Posture Findings and Security Events

Events that appear in the summary view Events > All are generated from these sources:

This page does not show usual system or account events, such as account sign-ins or configuration issues, which appear in the API Audit Logs and System Audit Logs pages of the Events menu.

Configuring Events

You have to configure alerts from Compliance Engine, Intelligence, and other sources to appear on the Events page. For this, configure Notifications for these events. You have to do this for each policy separately, so you can control which rulesets and which environments generate events. To receive alerts from all rulesets and environments, configure this in each Policy.

In the Notification configuration window, make sure to select the Include in the alerts console option.

Alerts Console

The Alerts console shows all the findings in your secured environments. As the list can contain a large number of results, you can move through the list and view new findings that align with the search and filter criteria.

Alerts console elements

Item

Description

1

Filter and Search area

2

Action menu

3

Grouping bar

4

Findings table

You have many options to set up the Alerts console to view the applicable findings conveniently. For each table, CloudGuard automatically saves the changes you make in the table.

Filter and Search Area

The filters bar is at the top of the page and includes:

  • Preconfigured filters

  • Free text filter

  • Time frame filter

  • Action buttons: Clear All and Saved Filters

With the preconfigured filters, you can select to view events based on Organizational Units, severity, environment, and other parameters, or select to show or hide excluded and acknowledged findings. To add a preconfigured filter, click Add Filter and select as many filters as necessary from the list. The selected filters appear in the Search field, and the table is updated automatically based on them.

The free text filter allows you to enter text and use it as a filter. The entered text applies immediately to the current table.

With the time frame filter, you can view the findings according to their creation time. You can select one of the preconfigured periods or click Custom and select a custom date range.

Action Menu

When you select a finding, the actions applicable to this finding become available. Not all actions are available for all findings.

Use the menu for these actions:

  • Create an exclusion for a finding

  • Acknowledge or unacknowledge a finding

  • Create remediation for a finding

  • Immediately remediate an issue with a CloudBot

  • Add comments to the event

  • Close the finding

  • Archive the finding

  • Report issues related to the finding

  • Change the severity of the event

  • Assign an event to a CloudGuard user

For more actions and detailed information about them, see the steps below in Actions.

Findings Table

You can select one or more findings when you click the check box in their row. You can select all shown findings (a maximum of 1000 entries) when you click the check box in the table header.

Organize the table columns as necessary and adjust these parameters:

  • Visibility - To select which columns to see in the table, click Customize on the right.

  • Position - To change the column's location, click the column header and drag it to the desired location.

  • Width - To change the column width, drag the right separator line of its header in the desired direction. To adjust the width by the longest column value, double-click the right separator.

  • Sorting - To change between the default, ascending , or descending order of the entries, click the column header.

To restore the default settings of the table, click Reset Columns in the Action menu.

Group Arrangement

In the Grouping area, you can set up findings with the same parameters together, so they appear in the table below the same group title.

Arrange the findings by:

  • Severity

  • Created Time

  • Environment

  • Source, and so on

To group the findings, drag and drop the related column header into the grouping bar.

The selected header appears on the grouping bar, while all the findings are arranged by applicable groups.

Click the arrow on the left of each group name, to expand the group and see its contents. Click the arrow again to close the group.

To create more than one group level, drag more than one column header to the grouping bar.

The table below is organized by three levels of grouping, based on Severity, Category, and Environment.

The first level is divided into groups by Severity. When you open a group on this level, its content is divided into groups by the second-level parameter, Category. When you open a group on the second level, you see that the third-level parameter (Environment) applies to its content.

When you open the last group, it shows all the findings on this level.

To cancel grouping by a specific parameter, click X next to its header on the grouping bar.

Entity Card

Click a finding in the table to open an Entity Card with the finding details. Click X in the top right corner of the card to close the card and get back to the findings table.

The card contains these tabs:

  • Overview

  • Entity Viewer

  • Occurrences (if applicable)

Overview

The Overview header shows the summary of the finding:

  • Severity as defined in the applicable rule or use case

  • Date of creation

  • Event type (as an icon)

  • Occurrences number (as an icon)

  • Alert type by source engine that discovers it

  • Title of the applicable rule or use case.

  • Ruleset that contains the applicable rule or use case

  • Assignee - a user assigned to manage the finding, for example, set a remediation

  • Category - finding group

The Overview's primary part adds more details about the findings. It includes:

  • Title and link to the rule that did not pass the Compliance Engine finding, Intelligence, or Admission Control event

  • Ruleset

  • Rule or use case description

  • Remediation - See the actions that CloudGuard recommends

  • Last occurrence - It is possible to block the same event blocked more than one time. The alert appears only the first time, and the last occurrence reflects the last time the rule was violated by the same event

  • GSL expression - for more information on GSL, see Governance Specification Language (GSL)

Note - The actual rule is sometimes more complex than a GSL-code representation, so CloudGuard does not show the GSL code in Rulesets > Rule. Some Intelligence rule titles can change after you click the Investigate button.

