Review Identity Analysis
Identity Analysis provides a unified location to explore principals and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more. You'll be able to:
- Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
- Narrow the scope of your assessment with tools for search & filtering and explore detailed information for individual principals.
- Review permission usage summaries and remediation to take action on identified risks.
Prerequisites
Before getting started with Identity Analysis you will need:
- A functioning InsightCloudSec installation
- One or more successfully onboarded cloud account(s)
- For customers using AWS
  - Differential Cache must be enabled (this is enabled by default for SaaS/hosted customers)
  - LPA for AWS should be configured. Read more under the AWS LPA Setup documentation.
- For customers using Azure
  - LPA should be configured. Read more under the Azure LPA Setup documentation.
- For customers using GCP
  - LPA is set up automatically. Read more about this feature in the GCP LPA Usage documentation.
Explore Identity Analysis
In InsightCloudSec, navigate to Security > Identity Analysis to start viewing your principal user data. Search and filter functionality is available to investigate your results quickly and effectively.
Search and Filter
Search
Type into the search bar to revise the list of principals based on your search criteria.
Filtering
Filtering (Add Filter) narrows the list of principals displayed using properties such as cloud account, principal type, and total permission count.
- Click the Add Filters button to open the panel, and “Select a property” to get started.
- After choosing your desired filters, select Apply to update the page to display the results of your specified filters.
- Total active filters will display a count next to the Filters label.
- Expanding the filters section of the Identity Analysis page displays the details for filters that are active.
Save Filters
After adding a filter, you can save it so that it can easily be reused the next time you access the feature.
Saved filters are feature-specific (since options vary between features), i.e., a Feature A saved filter will only be available in Feature A and will not be available in Feature B.
To save a filter:
- Use the Add Filter option to create a filtered view of the page.
- Expand the Filters section, and click the Options button (ellipsis).
- Click Save Filter and provide a name and (optional) description.
- If desired, select the checkboxes:
  - Set as Default Filter -- Designates this filter as your default when you return to the feature.
  - Make this a Public Filter -- Makes this filter available to all users inside your InsightCloudSec organization.
- Click OK. The filter is saved and can be edited from the Saved Filters page for this feature.
Principals
The Principals tab contains the principals found across all of your onboarded cloud accounts.
Trends and Analytics
The Trends and Analytics section comprises charts that summarize critical details for your principals. Currently this section features two charts:
- Risk Factors -- The most common risk factors in your environment as well as the count of principals affected by the factor
  - Click a Risk Factor to automatically configure the filters to scope the Data Display to the selected risk factor, e.g., clicking the Multi-Factor Authentication Disabled risk factor will add the filter Risk Factor is in mfa_disabled.
  - Click Clear All in the Filters section to clear all filters and reset the view.
- Unused Permissions Distribution -- The count of principals that have unused permissions allocated to them (grouped in 20% chunks).
  - Click an Unused Permissions Distribution to automatically configure the filters to scope the Data Display to the selected group, e.g., clicking the Under 20% group will add the filters Unused Permission Percentage greater than 0 and Unused Permission Percentage less than or equal to 20.
Principals Data Display
On the Principals tab, below the Trends and Analytics section, is the main table of data. The value at the top of the table displays the total number of principals; it updates to reflect the number of principals scoped by any configured filters.
Details | Description |
---|---|
Principal Name | The name of the principal. |
Principal Type | The principal type for the associated principal. Currently Cloud Role and Cloud User are supported. |
Cloud Account | The type of cloud account as well as the account name for the associated principal. |
Insight Summary | Displays the highest criticality available (for example, if the principal is only associated with an Insight (or Insights) with a Medium severity, that is what will display in the Insight Summary). |
Permissions | Displays a visualization of permissions with different colors for the quantity of unused, used, and unassessed permissions. Unassessed permissions do not appear in the graph, but their count is displayed in the tooltip if you hover on the graph. |
Privilege Escalation | Displays a visual indicator of privilege escalation for the selected principal. Options include none, N/A (where no data is available), and a flag indicating that the principal may have issues around privilege escalation. |
Action | |
Context Details
Selecting an individual principal, either by clicking its name or by selecting View Context Details under Action, opens a detail view for the selected principal.
This view includes information like:
Principal Detail Availability
For each individual principal available in Identity Analysis the context details will vary.
- Areas that are not applicable, and/or those that do not contain data will be greyed out
- Depending on the principal, different context details are available