Explore Detection Findings
Detection Findings provides a unified view of security detections across your cloud and Kubernetes environments for improved investigation and response. It consolidates findings from the following:
- AWS
  - GuardDuty
  - Macie
- Azure Defender for Cloud
- GCP Security Command Center
- Container Runtime Security (when enabled)
Navigate to Security > Detection Findings to get started.
New interface
Detection Findings replaces the previous Threat Findings experience with:
- Enhanced visualizations
- Improved table design and organization
- Container runtime detection and MITRE ATT&CK framework mapping support
- Expanded investigation and remediation capabilities
Detection Findings is now the default experience for all users, but you can return to the previous Threat Findings experience at any time using the Threat Findings button. The underlying findings data remains unchanged.
Before you begin
Before you can use the Detection Findings page, you need to:
- Connect at least one cloud account with a security service configured (requires additional harvesting permissions):
  - AWS GuardDuty or Macie
  - Azure Defender for Cloud
  - GCP Security Command Center
Optionally, if you want to track container runtime detections, you need to enable Container Runtime Security.
Additional harvesting permissions
To securely harvest threat information from AWS, Azure, or GCP, Cloud Security (InsightCloudSec) requires the following permissions:
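As an added example (not code from the Rapid7 page or product), the AWS actions listed under AWS permissions below can be turned into a least-privilege IAM policy document, and an existing policy can be checked for whether it already grants them, including the common case where it uses wildcard actions or carries an explicit Deny. The statement Sid and the sample existing policy are constructed for this example; the five action names are the ones on this page.

```python
"""Added example: build a least-privilege IAM policy for the GuardDuty/Macie
read-only actions listed on this page, and check whether an existing policy
document already grants them (IAM action patterns may use '*' wildcards)."""
import fnmatch
import json

# The five actions exactly as listed under "AWS permissions" on this page.
REQUIRED_AWS_ACTIONS = (
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "macie2:GetFindings",
    "macie2:ListFindings",
)


def build_harvest_policy(actions=REQUIRED_AWS_ACTIONS):
    """Return an IAM policy document allowing only the given actions.

    Resource is "*" here; narrow it if your account standards require it.
    The Sid is a made-up label for this example."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CloudSecurityThreatHarvest",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    """IAM allows Statement/Action to be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_AWS_ACTIONS):
    """Return the required actions the policy does not effectively allow.

    An action counts as granted only if some Allow statement matches it and
    no Deny statement matches it (an explicit Deny wins in IAM). NotAction,
    Condition and Resource scoping are ignored in this simplified check."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        patterns = _as_list(stmt.get("Action"))
        bucket = allowed if effect == "Allow" else denied
        for action in required:
            if any(_action_matches(p, action) for p in patterns):
                bucket.add(action)
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample: an existing policy that looks close but is incomplete
# (macie2:List* does not cover macie2:GetFindings).
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["guardduty:*", "macie2:List*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_harvest_policy(), indent=2))
    print("missing from EXISTING_POLICY:", missing_actions(EXISTING_POLICY))
```

Run the script to print the policy document to attach to the harvesting role, or call `missing_actions()` on a policy document pulled from your account to see which of the required actions a broader or partially denied policy still lacks.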
AWS permissions
```
"guardduty:GetFindings",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"macie2:GetFindings",
"macie2:ListFindings"
```
Azure permissions
```
"Microsoft.Security/alerts/read"
```
GCP permissions
```
"securitycenter.sources.list",
"securitycenter.findings.list"
```
Explore Detection Findings
Detection Findings is divided into three sections:
- Filters, which can filter your entire experience by account, region, severity, and more
- Summary graphs
- Detection Findings Table
Saved filters are scoped to the interface where you create them
For example, filters saved in Threat Findings do not appear in Detection Findings. You must create separate saved filters for each feature.
Summary graphs
The Detection Findings page includes two graphs:
Detection Findings by Severity
A visual breakdown of findings grouped by severity level (for example, Critical, High, Medium, Low).
This chart helps you:
- Identify high-priority detections
- Track severity distribution at a glance
- Prioritize investigation efforts
Event Source Distribution
A visual summary of findings by detection source, including:
- Cloud provider services
- Container runtime detections
This helps you understand where detections originate and assess coverage across environments.
Detection Findings table
The Detection Findings table includes all supported cloud findings as well as detailed container runtime detections. The table supports sorting by column, free-text search, and adjusting table density. Rapid7 retains findings for 30 days by default, but you can select a retention period between 7 and 90 days in the System Settings. However, if a cloud service provider (CSP) deletes a finding, Rapid7 removes the finding with the next harvest.
Fix missing runtime findings in Cloud Security
If runtime findings for a cluster do not appear in Cloud Security, the cluster is not fully configured for runtime security. No data is lost. You can still access runtime findings in Container Runtime Security. To restore visibility in Cloud Security, locate the clusters in Container Runtime Security and complete onboarding:
- Connect the associated cloud account for remote clusters
- Enable Kubernetes security guardrails for local clusters
Runtime findings will appear in Cloud Security after both features are enabled.
Click a Finding Type name to open the finding details page. Your experience will differ depending on the finding source:
Container runtime detections
Container runtime detections include an expanded investigation interface.
| Tab name | Contents |
|---|---|
| Overview | Displays: |
| Events | Displays a timeline of related events in chronological order. Each event includes: |
| AI Analysis | Provides an automatically generated summary based on detection context. The AI-generated analysis may include: |
| Response Guidance | Provides structured remediation guidance: |
| JSON | Displays the full detection object in JSON format for audit, export, and advanced analysis. |
Concerns about AI?
Rapid7 does not use any customer data for training or fine-tuning our large language models (LLMs), nor do we share your data with any third-party LLMs for their training purposes. For more details about the feature and how it works, see AI Overview. If you would prefer to opt out of AI usage, contact your CSA or Support.
Click Respond to open the runtime response experience. Available response options may include:
- Terminate processes
- Apply or generate Network Policies
- Generate Seccomp profiles
- Additional remediation workflows
Review Explore and manage Kubernetes runtime incidents to learn more.
Cloud-native detections (AWS, Azure, GCP)
Cloud-native detections use the Detection Findings interface while preserving existing detection content.
| Tab name | Contents |
|---|---|
| Overview | Displays: |
| Response Guidance | Displays static remediation guidance provided by the detection source. |
| JSON | Displays the full detection object in JSON format for audit, export, and advanced analysis. |