Review Identity Analysis

Identity Analysis provides a unified location to explore principals and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more. You'll be able to:

  • Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
  • Narrow the scope of your assessment with tools for search & filtering and explore detailed information for individual principals.
  • Review permission usage summaries and remediation to take action on identified risks.

Prerequisites

Before getting started with Identity Analysis you will need:

  • A functioning InsightCloudSec installation
  • One or more successfully onboarded cloud account(s)
  • For customers using AWS
    • Differential Cache must be enabled (this is enabled by default for SaaS/hosted customers)
    • LPA for AWS should be configured. Read more under the AWS LPA Setup documentation.
  • For customers using Azure
    • LPA should be configured. Read more under the Azure LPA Setup documentation.
  • For customers using GCP
    • LPA is set up automatically. Read more about this feature in the GCP LPA Usage documentation.

Explore Identity Analysis

In InsightCloudSec, navigate to Security > Identity Analysis to start viewing your principal user data. Search and filter functionality is available to investigate your results quickly and effectively.

Search and Filter

Type into the search bar to revise the list of principals based on your search criteria.

Filtering

Filtering (Add Filter) narrows the list of displayed principals using properties like cloud accounts, principal type, and total permission count.

  1. Click the Add Filters button to open the panel, and “Select a property” to get started.
  2. After choosing your desired filters, select Apply to update the page to display the results of your specified filters.
  3. Total active filters will display a count next to the Filters label.
  4. Expanding the filters section of the Identity Analysis page displays the details for filters that are active.

Save Filters

After adding a filter, you can save it so that it can easily be reused the next time you access the feature.

Saved filters are feature-specific (since options vary between features), i.e., a Feature A saved filter will only be available in Feature A and will not be available in Feature B.

To save a filter:

  1. Use the Add Filter option to create a filtered view of the page.
  2. Expand the Filters section, and click the Options button (ellipsis).
  3. Click Save Filter and provide a name and (optional) description.
  4. If desired, select the checkboxes:
    • Set as Default Filter -- Designates this filter as your default when you return to the feature
    • Make this a Public Filter -- Makes this filter available to all users inside your InsightCloudSec organization.
  5. Click OK. The filter is saved and can be edited from the Saved Filters page for this feature.

Principals

The Principals tab contains the principals found across all of your onboarded cloud accounts.

The Trend and Analytics section comprises charts that summarize critical details for your principals. Currently this section features two charts:

  • Risk Factors -- The most common risk factors in your environment as well as the count of principals affected by the factor
    • Click a Risk Factor to automatically configure the filters to scope the Data Display to the selected risk factor, e.g., clicking the Multi-Factor Authentication Disabled risk factor will add the filter Risk Factor is in mfa_disabled.
      • Click Clear All in the Filters section to clear all filters and reset the view
  • Unused Permissions Distribution -- The count of principals that have unused permissions allocated to them (grouped in 20% chunks).
    • Click an Unused Permissions Distribution to automatically configure the filters to scope the Data Display to the selected group, e.g., clicking the Under 20% group will add the filters Unused Permission Percentage greater than 0 and Unused Permission Percentage less than or equal to 20

Principals Data Display

On the Principals tab, the main table of data sits below the Trends and Analytics section. The value at the top of the table displays the total number of principals; when filters are configured, it updates to reflect the number of principals scoped by those filters.

Details -- Description

  • Principal Name -- The name of the principal.
    • Clicking the copy icon to the right of the name copies the full name.
    • Clicking the name opens a detail view with expanded properties, Insight Findings, Related Resources, etc. Refer to Context Details for more information.
  • Principal Type -- The principal type for the associated principal. Currently Cloud Role and Cloud User are supported.
  • Cloud Account -- The type of cloud account as well as the account name for the associated principal.
  • Insight Summary -- Displays the highest criticality available (for example, if the principal is only associated with an Insight (or Insights) with a Medium severity, that is what will display in the Insight Summary).
    • Critical, High, Medium, Low, Info: The count of the Insights associated with the principal for each individual severity (e.g., Critical = 13 indicates 13 Critical Insights for that resource).
    • Hover on the Insights badge for the counts of each Insight severity associated with the principal.
    • Click the Insights badge for expanded details on any Insight Findings associated with a specific principal.
  • Permissions -- Displays a visualization of permissions with different colors for the quantity of unused, used, and unassessed permissions. Unassessed permissions do not appear in the graph, but their count will be displayed in the tooltip if you hover on the graph.
    • Clicking the permissions visualization bar opens the detail view for the selected principal.
  • Privilege Escalation -- Displays a visual indicator for privilege escalation for the selected principal. Options include none, N/A (where no data is available), and a flag to indicate that the principal may have issues around privilege escalation.
    • Clicking the value in the column opens the Insight Findings tab of the Context Details to explore Insight Findings data that identifies risk of privilege escalation.
  • Action
    • Click View Context Details (left icon) to open the Context Details panel.
    • Click Download Source Data (right icon) to download source data for the principal.

Context Details

Selecting an individual principal, either by clicking its name or by selecting View Context Details under Action, opens a detail view for the selected principal.

This view includes information like:

Principal Detail Availability

The context details available vary for each individual principal in Identity Analysis.

  • Areas that are not applicable, and/or those that do not contain data will be greyed out
  • Depending on the principal, different context details are available