Cloud Anomaly Detection

Feature Not Yet Released

This page is intended for customers with early access to the Cloud Anomaly Detection feature, which is not generally available (GA) yet. We request that you do not share this URL/page outside of the Rapid7 organization or with customers that do not have early access.

This documentation resource is a work-in-progress; if you have questions, issues, or suggestions about the content provided here, we are happy to receive feedback.

For questions or issues, reach out to your CSM or to support through the Customer Support Portal.

InsightCloudSec Analysis & Detection of Cloud API Activity/Audit Logs, or Cloud Anomaly Detection (a.k.a. Audit Log Monitoring), automatically analyzes Cloud API audit logs and detects anomalous behavior of principals, roles, resources, and clusters. The service automatically detects security-related events, in particular anomalous behavior that can only be identified by tracking and monitoring entities over time and with extended context.

When InsightCloudSec detects API activity in a monitored environment that deviates from historical or expected behavior, it generates an anomaly. A collection of cross-correlated anomalies may indicate a higher probability of attacker behavior and, as a result, generates an incident. An incident contains the details of the discovery of a potential security issue. The finding details in the incident include what happened, which resources were involved in the activity, when the activity took place, and which abnormal activity (anomalies) triggered the incident, along with other information. Not all anomalies are mapped to incidents. InsightCloudSec lets you explore both anomalies and incidents via the Threat Findings feature, or export the same data to a third-party system such as a Security Information & Event Management (SIEM) platform.
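As an added illustration (not Rapid7's implementation, whose detection logic this page does not describe), the following Python models the flow above on constructed audit events: a per-principal baseline, anomalies for deviations from it, and cross-correlation of one principal's anomalies into an incident carrying the fields listed (what, which resources, when, which anomalies). The event shape, the 300-second window and the two-anomaly threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample audit events (CloudTrail-like shape, not real data); "ts" is epoch seconds.
BASELINE = [
    {"ts": 1000, "principal": "ci-deploy", "action": "s3:PutObject", "region": "us-east-1", "resource": "bucket/app-artifacts"},
    {"ts": 1060, "principal": "ci-deploy", "action": "s3:PutObject", "region": "us-east-1", "resource": "bucket/app-artifacts"},
    {"ts": 1120, "principal": "ci-deploy", "action": "ecs:UpdateService", "region": "us-east-1", "resource": "service/web"},
    {"ts": 1180, "principal": "alice", "action": "ec2:DescribeInstances", "region": "us-east-1", "resource": "*"},
]
RECENT = [
    {"ts": 5000, "principal": "ci-deploy", "action": "s3:PutObject", "region": "us-east-1", "resource": "bucket/app-artifacts"},
    {"ts": 5010, "principal": "ci-deploy", "action": "iam:CreateAccessKey", "region": "us-east-1", "resource": "user/ci-deploy"},
    {"ts": 5040, "principal": "ci-deploy", "action": "s3:GetObject", "region": "eu-west-1", "resource": "bucket/customer-exports"},
    {"ts": 9000, "principal": "alice", "action": "ec2:DescribeInstances", "region": "eu-west-1", "resource": "*"},
]

def build_profile(events):
    """Per-principal set of (action, region) pairs seen in the baseline period."""
    profile = defaultdict(set)
    for e in events:
        profile[e["principal"]].add((e["action"], e["region"]))
    return profile

def detect_anomalies(profile, events):
    """Flag events whose (action, region) was never seen for that principal (assumed deviation rule)."""
    return [e for e in events if (e["action"], e["region"]) not in profile.get(e["principal"], set())]

def correlate(anomalies, window=300, min_count=2):
    """Cluster one principal's anomalies within `window` seconds; clusters of >= min_count become incidents."""
    by_principal = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a["ts"]):
        by_principal[a["principal"]].append(a)
    incidents = []
    for principal, items in by_principal.items():
        clusters, cur = [], [items[0]]
        for a in items[1:]:
            if a["ts"] - cur[-1]["ts"] > window:
                clusters.append(cur)
                cur = [a]
            else:
                cur.append(a)
        clusters.append(cur)
        for c in clusters:
            if len(c) >= min_count:  # isolated anomalies stay unmapped to any incident
                incidents.append({"principal": principal, "what": [a["action"] for a in c],
                                  "resources": sorted({a["resource"] for a in c}),
                                  "first_seen": c[0]["ts"], "last_seen": c[-1]["ts"], "anomalies": c})
    return incidents
```

Running `correlate(detect_anomalies(build_profile(BASELINE), RECENT))` yields one incident for `ci-deploy` (a new access key followed by a read from an unfamiliar region), while alice's single region change stays an anomaly without an incident.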