The right section shows the entity, on which the rule fails, its link, the entity type, environment (account, cluster), region, and Organizational Unit.

Entity Viewer

The tab name is the name of the entity. It contains information about the configuration of the protected asset. Use the menu buttons to customize this view.

The entity can have the N/A (not available) status when:

  • The resource creation event was blocked, and it is not possible to create the entity on the environment.

  • The resource creation violation was detected. It is not possible to create the resource on the environment, but the Event can appear before the protected asset update in the CloudGuard backend. It can take up to five minutes for the entity link to appear in the alert.

Occurrences

For Threat and Security events, you can see a separate tab with the details of the event occurrences.

Each time the rule discovers a finding, CloudGuard registers this finding as a separate occurrence. CloudGuard aggregates the findings if they have the same environment, entity, and event (same GSL code). The time interval to group all occurrences in the same security event is 30 minutes. Each five minutes CloudGuard checks the traffic of the previous 30 minutes and alerts if necessary. As CloudGuard does not include the occurrences that were displayed before, some occurrences of the same event can overlap after the others in time intervals.

Click Investigate to open the event log in the Traffic Explorer and examine the actual log information for the selected entity at the event's time frame. To have a clearer view, drag the Source and Destination headers to the grouping bar.

The logs investigation is not available if the related logs passed the retention period.

Events Deletion

Posture findings and security events are deleted from the alerts console when they are considered resolved, that is, the rule is not violated anymore (passed). This happens when:

  • Users correct or remediate the issue that triggered the event.

  • Users voluntarily close the finding - see Closing findings.

  • Users delete the policy (break association between the environment, rules, and notification) - see Policy Deletion.

  • Users delete (offboard) the environment for which the finding is created.

  • Users delete the rule that generated the finding or the ruleset that contains the rule.

  • Users delete the notification to be sent when the finding is generated.

    Note - The passed notification is sent only to the valid (not misconfigured) integrations available at the time of the notification deletion.

Actions

You can create an exclusion from a finding, to exclude more findings equivalent to it. You can exclude the specific ruleset, rule, and entity, or widen the exclusion to include all entities in the rule, all accounts, or all rules in the ruleset.

You cannot apply this action to more than one finding at a time.

  1. Select the finding in the table.

  2. From the menu, select Exclude.

  3. In the Create New Exclusion window, the specific ruleset, rule, environment, and entity are selected, which excludes only this specific combination.

    Clear the choices to widen the exclusion and cover all rules, environments, or entities.

  4. Add a comment to distinguish the exclusion. The comment field is mandatory.

  5. Click Save to create the exclusion.

    The Exclusion icon appears on the Overview header of the Entity Card.

  6. You can manage the exclusion on the Exclusions page in the Posture Management menu.

Best Practice - If you clone a ruleset and run an assessment with it, you can see duplicate findings for the initial and cloned rulesets. Create an exclusion to hide the duplicate findings.

You can acknowledge a finding to show it as read. This does not close the finding or indicate that it is resolved.

  1. Select one or more findings in the table.

  2. From the menu, select Acknowledge.

  3. In the Acknowledge Finding box, optionally, add a comment with the reason for acknowledgment.

    These comments are seen by all users who can see the finding.

  4. Click Acknowledge. The Acknowledgment icon appears on the Overview header of the Entity Card.

    In addition, your comment appears in the Comments section of the Entity Card, with information of the date, time, and user that made it.

It is possible to create a remediation and associate it with the rules underlying findings. These remediations are applied to cloud resources to correct the issues that caused the finding. CloudGuard Cloudbots are an example of remedies.

You cannot apply this action to more than one finding at a time.

  1. Select the finding in the table.

  2. From the menu, select Remediate.

  3. Complete the details for the remediation (see Adding Remediation) and then click SAVE.

  4. The Remediation icon appears on the Overview header of the Entity Card.

Apply a CloudBot solution to a found issue immediately, directly from the findings and events. This is applicable to AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. and AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. environments, where you already deployed one or more CloudBots.

You cannot do this action for more than one finding at a time.

