Threat Findings

InsightCloudSec Threat Findings is a multi-cloud capability that curates runtime threat detections from customer resources. Threat Findings provides a single view that collects all runtime threat detection findings from various sources. The unified view provides various filtering options, while offering security context by associating the findings with the relevant cloud resource(s) and resource properties. This uniform solution allows users to explore findings using filters and Bot automation.

Threat Finding: A data item that refers to the detection of possible malicious behavior. The finding may refer to a specific event occurring at a specific point in time or to a behavior that spans a period of time. Data for reporting in Threat Findings is retained for 90 days.

Affected Resource: The cloud resource that is affected by the malicious behavior. The resource may be the one that presents the malicious behavior or the one that is the target of the behavior.

Finding Source: The tool or mechanism generating the findings.

Feature Support

Threat Findings displays information from the following third-party sources:

  • AWS
    • Guard Duty
    • Macie
    • Shield
  • Azure Defender for Cloud
  • GCP Security Command Center

Go to Security > Threat Findings to get started.

Prerequisites & Deployment

Threat Findings relies on the data that is harvested for InsightCloudSec from each Cloud Service Provider you have configured. Before getting started with Threat Findings you will need to ensure you have the following:

  • An existing InsightCloudSec installation (version 22.4.8 or later)

  • Appropriate permissions for your desired Cloud Service Providers. In order to harvest the resource information specific to Threat Findings you will need the specified permissions for the Resource Type(s) (e.g. Threat Finding) identified below. These may already be enabled/configured within your environment as part of your existing platform installation. For general information on policies/roles/permissions for each CSP refer to:

Cloud-specific resources and required permissions

Refer to the details below to validate the individual permissions for each Cloud Service Provider (CSP).

AWS Resource Type & Required Permissions

ResourceType.THREAT_FINDING:
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "macie2:GetFindings",
    "macie2:ListFindings",
    "shield:ListAttacks",
    "shield:ListProtections"

Azure Resource Type & Required Permissions

ResourceType.THREAT_FINDING:
    "Microsoft.Security/alerts/read"

GCP Resource Type & Required Permissions

ResourceType.THREAT_FINDING:
    "securitycenter.sources.list",
    "securitycenter.findings.list"

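To confirm the AWS side before onboarding, here is an added example (not part of the InsightCloudSec documentation or product) that checks an IAM policy document against the THREAT_FINDING action list above, honouring IAM's case-insensitive wildcard matching; the sample policy is constructed.

```python
"""Check an IAM policy document for the actions the AWS THREAT_FINDING
resource type needs (the list above).  Added example, not Rapid7 code."""
import fnmatch
import json

REQUIRED_AWS_THREAT_FINDING_ACTIONS = [
    "guardduty:GetFindings", "guardduty:ListDetectors", "guardduty:ListFindings",
    "macie2:GetFindings", "macie2:ListFindings",
    "shield:ListAttacks", "shield:ListProtections",
]


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> list[str]:
    """Collect Action strings from Allow statements.  Deny statements and
    NotAction are ignored here, so review those separately."""
    actions = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.extend(_as_list(stmt["Action"]))
    return actions


def missing_permissions(policy: dict,
                        required=REQUIRED_AWS_THREAT_FINDING_ACTIONS) -> list[str]:
    """Return required actions that no Allow statement grants.  IAM matches
    action names case-insensitively and supports '*' and '?' wildcards, so
    'guardduty:List*' covers both List actions."""
    granted = [a.lower() for a in allowed_actions(policy)]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]


# Constructed sample: GuardDuty and Macie are covered by wildcards, Shield is not.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["guardduty:Get*", "guardduty:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "macie2:*Findings", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for action in missing_permissions(SAMPLE_POLICY):
        print("missing:", action)
```

Run it against the policy attached to the role or user InsightCloudSec harvests with; anything it prints is a permission the Threat Findings harvester will be denied.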
Explore Threat Findings

In InsightCloudSec, navigate to Security > Threat Findings to start viewing threats to your environment.

Filter

Threat Findings has filtering functionality to effectively narrow the scope of and navigate the data.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Trend and Analytics

The Trend and Analytics chart displays the count of threats found per day/hour within a given timeframe, with the option to organize the graph by threat severity.

  • Click a View name to toggle between the Default view (raw counts by day) and the Severities Trend view (raw counts by day organized by severity).
    • In the Severities Trend view, click a severity type along the X axis to filter that severity out of the graph.
  • Click and drag across the graph to zoom in; the finest granularity for the graph is hours. If your selected timeframe is less than 72 hours, the X axis switches from days to hours.
    • When you zoom in, the data display filters accordingly.
  • Use the buttons at the bottom of the view to jump to common timeframes, e.g., Show All, Last Hour, Last 72 Hours, Last 7 Days.
    • Whenever you're finished and would like to return to the default timeframe, click <- Back.

Data Display

The main Threat Findings page displays a list of Threat Findings (with a total and percentage displayed at the top) with sortable/interactive columns.

Search: Field that enables free-text search of the filtered data.

Event Source: Identifies the source of the Threat Finding.

Finding Type: Identifies the Finding Type and links to expanded data. Clicking the link for an individual Finding Type opens a detail pane that contains additional detail for that finding, as well as a JSON display/download option.

Count: Provides a count of the findings for the event source.

Severity: Identifies the severity of the Threat Finding (e.g. High, Medium, Low). Severities are taken from the severity information reported by the individual third-party source.

Resource Name & ID: Displays the Resource Name and ID. Clicking an individual Resource ID opens the detailed resource view, which contains the option to download the source data as well as a tabbed view (Properties, Public Access, Insight Findings, Threat Findings, etc.).

Resource Type: Displays the Resource Type, for example Instance or Serviceaccesskey.

Last Detected: Provides the time the Threat Finding was last seen. This varies based on when the data was last harvested.

Threat Findings and Automation (Bots)

InsightCloudSec's Bot capability supports building notification automation around Threat Findings out of the box. Users can export findings to a SIEM (e.g. Splunk) or generate notifications for a specific scope of findings to a specific email address or Slack channel. Your Bot can be scoped with two resource types associated with Threat Findings:

  • The Threat Findings resource.
  • The Resource(s) (e.g., EC2 instances) on which a Threat Finding has been identified.

For more details about Bot configuration refer to our documentation on BotFactory & Automation. In general Bots can be created in one of three ways:

JSON Threat Findings Bot Template

{
  "resource_id": "divvybot:1:1234",
  "name": "Threat Findings Bot",
  "description": "",
  "notes": null,
  "insight_id": null,
  "source": null,
  "insight_name": null,
  "insight_severity": null,
  "owner": "divvyuser:1234:",
  "owner_name": "Rapid7",
  "state": "RUNNING",
  "date_created": "2022-12-14 11:00:15",
  "date_modified": "2022-12-21 14:29:28",
  "category": "Security",
  "badge_scope_operator": null,
  "instructions": {
    "resource_types": [
      "threatfinding"
    ],
    "filters": [
      {
        "name": "divvy.filter.threat_finding_by_category_and_confidence",
        "config": {
          "confidence": [
            "low",
            "medium",
            "high"
          ],
          "category": [
            "incident",
            "anomaly"
          ]
        }
      }
    ],
    "actions": [
      {
        "name": "divvy.action.send_bulk_email",
        "config": {
          "message_subject": "Found a threat!",
          "preamble": "start",
          "message_body": "{{resource.serialize(indent=2)}}",
          "conclusion": "end",
          "recipient_list": [
            "john_smith@rapid7.com"
          ],
          "recipient_tag_keys": [],
          "walk_resource_group": false,
          "recipient_badge_keys": [],
          "separator": "",
          "send_via_bcc": false,
          "html_message": false,
          "skip_duplicates": true,
          "send_empty_email": false,
          "replacement_strings": []
        },
        "run_when_result_is": true
      },
      {
        "name": "divvy.action.mark_non_compliant",
        "config": {},
        "run_when_result_is": true
      }
    ],
    "groups": [
      "divvyorganizationservice:1",
      "divvyorganizationservice:2"
    ],
    "badges": [],
    "exclusion_badges": null,
    "hookpoints": [
      "divvycloud.resource.created",
      "divvycloud.resource.modified"
    ],
    "schedule": null,
    "schedule_description": null
  },
  "valid": true,
  "errors": [],
  "severity": "low",
  "detailed_logging": false,
  "scope": [
    "divvyorganizationservice:1",
    "divvyorganizationservice:2"
  ]
}

Creating a Threat Findings Bot from a Template

Import an automation template

  1. In InsightCloudSec, go to Automation > BotFactory.
  2. On the Templates tab, select the Import Template option.
  3. In the JSON window, paste the JSON automation template provided above.
  4. Click Submit to verify and store the template for future use.
  5. Review Creating Bots for more information on next steps.
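Before pasting an edited copy of the template into the Import Template window (step 3 above), it is worth catching the usual editing slips. The following is an added example, not Rapid7 code or a product feature; it inspects only the field names that appear in the template above, and its sample input is a constructed, trimmed copy of that template.

```python
"""Sanity-check a Threat Findings Bot template before pasting it into
Automation > BotFactory > Import Template.  Added example, not Rapid7 code."""
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
FILTER_NAME = "divvy.filter.threat_finding_by_category_and_confidence"


def check_threat_findings_bot(template: dict) -> list[str]:
    """Return a list of problems; an empty list means the template looks sane."""
    problems = []
    instr = template.get("instructions", {})
    # The Bot must be scoped to the threatfinding resource type.
    if "threatfinding" not in instr.get("resource_types", []):
        problems.append("resource_types does not include 'threatfinding'")
    # An empty confidence or category list is almost certainly an editing slip.
    for flt in instr.get("filters", []):
        if flt.get("name") == FILTER_NAME:
            for key in ("confidence", "category"):
                if not flt.get("config", {}).get(key):
                    problems.append(f"filter config '{key}' is empty")
    for act in instr.get("actions", []):
        if not isinstance(act.get("run_when_result_is"), bool):
            problems.append(f"action {act.get('name')} lacks a boolean run_when_result_is")
        if act.get("name") == "divvy.action.send_bulk_email":
            recipients = act.get("config", {}).get("recipient_list", [])
            if not recipients:
                problems.append("send_bulk_email has an empty recipient_list")
            problems += [f"bad recipient address: {r}"
                         for r in recipients if not EMAIL_RE.match(r)]
    return problems


# Constructed sample: a trimmed copy of the template above with one
# recipient address mistyped.
SAMPLE = json.loads("""{
  "instructions": {
    "resource_types": ["threatfinding"],
    "filters": [{"name": "divvy.filter.threat_finding_by_category_and_confidence",
                 "config": {"confidence": ["high"], "category": ["incident"]}}],
    "actions": [{"name": "divvy.action.send_bulk_email",
                 "config": {"recipient_list": ["john_smith@rapid7.com", "not-an-address"]},
                 "run_when_result_is": true}]
  }
}""")

if __name__ == "__main__":
    for problem in check_threat_findings_bot(SAMPLE):
        print("WARN:", problem)
```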