Threat Findings User Guide

The information on this page has moved

For the most up to date Threat Findings guidance, go to Threat Findings.

Threat Findings provides access to data visualizations (Trend and Analytics), filtering, saved filters, and a table/list display of Event Sources, Findings Types, and more.

Go to Security > Threat Findings to get started.

Threat Findings Landing Page

Filtering & Searching

Threat Findings has filtering functionality to narrow the scope of the Event Source list. The "Add Filter" button allows you to select one or more filters that are applied to the data displayed on the page, including the Trend and Analytics visualizations.

Filter and review threat findings

  1. Go to Security > Threat Findings.
  2. On the Threat Findings page, click Add Filter and enter your filter criteria.
  3. (Optional) Save the filter for repeat use.
    1. Click the ellipsis and select Save Filter.
    2. Select whether the filter is the default filter to display.
    3. Select whether to make the filter public.
    4. Click OK.
  4. Review the findings.

Typing into the search bar automatically filters the list of event sources to match the criteria and updates the Findings view together with the Trend and Analytics data display.

Data Display

The main Threat Findings page displays a list of Threat Findings (with a total and percentage shown at the top), a search bar, and the columns Event Source, Finding Type, Count, Severity, Cloud Account, Resource Name & ID, Resource Type, and Last Detected. The list can be sorted ascending or descending on any of these columns.

Column: Description

Event Source: Identifies the source of the Threat Finding. In the current release only third-party CSP sources are supported.

Finding Type: Identifies the Finding Type and links to expanded data. Clicking the link for an individual Finding Type opens a detail pane that contains additional detail for that finding, as well as a JSON display/download option.

Count: The number of findings for the event source.

Severity: The severity of the Threat Finding (e.g. High, Medium, Low). Severities are taken from the severity information reported by the individual third-party source.

Resource Name & ID: The Resource Name and ID. Clicking an individual Resource ID opens the detailed resource view, which includes an option to download the source data as well as a tabbed view (Properties, Public Access, Insight Findings, Threat Findings, etc.).

Resource Type: The Resource Type, for example Instance or Serviceaccesskey.

Last Detected: The time the Threat Finding was last seen. This varies with when the data was last harvested.

Threat Findings and Automation (Bots)

InsightCloudSec supports building automation around notifications through its Bot capability, which works with Threat Findings out of the box. Users can export findings to a SIEM (e.g. Splunk) or generate notifications for a specific scope of findings to a specific email address or Slack channel. Your Bot can be scoped with two resource types associated with Threat Findings:

For more details about Bot configuration, refer to our documentation on BotFactory & Automation. In general, Bots can be created in one of three ways:

JSON Threat Findings Bot Template
```json
{
  "resource_id": "divvybot:1:1234",
  "name": "Threat Findings Bot",
  "description": "",
  "notes": null,
  "insight_id": null,
  "source": null,
  "insight_name": null,
  "insight_severity": null,
  "owner": "divvyuser:1234:",
  "owner_name": "Rapid7",
  "state": "RUNNING",
  "date_created": "2022-12-14 11:00:15",
  "date_modified": "2022-12-21 14:29:28",
  "category": "Security",
  "badge_scope_operator": null,
  "instructions": {
    "resource_types": [
      "threatfinding"
    ],
    "filters": [
      {
        "name": "divvy.filter.threat_finding_by_category_and_confidence",
        "config": {
          "confidence": [
            "low",
            "medium",
            "high"
          ],
          "category": [
            "incident",
            "anomaly"
          ]
        }
      }
    ],
    "actions": [
      {
        "name": "divvy.action.send_bulk_email",
        "config": {
          "message_subject": "Found a threat!",
          "preamble": "start",
          "message_body": "{{resource.serialize(indent=2)}}",
          "conclusion": "end",
          "recipient_list": [
            "john_smith@rapid7.com"
          ],
          "recipient_tag_keys": [],
          "walk_resource_group": false,
          "recipient_badge_keys": [],
          "separator": "",
          "send_via_bcc": false,
          "html_message": false,
          "skip_duplicates": true,
          "send_empty_email": false,
          "replacement_strings": []
        },
        "run_when_result_is": true
      },
      {
        "name": "divvy.action.mark_non_compliant",
        "config": {},
        "run_when_result_is": true
      }
    ],
    "groups": [
      "divvyorganizationservice:1",
      "divvyorganizationservice:2"
    ],
    "badges": [],
    "exclusion_badges": null,
    "hookpoints": [
      "divvycloud.resource.created",
      "divvycloud.resource.modified"
    ],
    "schedule": null,
    "schedule_description": null
  },
  "valid": true,
  "errors": [],
  "severity": "low",
  "detailed_logging": false,
  "scope": [
    "divvyorganizationservice:1",
    "divvyorganizationservice:2"
  ]
}
```

Creating a Threat Findings Bot from a Template

Import an automation template

  1. In InsightCloudSec, go to Automation > BotFactory.
  2. On the Templates tab, select the Import Template option.
  3. In the JSON window, paste the JSON automation template, provided above.
  4. Click Submit to verify and store the template for future use.
  5. Review Creating Bots for more information on next steps.
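A bot built from the template above emails the full serialized finding (`{{resource.serialize(indent=2)}}`) to whoever is in `recipient_list`, so it is worth checking the JSON before pasting it into Import Template at step 3. The following pre-import check is an added example, not InsightCloudSec code or part of its API: it reads the template fields shown on this page and flags a missing `threatfinding` resource type, a missing threat-finding filter, confidence or category values outside the set the template uses, a bot with neither hookpoints nor a schedule, and an email action whose recipients fall outside an allowed-domain list. The allowed confidence/category sets, the allowed-domain list, and the reading of `recipient_tag_keys` as "take recipient addresses from resource tags" are assumptions made for this check; the embedded template is a trimmed copy of the one above, constructed for the example.

```python
"""Sanity-check an InsightCloudSec Threat Findings bot template before import.

Added example; not InsightCloudSec code. Field names follow the template on
this page. ALLOWED_* sets and the recipient-domain allowlist are assumptions.
"""
import copy
import json

# Assumed: the only values the page's template uses for the threat-finding filter.
ALLOWED_CONFIDENCE = {"low", "medium", "high"}
ALLOWED_CATEGORY = {"incident", "anomaly"}
THREAT_FILTER = "divvy.filter.threat_finding_by_category_and_confidence"
EMAIL_ACTION = "divvy.action.send_bulk_email"

# Constructed sample: a trimmed copy of the page's template with the fields the check reads.
EXAMPLE_TEMPLATE = {
    "name": "Threat Findings Bot",
    "instructions": {
        "resource_types": ["threatfinding"],
        "filters": [{
            "name": THREAT_FILTER,
            "config": {"confidence": ["low", "medium", "high"],
                       "category": ["incident", "anomaly"]},
        }],
        "actions": [
            {"name": EMAIL_ACTION,
             "config": {"message_subject": "Found a threat!",
                        "message_body": "{{resource.serialize(indent=2)}}",
                        "recipient_list": ["john_smith@rapid7.com"],
                        "recipient_tag_keys": []},
             "run_when_result_is": True},
            {"name": "divvy.action.mark_non_compliant", "config": {},
             "run_when_result_is": True},
        ],
        "hookpoints": ["divvycloud.resource.created", "divvycloud.resource.modified"],
        "schedule": None,
    },
    "scope": ["divvyorganizationservice:1", "divvyorganizationservice:2"],
}


def lint_bot_template(template: dict, allowed_domains: set[str]) -> list[str]:
    """Return the problems found; an empty list means the template passed every check."""
    problems: list[str] = []
    instr = template.get("instructions", {})

    if "threatfinding" not in instr.get("resource_types", []):
        problems.append("resource_types does not include 'threatfinding'")

    filters = instr.get("filters", [])
    if not any(f.get("name") == THREAT_FILTER for f in filters):
        problems.append(f"no {THREAT_FILTER} filter: bot would fire on every threat finding")
    for f in filters:
        cfg = f.get("config", {})
        bad_conf = set(cfg.get("confidence", [])) - ALLOWED_CONFIDENCE
        bad_cat = set(cfg.get("category", [])) - ALLOWED_CATEGORY
        if bad_conf:
            problems.append(f"unknown confidence value(s): {sorted(bad_conf)}")
        if bad_cat:
            problems.append(f"unknown category value(s): {sorted(bad_cat)}")

    if not instr.get("hookpoints") and not instr.get("schedule"):
        problems.append("no hookpoints and no schedule: bot would never run")

    for action in instr.get("actions", []):
        if action.get("name") != EMAIL_ACTION:
            continue
        cfg = action.get("config", {})
        recipients = cfg.get("recipient_list", [])
        if not recipients and not cfg.get("recipient_tag_keys"):
            problems.append("send_bulk_email has no recipients")
        for addr in recipients:
            # Everything after the last '@' is the domain; an address with no '@' is flagged too.
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in allowed_domains:
                problems.append(f"recipient {addr} is outside the allowed domains")
        if cfg.get("recipient_tag_keys"):
            # Assumed semantics: addresses are read from tags on the matched resource, so anyone
            # who can tag the cloud resource can redirect the finding (full JSON body) elsewhere.
            problems.append("recipient_tag_keys set: recipients come from resource tags, review who can set them")
    return problems


def lint_bot_json(text: str, allowed_domains: set[str]) -> list[str]:
    """Same check, starting from the JSON text you are about to paste into Import Template."""
    return lint_bot_template(json.loads(text), allowed_domains)


if __name__ == "__main__":
    print(lint_bot_template(EXAMPLE_TEMPLATE, {"rapid7.com"}))
    leaked = copy.deepcopy(EXAMPLE_TEMPLATE)
    leaked["instructions"]["actions"][0]["config"]["recipient_list"].append("someone@example.org")
    print(lint_bot_template(leaked, {"rapid7.com"}))
```

Run the check against the exact JSON you plan to import rather than a hand-edited copy, and keep the domain allowlist to the mailboxes that are cleared to receive raw finding data.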