Events

Events that appear in the summary view Events > All Events are generated from these sources:

This page does not show usual system or account events, such as account sign-ins or configuration issues, which appear in the API Audit Logs and System Audit Logs pages of the Events menu.

Configuring Events

You have to configure alerts from Compliance Engine, Intelligence, and other sources to appear on the Events page. For this, configure Notifications for these events. You have to do this for each policy separately, so you can control which rulesets and which environments generate events. To receive alerts from all rulesets and environments, configure this in each Policy.

In the Notification configuration window, make sure to select the Include in CloudGuard Events pages option.

All Events

The Events view shows all the findings in your secured environments. As the list can contain a large number of results, you can move through the list and view new findings that align with the search and filter criteria.

Alerts console elements

Item

Description

1

Filter and Search area

2

Action menu

3

Grouping bar

4

Findings table

You have many options to set up the Alerts console to view the applicable findings conveniently. For each table, CloudGuard automatically saves the changes you make in the table.

Filter and Search Area

The filters bar is at the top of the page and includes:

  • Preconfigured filters

  • Free text filter

  • Time frame filter

  • Action buttons: Clear All and Saved Filters

With the preconfigured filters, you can select to view events based on Organizational Units, severity, environment, and other parameters, or select to show or hide excluded and acknowledged findings. To add a preconfigured filter, click Add Filter and select as many filters as necessary from the list. The selected filters appear in the Search field, and the table is updated automatically based on them.

The free text filter allows you to enter text and use it as a filter. The entered text applies immediately to the current table.

With the time frame filter, you can view the findings according to their creation time. You can select one of the preconfigured periods or click Custom and select a custom date range.

Action Menu

When you select a finding, the actions applicable to this finding become available. Not all actions are available for all findings.

Use the menu for these actions:

  • Create an exclusion for a finding

  • Acknowledge or unacknowledge a finding

  • Create remediation for a finding

  • Immediately remediate an issue with a CloudBot

  • Add comments to the event

  • Close the finding

  • Archive the finding

  • Report issues related to the finding

  • Change the severity of the event

  • Assign an event to a CloudGuard user

For more actions and detailed information about them, see the steps below in Actions.

Findings Table

You can select one or more findings when you click the check box in their row. You can select all shown findings (a maximum of 1000 entries) when you click the check box in the table header.

Organize the table columns as necessary and adjust these parameters:

  • Visibility - To select which columns to see in the table, click Customize on the right.

  • Position - To change the column's location, click the column header and drag it to the desired location.

  • Width - To change the column width, drag the right separator line of its header in the desired direction. To adjust the width by the longest column value, double-click the right separator.

  • Sorting - To change between the default, ascending , or descending order of the entries, click the column header.

To restore the default settings of the table, click Reset Columns in the Action menu.

Group Arrangement

In the Grouping area, you can set up findings with the same parameters together, so they appear in the table below the same group title.

Arrange the findings by:

  • Severity

  • Created Time

  • Environment

  • Source, and so on

To group the findings, drag and drop the related column header into the grouping bar.

The selected header appears on the grouping bar, while all the findings are arranged by applicable groups.

Click the arrow on the left of each group name, to expand the group and see its contents. Click the arrow again to close the group.

To create more than one group level, drag more than one column header to the grouping bar.

Entity Card

Click a finding in the table to open an Entity Card with the finding details. Click X in the top right corner of the card to close the card and get back to the findings table.

The card contains these tabs:

  • Overview

  • Entity Viewer

  • Occurrences (if applicable)

Overview

The Overview header shows the summary of the finding:

  • Severity as defined in the applicable rule or use case

  • Date of creation

  • Event type (as an icon)

  • Occurrences number (as an icon)

  • Alert type by source engine that discovers it

  • Title of the applicable rule or use case.

  • Ruleset that contains the applicable rule or use case

  • Assignee - a user assigned to manage the finding, for example, set a remediation

  • Category - finding group

The Overview's primary part adds more details about the findings. It includes:

  • Title and link to the rule that did not pass the Compliance Engine finding, Intelligence, or Admission Control event

  • Ruleset

  • Rule or use case description

  • Remediation - See the actions that CloudGuard recommends

  • Last occurrence - It is possible to block the same event blocked more than one time. The alert appears only the first time, and the last occurrence reflects the last time the rule was violated by the same event

  • GSL expression - for more information on GSL, see Governance Specification Language (GSL)

Note - The actual rule is sometimes more complex than a GSL-code representation, so CloudGuard does not show the GSL code in Rulesets > Rule. Some Intelligence rule titles can change after you click the Investigate button.

The right section shows the entity, on which the rule fails, its link, the entity type, environment (account, cluster), region, and Organizational Unit.

Entity Viewer

The tab name is the name of the entity. It contains information about the configuration of the protected asset. Use the menu buttons to customize this view.

The entity can have the N/A (not available) status when:

  • The resource creation event was blocked, and it is not possible to create the entity on the environment.

  • The resource creation violation was detected. It is not possible to create the resource on the environment, but the Event can appear before the protected asset update in the CloudGuard backend. It can take up to five minutes for the entity link to appear in the alert.

Occurrences

For Threat and Security events, you can see a separate tab with the details of the event occurrences.

Each time the rule discovers a finding, CloudGuard registers this finding as a separate occurrence. CloudGuard aggregates the findings if they have the same environment, entity, and event (same GSL code). The time interval to group all occurrences in the same security event is 30 minutes. Each five minutes CloudGuard checks the traffic of the previous 30 minutes and alerts if necessary. As CloudGuard does not include the occurrences that were displayed before, some occurrences of the same event can overlap after the others in time intervals.

Click Investigate to open the event log in the Traffic Explorer and examine the actual log information for the selected entity at the event's time frame. To have a clearer view, drag the Source and Destination headers to the grouping bar.

The logs investigation is not available if the related logs passed the retention period.

Events Deletion

Posture findings and security events are deleted from the alerts console when they are considered resolved, that is, the rule is not violated anymore (passed). This happens when:

  • Users correct or remediate the issue that triggered the event.

  • Users voluntarily close the finding - see Closing findings.

  • Users delete the policy (break association between the environment, rules, and notification) - see Policy Deletion.

  • Users delete (offboard) the environment for which the finding is created.

  • Users delete the rule that generated the finding or the ruleset that contains the rule.

  • Users delete the notification to be sent when the finding is generated.

    Note - The passed notification is sent only to the valid (not misconfigured) integrations available at the time of the notification deletion.

Actions

Use the filter action buttons on the filter bar to save or clear your search criteria.

Known Limitations

The Fix it option is not applicable to GCPClosed Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube. environments.

More Links