Threat Findings User Guide

InsightCloudSec Threat Findings User Guide

Threat Findings Page

Threat Findings is available to all InsightCloudSec users from the main navigation under “Security → Threat Findings”. Threat Findings provides access to data visualizations (Trend and Analytics), filtering, saved filters, and a table/list display of Event Sources, Findings Types, and more.

Threat Findings Landing Page

Filtering & Searching

Threat Findings has filtering functionality to narrow the scope of the Event Source list. The "Add Filter" button lets you select one or more filters that are applied to the data displayed on the page, including the Trend and Analytics visualizations.

Add Filter

Filtering ("Add Filter") narrows the event source list using properties such as account badge, event source, and resource type. Click the "Add Filter" button to open the panel, then "Select a property" to get started. After choosing your filters, click "Apply" to update the page with the filtered results.

Filtering Behavior

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • Click “+ Add Filter” to add an additional filter and further narrow the scope.

Save Filters

After adding a filter you can save it so that it can easily be reused the next time you access the feature. Note: saved filters are feature-specific (since the available properties vary between features), i.e., a filter saved in Feature "A" is only available in Feature "A" and will not appear in Feature "B".

To save a filter:

1. Use the "Add Filter" option to create a filtered view of the page.

2. Expand the Filters section, and click the "Options" button (ellipsis).

Select "Save Filter"

3. Click "Save Filter" and provide a name and (optional) description.

4. If desired, select the checkboxes:

  • "Set as Default Filter" -- Designates this filter as your default when you return to the feature
  • "Make this a Public Filter" -- Makes this filter available to all users inside your InsightCloudSec organization

5. Click "OK". The filter is saved and can be edited from the "Saved Filters" page for this feature.

Search

Type into the search bar and the list of event sources filters automatically to match the text you enter; the Findings view and the Trend and Analytics displays update to reflect the same criteria.

Data Display

The main Threat Findings page displays a list of Threat Findings (with a total and percentage displayed at the top) with search and columns for: Event Source, Finding Type, Count, Severity, Cloud Account, Resource Name & ID, Resource Type, and Last Detected.

Threat Findings Feature Navigation

The view can be sorted ascending or descending on any of these columns.

Event Source

Identifies the source of the Threat Finding. In the current release, only third-party cloud service provider (CSP) sources are supported.

Finding Type

Identifies the Finding Type and links to expanded data.

Clicking on the link for an individual Finding Type opens a detail pane that contains additional detail for that finding, as well as a JSON display/download option.

Threat Findings - JSON Detail Example

Count

Provides a count of the findings for the event source.

Severity

Identifies the severity of the Threat Finding (e.g. High, Medium, Low). The severity is the value reported by the individual third-party source; InsightCloudSec does not re-rate it.

Resource Name & ID

Displays the Resource Name and ID. Clicking on an individual Resource ID opens the detailed resource view. This view contains the option to download the source data as well as a tabbed view (Properties, Public Access, Insight Findings, Threat Findings, etc.). Note: the tabs shown for a resource vary based on its type.

Resource Type

Displays the Resource Type, for example Instance or Serviceaccesskey.

Last Detected

Provides the time the Threat Finding was last seen. This timestamp depends on when the data was last harvested from the source, so it may lag the source's own detection time.

Threat Findings and Automation (Bots)

InsightCloudSec supports building automation around notifications for Threat Findings out-of-the-box through its Bot capability. Users can export findings to a SIEM (e.g. Splunk) or generate notifications for a specific scope of findings to a specific email address or Slack channel. Your Bot can be scoped with two resource types associated with Threat Findings.

For more details about Bot configuration refer to our documentation on BotFactory & Automation. In general Bots can be created in one of three ways. The JSON below is an example Threat Findings Bot template: it is scoped to the "threatfinding" resource type, filters on finding category and confidence, emails each matching finding and marks it non-compliant, and is triggered when a finding resource is created or modified:

{
"resource_id": "divvybot:1:1234",
"name": "Threat Findings Bot",
"description": "",
"notes": null,
"insight_id": null,
"source": null,
"insight_name": null,
"insight_severity": null,
"owner": "divvyuser:1234:",
"owner_name": "Rapid7",
"state": "RUNNING",
"date_created": "2022-12-14 11:00:15",
"date_modified": "2022-12-21 14:29:28",
"category": "Security",
"badge_scope_operator": null,
"instructions": {
 "resource_types": [
  "threatfinding"
 ],
 "filters": [
  {
   "name": "divvy.filter.threat_finding_by_trailblazer_by_category_and_confidence",
   "config": {
    "confidence": [
     "low",
     "medium",
     "high"
    ],
    "category": [
     "incident",
     "anomaly"
    ]
   }
  }
 ],
 "actions": [
  {
   "name": "divvy.action.send_bulk_email",
   "config": {
    "message_subject": "Found a threat!",
    "preamble": "start",
    "message_body": "{{resource.serialize(indent=2)}}",
    "conclusion": "end",
    "recipient_list": [
     "[email protected]"
    ],
    "recipient_tag_keys": [],
    "walk_resource_group": false,
    "recipient_badge_keys": [],
    "separator": "",
    "send_via_bcc": false,
    "html_message": false,
    "skip_duplicates": true,
    "send_empty_email": false,
    "replacement_strings": []
   },
   "run_when_result_is": true
  },
  {
   "name": "divvy.action.mark_non_compliant",
   "config": {},
   "run_when_result_is": true
  }
 ],
 "groups": [
  "divvyorganizationservice:1",
  "divvyorganizationservice:2"
 ],
 "badges": [],
 "exclusion_badges": null,
 "hookpoints": [
  "divvycloud.resource.created",
  "divvycloud.resource.modified"
 ],
 "schedule": null,
 "schedule_description": null
},
"valid": true,
"errors": [],
"severity": "low",
"detailed_logging": false,
"scope": [
 "divvyorganizationservice:1",
 "divvyorganizationservice:2"
]
}

Creating a Threat Findings Bot from a Template

To use the template example above:

1. From your InsightCloudSec platform installation, navigate to "Automation --> BotFactory".

2. On the BotFactory landing page, navigate to "Templates".

Importing a Bot template

3. From the "Templates" tab under BotFactory select the "Import Template" option and paste the example featured above into the JSON window.

Import JSON template

4. Click "Submit" to verify and store the template for future use. Review Creating Bots for more information on next steps.
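Before pasting a template into the import window it is worth checking it locally, because a Bot with the wrong resource type, no actions, no trigger, or an empty scope will import cleanly and then silently never fire. The script below is an added example for this guide, not InsightCloudSec code, and it never contacts the platform. It parses a template of the shape shown above, reports the problems that would make a Threat Findings Bot useless, and then does a dry run of the category/confidence filter against a few constructed findings. Its assumptions: the filter passes a finding only when both its category and its confidence appear in the configured lists (a local re-implementation of the filter, not the product's own logic); findings are modelled as plain dicts with "id", "category" and "confidence" keys; and the accepted value sets are the ones used in the guide's template rather than a documented enumeration.

```python
"""Pre-flight check and dry run for a Threat Findings Bot template.

Added example for the guide; not InsightCloudSec code. Assumptions:
  * the category/confidence filter passes a finding only when both values are
    in the configured lists (local re-implementation, not the product's);
  * findings are plain dicts with "id", "category", "confidence" (constructed);
  * KNOWN_* sets mirror the guide's template, not a documented enumeration.
"""
import json

FILTER_NAME = "divvy.filter.threat_finding_by_trailblazer_by_category_and_confidence"
KNOWN_CONFIDENCE = {"low", "medium", "high"}
KNOWN_CATEGORY = {"incident", "anomaly"}

# Trimmed copy of the guide's template: only the fields the checks use. The
# filter lists are narrowed (no "low", no "anomaly") so the dry run rejects some.
TEMPLATE = {
    "name": "Threat Findings Bot",
    "instructions": {
        "resource_types": ["threatfinding"],
        "filters": [{
            "name": FILTER_NAME,
            "config": {"confidence": ["medium", "high"], "category": ["incident"]},
        }],
        "actions": [{"name": "divvy.action.send_bulk_email", "config": {},
                     "run_when_result_is": True}],
        "groups": ["divvyorganizationservice:1"],
        "hookpoints": ["divvycloud.resource.created", "divvycloud.resource.modified"],
        "schedule": None,
    },
    "scope": ["divvyorganizationservice:1"],
}

# Constructed findings; only the fields the filter inspects are modelled.
SAMPLE_FINDINGS = [
    {"id": "f1", "category": "incident", "confidence": "high"},
    {"id": "f2", "category": "anomaly", "confidence": "high"},   # category not selected
    {"id": "f3", "category": "incident", "confidence": "medium"},
    {"id": "f4", "category": "incident", "confidence": "low"},   # confidence not selected
    {"id": "f5", "category": "incident"},                        # no confidence at all
]


def validate_template(template):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    instr = template.get("instructions")
    if not isinstance(instr, dict):
        return ['missing or malformed "instructions" object']
    if "threatfinding" not in instr.get("resource_types", []):
        problems.append('resource_types must include "threatfinding"')
    if not instr.get("actions"):
        problems.append("no actions configured; the Bot would match findings and do nothing")
    if not instr.get("hookpoints") and not instr.get("schedule"):
        problems.append("no hookpoints and no schedule; the Bot would never be triggered")
    if not template.get("scope"):
        problems.append("empty scope; the Bot would not apply to any cloud account")
    for flt in instr.get("filters", []):
        if flt.get("name") != FILTER_NAME:
            continue
        cfg = flt.get("config", {})
        for key, known in (("confidence", KNOWN_CONFIDENCE), ("category", KNOWN_CATEGORY)):
            values = cfg.get(key, [])
            if not values:
                problems.append(f"filter {key} list is empty; nothing would match")
            unknown = sorted(set(values) - known)
            if unknown:
                problems.append(f"unrecognised {key} value(s): {unknown}")
    return problems


def check_template_text(text):
    """Parse the JSON exactly as it would be pasted into the import window, then validate."""
    try:
        template = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    return validate_template(template)


def matches_filter(template, finding):
    """Assumed semantics of the category/confidence filter (local re-implementation)."""
    for flt in template["instructions"].get("filters", []):
        if flt.get("name") != FILTER_NAME:
            continue
        cfg = flt.get("config", {})
        if finding.get("category") not in cfg.get("category", []):
            return False
        if finding.get("confidence") not in cfg.get("confidence", []):
            return False
    return True


def dry_run(template, findings):
    """Return the ids of the findings the Bot's filters would hand to its actions."""
    return [f["id"] for f in findings if matches_filter(template, f)]


if __name__ == "__main__":
    print("problems:", validate_template(TEMPLATE) or "none")
    print("would act on:", dry_run(TEMPLATE, SAMPLE_FINDINGS))
```

Run it against the full template from the guide by passing the pasted text to check_template_text; the dry run is where you tune the confidence and category lists before the Bot starts emailing, since a list that is too wide turns every low-confidence anomaly into a message and one that is too narrow (or misspelled) matches nothing.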