  1. Select a finding or event in the table.

  2. From the menu, select Fix it.

  3. In the Remediate Now window, select a CloudBot and enter required parameters (if applicable).

  4. Optionally, to add one or more CloudBots, click Add.

  5. Click Execute. The Remediation Execution Status window opens. This window shows the results of the bot application in the Bot Trigger and Execution Status columns.

    See the table below:

    Bot Trigger

    Execution Status

    Description

    Failed

    -

    The bot was not triggered because of an endpoint problem.

    Success

    Failed

    You triggered the bot successfully but its execution failed. Click to open the System Audit Logs and see e the audit log entry of the bot event.

    Success

    Success

    You triggered the bot successfully, and its execution was successful. Click to open the System Audit Logs and see the audit log entry of the bot event.

You can add a text comment to the finding. Users who can view the finding on the Events page, based on their permissions, can see the comment.

  1. Select one or more findings in the table.

  2. From the menu, select Comment.

  3. Enter text in the Comment field.

  4. Click Add to save the comment.

You can repeat the steps to add more than one comment to a finding.

You can close a finding found by a source, which is not Compliance, external findings, or Qualys source. This action deletes the alert from the elastic search. You cannot recover the deleted alert in the future.

  1. Select one or more findings in the table.

  2. From the menu, select Close Alert.

  3. Click Close Alert to confirm the action.

You can change the view and see only applicable and important findings if you keep less applicable findings in an archive. Archived findings are not seen in the findings page, and you cannot apply an action to them. Resolved findings are deleted even if they are archived.

To archive findings:

  1. Select one or more findings in the table.

  2. From the menu, select Archive. CloudGuard moves the selected findings to the Archive View.

  3. Toggle the Archive View slider from OFF to ON to see the archived findings.

To change archived findings:

  1. Toggle the Archive View slider from OFF to ON to see the archived findings.

  2. Select one or more findings that are necessary to change.

  3. Click Unarchive to restore the findings in the primary findings view.

  4. Click Close to permanently close the findings.

If you do not agree with one of the alert parameters or think it is erroneous, you can report the alert and provide a reason.

  1. Select one or more findings in the table.

  2. Click the three-dots menu and select Report an issue to report an alert.

  3. Select a reason from the list:

    1. False positive

    2. Wrong severity

    3. Remediation issue

    4. Incorrect information

    5. Other

  4. Optionally, you can add a comment to provide more details.

  5. Click Report.

You can set the severity level for the finding from the list:

  • High

  • Medium

  • Low

  • Critical

  • Informational

For more information on severity levels, see Severity Levels.

Users who can view the finding on the Events page, based on their permissions, can see this attribute. It is useful for filtering the list of findings.

  1. Select one or more findings in the table.

  2. Click the three-dots menu and select Change Severity.

  3. Select the new Severity of the finding from the list. Initially, it is the severity of the rule that found it.

  4. Click Save.

You can assign the finding to a CloudGuard user to take more steps, such as remedial actions.

Users who can view the finding on the Events page, based on their permissions, can see this attribute to filter the list of findings.

To assign findings:

  1. Select one or more findings in the table.

  2. Click the three-dots menu and select Assign.

  3. Select a user email address from the Assign user list. Possible assignees are all users of the CloudGuard account.

  4. Click Save.

To remove findings assignment:

  1. Select one or more findings in the table.

  2. From the menu, select Assign.

  3. From the Assign user list, select Unassigned. This removes the assignment from all users it was assigned to.

  4. Click Save.

You can export selected findings to a CSVClosed Common Vulnerabilities and Exposures is a collection of publicly disclosed vulnerabilities and exposures maintained by the MITRE corporation. file. You can export all findings or those shown in a filtered view on the Events page.

In the findings table, select a time interval and filter the view to show the necessary findings to export (or skip this step to show all findings for the time interval).

  1. Click Export in the top right.

  2. Select how to receive the report file - download directly from the CloudGuard portal or from an email message.

    1. Click CSV Report - Download to save the file in your computer.

      Note - You cannot download the file if the table contains more than 10,000 entries. Apply a filter to decrease the number of entries.

    2. Click CSV Report - Email to receive the download link by email. Enter your email address and follow instructions in the received message.

Use the filter action buttons on the filter bar to save or clear your search criteria.

You can save all your currently applied filters. The saved filters are stored in two groups: public or private.

  1. In the filters area, click Saved Filters.

  2. Enter the filter name.

  3. Select Public for other users to see the filter. If not, the filter is private and only seen by you.

  4. Click Save.

  5. To use the filter, click Saved Filters and select it from the list.

To clear all applied filters, click Clear All in the filters area.

Known Limitations

The Fix it option is not applicable to GCPClosed Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube. environments.

More Links