Feb 25, 2025

25.2.25

Release Summary

InsightCloudSec is pleased to announce release version 25.2.25. This release includes a new data-centric risk prioritization feature, Azure host assessment updates, and new Query Filters and Insights.

New Permissions: Microsoft Azure

These permissions support the changes to Azure host assessments snapshot storage. All permissions (and any relevant wildcard equivalents) have been added to the appropriate onboarding user roles.

  • "Microsoft.Resources/subscriptions/resourcegroups/write"

Azure deprecation announcements

Azure deprecating virtual network injection for Azure Data Explorer (ADX)/Kusto clusters

Beginning February 1, 2025, Azure will restrict an event hub's system-assigned identity from entering an ADX cluster's virtual network. This means if you are currently using the Azure Least-Privileged Access feature and have deployed it using a virtual network, you will need to migrate to using managed virtual private endpoints instead. We recommend following Azure's detailed migration guide.

Azure Database for MySQL Single Server deprecation announcement

Azure announced the deprecation of Database for MySQL Single Server and retired the service on September 16, 2024. After March 10, 2025, Azure Database for MySQL Single Server instances will no longer receive security updates or fixes. Non-responsive MySQL Single Server instances that have not migrated to another service will be deleted. Azure recommends migrating to a MySQL Flexible Server instance and will attempt to automatically migrate any non-responsive MySQL Single Server instances. For more information, review the Azure documentation: https://learn.microsoft.com/en-us/azure/mysql/migrate/whats-happening-to-mysql-single-server

To assist with identifying affected resources, InsightCloudSec has added a new Insight available with this version that will flag any MySQL Single Server instances: Azure Database Instance Single Server Migration (MySQL)

After March 10, 2025, the following Insights will be removed:

  • Database Instance without Connection Log Auditing Events (MySQL Single Server)
  • Database Instance not Enforcing Transit Encryption (MySQL Single Server)
  • Database Instance without Log Auditing Enabled (MySQL Single Server)

After March 10, 2025, the following Query Filter will be removed:

  • Database Instance Server Type

Azure Database for PostgreSQL Single Server deprecation announcement

Azure announced the deprecation of Database for PostgreSQL Single Server and retired the service on September 16, 2024. After March 28, 2025, Azure Database for PostgreSQL Single Server instances will no longer receive security updates or fixes. Non-responsive PostgreSQL Single Server instances that have not migrated to another service will be deleted. Azure recommends migrating to a PostgreSQL Flexible Server instance and will attempt to automatically migrate any non-responsive PostgreSQL Single Server instances. For more information, review the Azure documentation: https://learn.microsoft.com/en-us/azure/postgresql/migrate/whats-happening-to-postgresql-single-server

To assist with identifying affected resources, InsightCloudSec has added a new Insight available with this version that will flag any PostgreSQL Single Server instances: Azure Database Instance Single Server Migration (PostgreSQL)

After March 28, 2025, the following Insights will be removed:

  • Database Instance Allowing Access from Cloud Resources (PostgreSQL Single Server)
  • Database Instance without Infrastructure Encryption Enabled (PostgreSQL Single Server)
  • Database Instance Not Configured to Log Connections (PostgreSQL Single Server)
  • Database Instance Not Configured to Log Disconnections (PostgreSQL Single Server)
  • Database Instance Not Configured to Throttle Connections (PostgreSQL Single Server)
  • Database Instance Log Retention Below Threshold (PostgreSQL Single Server)
  • Database Instance not Enforcing Transit Encryption (PostgreSQL - Single Server)
  • Database Instance not configured to Log Checkpoints (PostgreSQL Single Server)

After March 28, 2025, the following Query Filter will be removed:

  • Database Instance Server Type
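The two deprecation notices above both come down to one inventory question: which retired Single Server instances still exist, and how long until their deadline? The following script is an added example, not InsightCloudSec code and not the Insights named above. It reads the JSON that `az resource list -o json` produces (the sample inventory below is constructed, with a placeholder subscription id), distinguishes the retired `Microsoft.DBforMySQL/servers` and `Microsoft.DBforPostgreSQL/servers` types from their `flexibleServers` replacements, and reports each affected instance with the deadline dates given in this release note.

```python
"""Added example: find retired Azure MySQL/PostgreSQL Single Server instances in an
`az resource list` export and report days remaining until the deadlines above."""
import json
import sys
from datetime import date

# Resource provider types for the retired Single Server offerings, with the
# deadline dates stated in the deprecation announcements above.
SINGLE_SERVER_TYPES = {
    "microsoft.dbformysql/servers": ("MySQL", date(2025, 3, 10)),
    "microsoft.dbforpostgresql/servers": ("PostgreSQL", date(2025, 3, 28)),
}

# The recommended migration targets use a different provider type, so they
# are never matched by the check above.
FLEXIBLE_SERVER_TYPES = {
    "microsoft.dbformysql/flexibleservers",
    "microsoft.dbforpostgresql/flexibleservers",
}

# Constructed sample shaped like `az resource list -o json` output, trimmed to
# the fields this script uses. The subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_INVENTORY = json.dumps([
    {"id": f"{SUB}/resourceGroups/rg-legacy/providers/Microsoft.DBforMySQL/servers/mysql-legacy-01",
     "name": "mysql-legacy-01", "type": "Microsoft.DBforMySQL/servers",
     "location": "eastus", "resourceGroup": "rg-legacy"},
    {"id": f"{SUB}/resourceGroups/rg-legacy/providers/Microsoft.DBforPostgreSQL/servers/pg-legacy-01",
     "name": "pg-legacy-01", "type": "Microsoft.DBforPostgreSQL/servers",
     "location": "westeurope", "resourceGroup": "rg-legacy"},
    {"id": f"{SUB}/resourceGroups/rg-new/providers/Microsoft.DBforMySQL/flexibleServers/mysql-flex-01",
     "name": "mysql-flex-01", "type": "Microsoft.DBforMySQL/flexibleServers",
     "location": "eastus", "resourceGroup": "rg-new"},
    {"id": f"{SUB}/resourceGroups/rg-new/providers/Microsoft.Storage/storageAccounts/stlogs01",
     "name": "stlogs01", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "resourceGroup": "rg-new"},
])


def find_single_servers(inventory_json: str, today: date) -> list:
    """Return one record per retired Single Server instance, earliest deadline first."""
    affected = []
    for res in json.loads(inventory_json):
        key = res.get("type", "").lower()  # provider types are case-insensitive
        if key not in SINGLE_SERVER_TYPES:
            continue
        engine, deadline = SINGLE_SERVER_TYPES[key]
        affected.append({
            "name": res["name"],
            "engine": engine,
            "resource_group": res.get("resourceGroup"),
            "location": res.get("location"),
            "deadline": deadline.isoformat(),
            "days_left": (deadline - today).days,  # negative once the deadline has passed
            "recommended_target": f"{engine} Flexible Server",
        })
    affected.sort(key=lambda r: (r["deadline"], r["name"]))
    return affected


def summarize(inventory_json: str, today: date) -> dict:
    """Count retired vs already-migrated (flexible) servers per engine."""
    counts = {"single": {}, "flexible": {}}
    for res in json.loads(inventory_json):
        key = res.get("type", "").lower()
        if key in SINGLE_SERVER_TYPES:
            engine = SINGLE_SERVER_TYPES[key][0]
            counts["single"][engine] = counts["single"].get(engine, 0) + 1
        elif key in FLEXIBLE_SERVER_TYPES:
            engine = "MySQL" if "mysql" in key else "PostgreSQL"
            counts["flexible"][engine] = counts["flexible"].get(engine, 0) + 1
    counts["overdue"] = [r["name"] for r in find_single_servers(inventory_json, today)
                         if r["days_left"] < 0]
    return counts


if __name__ == "__main__":
    # Usage: az resource list -o json | python3 find_single_servers.py
    # With no piped input, the constructed sample is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    print(json.dumps(find_single_servers(data, date.today()), indent=2))
```

Run it against a real export by piping `az resource list -o json` into the script; instances with a negative `days_left` are past the deadline stated above and should be treated as at risk of automatic migration or deletion.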

Details for self-hosted customers

New

  • Added support for data-centric risk prioritization using sensitive data classifications, which provides a unified approach to managing sensitive data discovery risks across your environments. This capability combines Query Filters and Insights with the existing risk scoring and prioritization model that was introduced with Layered Context and is used throughout InsightCloudSec. InsightCloudSec supports sensitive data classification using resource tags and can also leverage findings from third-party tools like Amazon Macie, Azure Sensitive Data Discovery, and Google Sensitive Data Protection. Explore the new documentation for additional details. To support this initiative, we've added the following Insights and Query Filters:
    • Resource with Sensitive Data Classifications (Query Filter)
    • Resource without Sensitive Data Classifications (Query Filter)
    • Resource With Missing Data Classification (Insight)
  • The Infrastructure as Code scanning tool mimics now supports validating sensitive data classifications. Explore the setup documentation for details on how this works. This support is available in mimics version 1.3.21.
  • Added the following Insights:
    • Encryption Key Without 90 Day Rotation Period Enforced
    • Instance Without OS Login Enabled
    • Instance Without Shielded VM Configuration Enabled
    • Web App with Allow All Configured for CORS
  • Added the following Query Filter:
    • Web App with Allowed Origins Configured for CORS
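To make the tag-based classification idea concrete, here is an added example (not InsightCloudSec code, and not how the product's own scoring is implemented) that mirrors the three additions above: a "with classification" filter, a "without classification" filter, and a "missing classification" check for data stores, feeding into a simple risk score. The tag key `data-classification`, the classification values, the severity weights and the set of data-store resource types are all assumptions chosen for the illustration, as is the sample inventory.

```python
"""Added example: tag-driven sensitive data classification as an input to risk
prioritization. All tag keys, weights and resource types below are assumptions."""
from dataclasses import dataclass, field

CLASSIFICATION_TAG = "data-classification"           # hypothetical tag key
CLASSIFICATION_WEIGHT = {"pii": 3, "pci": 3, "phi": 3, "confidential": 2, "internal": 1, "public": 0}
SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Resource types expected to carry a classification tag (hypothetical list).
DATA_STORE_TYPES = {"storagecontainer", "dbinstance", "bigdatasnapshot"}


@dataclass
class Resource:
    name: str
    resource_type: str
    tags: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)      # severities of open findings
    publicly_accessible: bool = False


def classification(r: Resource):
    """Normalized classification value from the tag, or None when untagged."""
    value = r.tags.get(CLASSIFICATION_TAG)
    return value.strip().lower() if value else None


def has_sensitive_classification(r: Resource) -> bool:
    """Query Filter analogue: resource carries a non-public classification."""
    c = classification(r)
    return c is not None and CLASSIFICATION_WEIGHT.get(c, 0) > 0


def without_sensitive_classification(r: Resource) -> bool:
    """Query Filter analogue: the complement of the check above."""
    return not has_sensitive_classification(r)


def missing_classification(r: Resource) -> bool:
    """Insight analogue: a data store with no classification tag at all.
    Compute or network resources are not expected to carry the tag."""
    return r.resource_type in DATA_STORE_TYPES and classification(r) is None


def risk_score(r: Resource) -> float:
    """Findings and exposure give a base score; the classification weight scales it.
    An unclassified data store is unknown rather than safe, so it gets a modest uplift."""
    base = sum(SEVERITY_SCORE.get(s.lower(), 0) for s in r.findings)
    if r.publicly_accessible:
        base += 5
    weight = CLASSIFICATION_WEIGHT.get(classification(r) or "", 0)
    multiplier = 1.5 if missing_classification(r) else 1 + weight
    return round(base * multiplier, 1)


def prioritize(resources: list) -> list:
    """Resources ordered by descending risk score, then by name for stable output."""
    return sorted(resources, key=lambda r: (-risk_score(r), r.name))


# Constructed sample inventory.
SAMPLE_RESOURCES = [
    Resource("customer-db", "dbinstance", {"data-classification": "PII"}, ["high", "medium"]),
    Resource("public-assets", "storagecontainer", {"data-classification": "public"}, ["high"], True),
    Resource("analytics-snap", "bigdatasnapshot", {}, ["medium"]),
    Resource("web-vm", "instance", {}, ["critical"]),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RESOURCES):
        flags = []
        if has_sensitive_classification(r):
            flags.append("sensitive")
        if missing_classification(r):
            flags.append("missing-classification")
        print(f"{risk_score(r):6.1f}  {r.name:15} {' '.join(flags)}")
```

The point of the ordering is that a database tagged as holding PII with only high and medium findings outranks a VM with a critical finding, while an untagged snapshot is surfaced by the missing-classification check rather than silently scored as if it held nothing sensitive.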

Improved

  • Added a link to a Bot's overview page from the Scheduled Events page when events are filtered by a specific Bot.
  • Turned on the new interface for the following pages by default:
    • Security > Exemptions
    • Cloud > Cloud Accounts > Summary
    • Inventory > Resources

    You can still access the old interface by using the Switch to Legacy UI button.
  • Renamed the Google Service Account with Admin Privileges (GCP) Insight to Service Account with Admin Privileges and updated the Insight details to match this change.
  • Improved loading times for the Scheduled Events page.
  • Azure host assessments can now store created snapshots in a new resource group, rapid7-insightcloudsec-hva-, that is located in the same region as the instance being assessed. This functionality requires a new permission, "Microsoft.Resources/subscriptions/resourcegroups/write". If the permission is not present in the relevant role, snapshots will be created in the same resource group as the instance being assessed.

Fixed

  • Fixed an issue where users with the permissions to modify Harvesting Strategies could deselect a harvesting strategy for cloud accounts.
  • Fixed an issue preventing users from creating a custom Insight with the Resource Not Encrypted or Encrypted with Cloud Managed Key Query Filter.
  • Fixed a data accuracy issue with the Resource Vulnerability Count by Severity Query Filter and improved its performance.