Finding Type
Identifies the Finding Type and links to expanded data.
Clicking on the link for an individual Finding Type opens a detail pane that contains additional detail for that finding, as well as a JSON display/download option.
Threat Findings - JSON Detail Example
Count
Provides a count of the findings for the event source.
Severity
Identifies the severity of the Threat Finding (e.g. High, Medium, Low). Severities are determined by data reported through the individual 3rd-party severity information.
Resource Name & ID
Displays the Resource Name and ID. Clicking on the individual Resource ID opens the detailed resource view. This view contains the option to download the source data as well as a tabbed view (Properties, Public Access, Insight Findings, Thread Findings, etc.) Note: tabs for each resource vary based on type.
Resource Type
Displays the Resource Type, for example Instance or Serviceaccesskey.
Last Detected
Provides the time the Threat Finding was last seen. This will vary based on when the data was last harvested.
Threat Findings and Automation (Bots)
InsightCloudSec supports the ability to build automation around notifications through our Bot capability out-of-the-box with Threat Findings. Users can export findings to SIEM (e.g. Splunk) or generate notifications for a specific scope of findings to an specific email or Slack channel. Your Bot can be scoped with two resource types associated with Threat Findings:
- The Threat Findings resource and the Resource(s) (e.g., EC2 instances) on which a Threat Finding as been identified.
For more details about Bot configuration refer to our documentation on BotFactory & Automation. In general Bots can be created in one of three ways:
- From the BotFactory landing page via the “Create Bot” button
- From an Insight
- Through a template as outlined below (InsightCloudSec does not have out-of-the-box Bot templates but this section includes one example below.)
{
"resource_id": "divvybot:1:1234",
"name": "Threat Findings Bot",
"description": "",
"notes": null,
"insight_id": null,
"source": null,
"insight_name": null,
"insight_severity": null,
"owner": "divvyuser:1234:",
"owner_name": "Rapid7",
"state": "RUNNING",
"date_created": "2022-12-14 11:00:15",
"date_modified": "2022-12-21 14:29:28",
"category": "Security",
"badge_scope_operator": null,
"instructions": {
"resource_types": [
"threatfinding"
],
"filters": [
{
"name": "divvy.filter.threat_finding_by_trailblazer_by_category_and_confidence",
"config": {
"confidence": [
"low",
"medium",
"high"
],
"category": [
"incident",
"anomaly"
]
}
}
],
"actions": [
{
"name": "divvy.action.send_bulk_email",
"config": {
"message_subject": "Found a threat!",
"preamble": "start",
"message_body": "{{resource.serialize(indent=2)}}",
"conclusion": "end",
"recipient_list": [
"[email protected]"
],
"recipient_tag_keys": [],
"walk_resource_group": false,
"recipient_badge_keys": [],
"separator": "",
"send_via_bcc": false,
"html_message": false,
"skip_duplicates": true,
"send_empty_email": false,
"replacement_strings": []
},
"run_when_result_is": true
},
{
"name": "divvy.action.mark_non_compliant",
"config": {},
"run_when_result_is": true
}
],
"groups": [
"divvyorganizationservice:1",
"divvyorganizationservice:2"
],
"badges": [],
"exclusion_badges": null,
"hookpoints": [
"divvycloud.resource.created",
"divvycloud.resource.modified"
],
"schedule": null,
"schedule_description": null
},
"valid": true,
"errors": [],
"severity": "low",
"detailed_logging": false,
"scope": [
"divvyorganizationservice:1",
"divvyorganizationservice:2"
]
}
Creating a Threat Findings Bot from a Template
To use the template example above
1. From your InsightCloudSec platform installation, navigate to "Automation --> BotFactory".
2. On the BotFactory landing page, navigate to "Templates".
Importing a Bot template
3. From the "Templates" tab under BotFactory select the "Import Template" option and paste the example featured above into the JSON window.
Import JSON template
4. Click "Submit" to verify and store the template for future use. Review Creating Bots for more information on next steps.
Updated 5 months ago