Layered Context
Layered Context provides a holistic view of the most critical resources found in all environments that are connected to InsightCloudSec. The newest release includes trend and analytics visualizations for Insights impacting resources and high-risk resource types. We are continuing to update and expand features for this capability focusing on delivering an experience that provides:
- High-level visualizations around the most critical high risk resources
- A resource-centric view of risk across multiple security domains in a unified, consolidated framework
- Easy access to details of risk surrounding a specific resource
- Filtering for context with Clouds and Applications, and on specific resource types, severities, and security domains for better triaging/risk prioritization
- Reduced noise, offering a clearer view of the risk posture of your cloud estate
Feature overview
This video does not include scoping with Clouds, Applications, and Resources but you can read more about it here.
Getting started with Layered Context
Layered Context provides access to the visualizations, search functionality, filters, as well as a table/list display of clouds, applications, and resources. Any resource listed here is associated with one or more Insights.
Go to Security > Layered Context to get started.
The Layered Context Page includes:
- Trend and analytics visualizations that provide a snapshot of risk
- Search functionality and filtering that allow you to narrow the list of resources to only the most critical or vulnerable
- A table/list display with a list of clouds, applications, and resources that are currently associated with one or more InsightCloudSec Insights, Vulnerabilities, or Threat Findings
Visualizations (Trend and Analytics)
The Trend and Analytics section of Layered Context provides three high-level visuals to summarize risk associated with your resources.
Field | Description |
---|---|
Risky Resources | The number of high-risk resources that are included in your overall footprint. This count includes resources that are impacted by at least 1 Critical Finding for Insights or Vulnerabilities and are considered to have public exposure. The combination of these two elements has been selected to help you identify resources that should be prioritized for review. |
Insights Summary | A summary of the number of resources with findings for each of the severity categories available (for example: critical, high, medium). Hovering over the severity will display the total number of resources in each severity category. |
High Risk Resource Types | Displays a visual breakdown of the top 5 high risk resource types with a count and overall percentage (for example: resourceaccesslist includes 138 resources, representing 12.8% of your total resources) |
Scoping the Data
Layered Context includes tabs/sections to narrow your focus to specific categories. We include Clouds, Applications, and Resources as a way to explore and analyze your risk. For organizations with large and complex cloud environments, these scopes provide the ability to evaluate a single cloud account, Application Context, or resource. When combined with filtering, these scoping capabilities enable you to quickly navigate to specific areas that you want to evaluate for risk.
Tab | Description |
---|---|
Clouds | Selecting the Clouds tab allows you to view Layered Context for your cloud resources through the scope of your cloud account(s). Selecting an individual cloud by clicking on the name generates a view of the resources for the cloud selected. This view can be refined further through filtering to help you target specific security concerns within that cloud account. |
Applications | Selecting the Applications tab allows you to view Layered Context for your cloud resources through the scope of your Applications. This feature requires some additional configuration that you can learn more about through the Application Context page. Selecting an individual application generates a view of the resources within that application. This view can be refined further through filtering to help you target specific security concerns within the application. |
Resources | Selecting the Resources tab displays Layered Context details for all of your connected cloud resources. Selecting an individual resource by clicking on the name provides a resource detail pane where you can explore the properties of the resource and its Insight Findings, view Related Resources, and download JSON for that individual resource (along with many other contextual details). |
Filtering & Searching
Layered Context has searching and filtering functionality to effectively narrow the scope of and navigate the resource list.
Add Filter
Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:
- Each selected Filter updates dynamically with options appropriate for the property selected.
- After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
- If filtering on a Resource Tag:
  - Searching for a tag is case insensitive.
  - New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).
To add a filter:
- Click the Add Filters button to open the side panel.
- Select and configure a property to get started.
- After configuring your desired filters, click Apply to update the scope for the feature.
Save Filters (Optional)
After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".
To save a filter:
- Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>)
- Click the ellipsis (...) button, then click Save Filter.
- Provide a name for the filter and an optional description.
- Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
- Select the checkbox for Make this a Public Filter to allow other users to see the filter.
- Click OK.
Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.
Search
Type into the search bar and the list of resources will automatically filter to match the criteria. Currently, search is limited to the resource name and type metadata attributes.
Download
To save a copy of the information found in the resource list, click "Download" next to the search bar and select either "CSV" or "JSON". The file will be prepared in the background until it is ready to be downloaded by your web browser.
If the file preparation takes longer than 10 minutes, it will time out, so it's best to narrow the scope prior to downloading.
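The Risky Resources rule described under Visualizations (at least one Critical finding plus public exposure) can be re-applied offline to a JSON download, for example to cross-check the dashboard or feed your own reporting. The following is an added example, not InsightCloudSec code: the key names, the sample records, and the choice to count each resource under its highest Insight severity are assumptions, since the export schema is not shown on this page.

```python
import json
from collections import Counter

# Constructed sample standing in for a JSON download of the resource list.
# Every key name below is an assumption; map them to the keys in a real export.
SAMPLE_EXPORT = json.loads("""[
  {"name": "web-sg", "type": "resourceaccesslist", "public": true, "insight_max": "critical", "vuln_max": null},
  {"name": "db-sg", "type": "resourceaccesslist", "public": true, "insight_max": "high", "vuln_max": "critical"},
  {"name": "logs-bucket", "type": "storagecontainer", "public": true, "insight_max": "critical", "vuln_max": null},
  {"name": "build-vm", "type": "instance", "public": false, "insight_max": "critical", "vuln_max": "critical"},
  {"name": "cdn-bucket", "type": "storagecontainer", "public": true, "insight_max": "medium", "vuln_max": null},
  {"name": "internal-sg", "type": "resourceaccesslist", "public": false, "insight_max": "low", "vuln_max": null}
]""")

SEVERITIES = ("critical", "high", "medium", "low")


def is_risky(res):
    """Page's rule: >= 1 Critical Insight or Vulnerability finding AND public exposure."""
    has_critical = "critical" in (res.get("insight_max"), res.get("vuln_max"))
    # A missing or non-boolean exposure flag is treated as not public.
    return has_critical and res.get("public") is True


def summarize(resources, top_n=5):
    """Rebuild the three Trend and Analytics figures from exported rows."""
    risky = [r for r in resources if is_risky(r)]
    # Assumption: each resource is counted once, under its highest Insight severity.
    by_severity = Counter(r["insight_max"] for r in resources if r.get("insight_max"))
    by_type = Counter(r["type"] for r in risky)
    total = len(resources) or 1  # avoid dividing by zero on an empty export
    return {
        "risky_resources": len(risky),
        "insights_summary": {s: by_severity.get(s, 0) for s in SEVERITIES},
        # (type, count, percent of all exported resources), largest first
        "high_risk_types": [(t, n, round(100 * n / total, 1))
                            for t, n in by_type.most_common(top_n)],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EXPORT), indent=2))
```

A resource with critical findings but no public exposure (build-vm in the sample) is excluded from the risky count, which is the main reason this number is smaller than the count of critical findings.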
Data Display
Below the Trend and Analytics data visualizations is the main table/list display of all of the data (grouped by Clouds, Applications, and Resources) analyzed within Layered Context.
The capabilities for this section of the page (above the data display) include: Search, Download (JSON/CSV), and Column Options. Column options vary for each of the additional scope options (Clouds, Applications, and Resources) and are provided in detail below.
Detailed descriptions of Cloud fields
Cloud
The following details display by default for Clouds.
Field | Description |
---|---|
Cloud Name | The name of the cloud account |
Cloud | The type of cloud account |
Resources | The resource count for the cloud account |
Public Access | |
Insights Summary | Displays highest criticality available (for example if the resource is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary). |
Vulnerabilities Summary | Displays the badge(s) and count (Critical, High, Medium, Low), for the highest severity vulnerabilities identified for the selected resource. |
Threat Findings Summary | Displays the badge for highest severity Threat Finding for the selected resource |
Action (View Resources) | Creates a scoped view of resources where you can do the following: |
Detailed descriptions of Applications fields
Applications
The following details display by default for Applications.
Field | Description |
---|---|
Application Name | The name of the application |
Business Critical | Identifies an application as business critical |
Resources | The resource count for the application |
Public Access | |
Insights Summary | Displays highest criticality available (for example if the resource is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary). |
Threat Findings Summary | Displays the badge for highest severity Threat Finding for the selected resource |
Action (View Resources) | Creates a scoped view of resources where you can do the following: |
Detailed descriptions of Resources fields
Resources
The following details display by default for Resources.
Field | Description |
---|---|
Resource Name | The name of the resource |
Resource Type | The type of resource |
Cloud | The type of cloud account the resource is associated with |
Account Name | The name of the cloud account the resource is associated with |
Public Access | |
Insights Summary | Displays highest criticality available (for example if the resource is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary). |
Vulnerabilities Summary | Displays the badge(s) and count (Critical, High, Medium, Low), for the highest severity vulnerabilities identified for the selected resource. |
Threat Findings Summary | Displays the badge for highest severity Threat Finding for the selected resource |
Action (View Resources) | Creates a scoped view of resources where you can do the following: |
Context (Resource)
Selecting an individual resource by name, either from the Resources tab/section, or the scoped Resources tab/section generated by viewing data through Clouds or Applications, opens a detailed view of the context for the selected resource.
Resource Detail Availability
For each individual resource available in Layered Context, the additional details (properties, actions, tags, etc.) will vary.
- Areas that are not applicable, and/or those that do not contain data will be grayed out.
- Depending on the resource, different context is available.
The following details display by default for Context (Resources).
Details | Description |
---|---|
Properties | This tab provides a list of metadata attributes or properties for the selected resource, such as Cloud Account details, Resource ID, and a direct link. |
Action(s) | A list of actions available for the selected resource. These will vary based on permissions and resource type. |
Tags | Tags associated with the selected resource. |
Insight Findings | Provides a detailed list of the Insights this resource is associated with. |
Public Access | For resources marked as publicly accessible, this tab contains a count of checks and details for each check, including the date it was identified and the results (Public/Not Public). |
Vulnerabilities | This tab will provide a detailed list of the Vulnerabilities associated with this resource when available. Note: This capability is still in development. See Container Vulnerability Management for more information on vulnerabilities. |
Threat Findings | Provides a detailed list of the Threat Findings associated with this resource. Each line includes: Severity, Name, Provider ID, Occurrences (of each finding), First Seen (for each occurrence) and Last Seen (for last or most recent occurrence). Clicking on the arrow next to the individual line expands to show details for the selected Threat Finding. |
Source Documents | See the full section below for more information. |
Related Resources | Displays a list of associated resources with links to those resources/details. |
Activity | Displays a list of activities associated with the resource. |
Additional Columns | Additional columns beyond "Activity" may include Flow Log Findings, Groups, Policies, Custom Policies, etc., and will vary depending on the type of resource selected. |
Source Data
For select AWS resource types, there is an additional detail pane, Source Data, that surfaces raw data about the resource harvested directly from the Cloud Service Provider (CSP). This additional context about your resources can help to further investigate configuration issues or provide deeper analysis. Click into the document viewing area, then use ⌘F (macOS) or CTRL+F (Windows) to search through the data. For full support details, see Resources.
Documents will only be stored if changes are detected for a resource or if new resources have been created, so some supported resources may not have any source documents.
Layered Context API
There are two endpoints to enable interacting with Layered Context programmatically.
- Detail Resource: This endpoint details a resource, including parent account information and dependencies. Read more about it in the InsightCloudSec API reference.
- Export Source Data: This endpoint will export a given resource's source data.