All Events
The All Events page aggregates CloudGuard events generated from these sources:
- Posture Management
- CDR
- Serverless Runtime Protection
- Kubernetes Admission Control
- Image Assurance of containers and registries
- Containers Runtime Protection
This page does not show general system or account events, such as account sign-ins or configuration issues, which appear under the Operational section of the Events menu.
Configuring Events
You have to configure alerts from Compliance Engine, CDR, and other sources to appear on the Events page. For this, configure Notifications for these events. You have to do this for each policy separately, so you can control which rulesets and which environments generate events. To receive notifications from all rulesets and environments, configure this in each Policy.
In the Notification configuration window, make sure to select the Include in the CloudGuard Events page option.
Aggregated Events
The main (All) page shows a summary table for all security events in your environments. As the list can contain a large number of results, you can move through the list and view new findings that align with the search and filter criteria.
You have many options to set up the page so that you can conveniently view the applicable findings. Use the tabs to show separate pages with Posture Findings, CIEM, Threat & Security events, and more. CloudGuard automatically saves the changes you make to each table.
Filter and Search Area
The filters bar is at the top of the page and includes:
- Preconfigured filters
- Free text filter
- Time frame filter
- Saved filters (Favorites)
With the preconfigured filters, you can select to view events based on various parameters. To add a preconfigured filter, click the icon and select as many filters as necessary from the list. The selected filters appear in the Search field, and the table is updated automatically based on them.
The free text filter allows you to enter text and use it as a filter. The entered text applies immediately to the current table.
With the time frame filter, you can view the findings according to their creation time. You can select one of the preconfigured periods or click Custom and select a custom date range.
Action Menu
When you select a finding, the actions applicable to this finding become available. In addition, you can access the action menu from the finding sliding window. Not all actions are available for all findings.
Use the action menu for these actions:
- Create an exclusion for a finding
- Close the finding
- Acknowledge or unacknowledge a finding
- Add comments to the event
- Archive the finding
- Change the severity of the event
- Assign an event to a CloudGuard user
- Report issues related to the finding
- Immediately remediate an issue with a CloudBot
- Create remediation for a finding
For more actions and detailed information about them, see the steps below in Actions.
Findings Table
You can select one or more findings when you click the check box in their row.
Organize the table columns as necessary and adjust these parameters:
- Visibility - To select which columns to see in the table, click Columns on the right.
- Position - To change the column's location, click the column header and drag it to the desired location.
- Width - To change the column width, drag the right separator line of its header in the desired direction. To adjust the width to the longest column value, double-click the right separator.
- Sorting - To change between the default, ascending, or descending order of the entries, click the column header.
To restore the default settings of the table, click Reset in the Columns menu.
Group Arrangement
With the Group By menu, you can set up findings with the same parameters together, so they appear in the table below the same group title.
Arrange the findings by:
- Action
- Title
- Severity
- Environment, and so on
To group the findings, select a category from the Group By list. All findings are arranged by applicable groups.
Click the arrow on the left of each group name to expand the group and see its contents. Click the arrow again to close the group.
Finding Details
Click a finding in the table to open a sliding window with the finding details. The details can be different based on the finding type and include a different number of tabs.
The finding details contain basic information such as the finding source, environment, applied ruleset, etc. On the Overview tab, see where the finding was found and which rule was triggered. On the Entity Viewer tab, see the underlying finding structure.
The information can include:
- Severity as defined in the applicable rule or use case
- Date of creation
- Assignee - a user assigned to manage the finding, for example, to set a remediation
- Title of the applicable rule or use case
- Ruleset that contains the applicable rule or use case
- Remediation - See the actions that CloudGuard recommends
- GSL expression - for more information on GSL, see Governance Specification Language (GSL)
Note - The actual rule is sometimes more complex than a GSL-code representation, so CloudGuard does not show the GSL code in Rulesets > Rule.
On the Overview tab, see the finding description, remediation (if available), and the analysis period.
On the Permissions tab, see the Entitlement Map.
For more information on CIEM findings, see Findings.
The Event Graph is a visual representation of account activity and network activity. It is supported for AWS and Azure. The location icon appears above the entity for which you opened the Event Graph. To see details about an asset, hover over its icon. To see a table that shows the occurrences of an event, hover over the Occurrences icon.
For an activity event, the graph shows the relationship between the Identity, Issuer, and Target.
For a network event, the graph shows the network topology between Internal and External networks.
Based on the asset type, permissions, and connected services, asset details can have these symbols:
Icon | Meaning | Explanation
---|---|---
 | Risk score | Read more in Risk Calculation
 | | Read more in Entitlement Map
 | Business priority | Read more in Business Priority
 | Network exposure | Read more in Network Exposure and IAM Exposure
To see a table of events for an asset, click its icon.
The table shows other events that occurred for the asset within the past 30 days. The table row of the selected event is highlighted in blue.
The logs investigation is not available if the related logs passed the retention period.
For more information, see Intelligence Security Events.
For Threat and Security events, on the Occurrences tab, you see the details of the event occurrences.
Each time the rule discovers a finding, CloudGuard registers this finding as a separate occurrence. CloudGuard aggregates the findings if they have the same environment, entity, and event (same GSL code). The time interval for grouping all occurrences into the same security event is 30 minutes. Every five minutes, CloudGuard checks the traffic of the previous 30 minutes and alerts if necessary. Because occurrences that were already displayed are not included again, the time intervals of consecutive occurrences of the same event can overlap.
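The grouping rule described above, as an added example that is not code from the CloudGuard product or its documentation. It assumes that the 30-minute window is anchored on the first occurrence of an event (the page does not say how the window is anchored), it uses constructed occurrences, and the string "rule-A" is a stand-in for a real GSL expression:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Interval stated on the page for grouping occurrences into one security event.
GROUPING_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Occurrence:
    """One detection of a rule against an entity (constructed for this example)."""
    environment: str
    entity: str
    gsl: str          # the rule's GSL code; a placeholder string stands in for it here
    seen_at: datetime


@dataclass
class SecurityEvent:
    """Occurrences with the same environment, entity and GSL code, grouped in time."""
    environment: str
    entity: str
    gsl: str
    occurrences: list = field(default_factory=list)

    @property
    def first_seen(self) -> datetime:
        return self.occurrences[0].seen_at

    def accepts(self, occ: Occurrence) -> bool:
        # Same grouping key, and the occurrence falls inside the window measured
        # from this event's first occurrence (assumption: window anchored there).
        same_key = (occ.environment, occ.entity, occ.gsl) == (self.environment, self.entity, self.gsl)
        return same_key and occ.seen_at - self.first_seen <= GROUPING_WINDOW


def aggregate(occurrences: list[Occurrence]) -> list[SecurityEvent]:
    """Group occurrences into security events.

    Occurrences are processed in time order. Each one joins the most recent
    event that accepts it; otherwise a new event is opened. An occurrence is
    assigned exactly once, so it is never reported under two events.
    """
    events: list[SecurityEvent] = []
    assigned: set[Occurrence] = set()
    for occ in sorted(occurrences, key=lambda o: o.seen_at):
        if occ in assigned:
            continue
        target = next((ev for ev in reversed(events) if ev.accepts(occ)), None)
        if target is None:
            target = SecurityEvent(occ.environment, occ.entity, occ.gsl)
            events.append(target)
        target.occurrences.append(occ)
        assigned.add(occ)
    return events


# Constructed sample: one rule firing repeatedly against one security group in one
# environment, plus a single hit on another entity. "rule-A" stands in for GSL code.
_T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_OCCURRENCES = [
    Occurrence("prod-aws", "sg-example", "rule-A", _T0),
    Occurrence("prod-aws", "sg-other", "rule-A", _T0 + timedelta(minutes=5)),
    Occurrence("prod-aws", "sg-example", "rule-A", _T0 + timedelta(minutes=10)),
    Occurrence("prod-aws", "sg-example", "rule-A", _T0 + timedelta(minutes=25)),
    # 45 minutes after the first occurrence: outside the window, so a new event.
    Occurrence("prod-aws", "sg-example", "rule-A", _T0 + timedelta(minutes=45)),
]


def demo() -> list[SecurityEvent]:
    """Aggregate the constructed sample; yields three events with 3, 1 and 1 occurrences."""
    return aggregate(SAMPLE_OCCURRENCES)


if __name__ == "__main__":
    for ev in demo():
        times = ", ".join(o.seen_at.strftime("%H:%M") for o in ev.occurrences)
        print(f"{ev.environment}/{ev.entity} [{ev.gsl}] first {ev.first_seen:%H:%M}: {times}")
```

The five-minute sweep the page describes only changes when an occurrence becomes visible; under the anchoring assumption above it does not change which event the occurrence joins, so the example leaves the polling out and models only the grouping decision.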
Click Investigate to open the event log in the Traffic Explorer and examine the actual log information for the selected entity at the event's time frame. To have a clearer view, drag the Source and Destination headers to the grouping bar.
The logs investigation is not available if the related logs passed the retention period.
For more information, see Intelligence for Kubernetes Containers.
On the CVE tab, see the list of CVEs found in the container registry images sorted by severity.
Fields for Kubernetes images:
- Title - The specific ID or type for which the finding is created based on the finding category.
  - ImageScan findings have the title with the name of the image
  - Common Vulnerabilities and Exposures (CVE) findings have the title with the CVE ID
- Description - The issue description, for example, the CVE description as it appears in the National Vulnerability Database (NVD).
- Environment - The Kubernetes cluster that contains the image with the finding.
For more information, see Vulnerability Findings (Image Assurance).
Entity Viewer
The Entity Viewer tab contains information about the configuration of the protected asset. Use the menu buttons to customize this view.
The entity can have the N/A (not available) status when:
- The resource creation event was blocked, and it is not possible to create the entity on the environment.
- The resource creation violation was detected. It is not possible to create the resource on the environment, but the event can appear before the protected asset is updated in the CloudGuard backend. It can take up to five minutes for the entity link to appear in the finding.
Events Deletion
Posture findings and security events are deleted from the Events page when they are considered resolved, that is, the rule is not violated anymore (passed). This happens when:
- Users correct or remediate the issue that triggered the event.
- Users voluntarily close the finding - see Closing findings.
- Users delete the policy (break the association between the environment, rules, and notification) - see Policy Deletion.
- Users delete (offboard) the environment for which the finding is created.
- Users delete the rule that generated the finding or the ruleset that contains the rule.
- Users delete the notification to be sent when the finding is generated.
Note - The passed notification is sent only to the valid (not misconfigured) integrations available at the time of the notification deletion.
Actions
You can also access the action menu from the finding sliding window.
You can create an exclusion from a finding, to exclude more findings equivalent to it. You can exclude the specific ruleset, rule, and entity, or widen the exclusion to include all entities in the rule, all accounts, or all rules in the ruleset.
You cannot apply this action to more than one finding at a time.
- Select the finding in the table.
- From the menu, select Exclude.
- In the Create New Exclusion window, the specific ruleset, rule, environment, and entity are selected, which excludes only this specific combination. Clear the choices to widen the exclusion and cover all rules, environments, or entities.
- Add a comment to distinguish the exclusion. The comment field is mandatory.
- Click Save to create the exclusion. The Exclusion icon appears on the Overview header of the Entity Card.
- You can manage the exclusion on the Exclusions page in the CSPM/CIEM/CDR/Workload Protection > Admission Control or Vulnerabilities menu. See Configuring CloudGuard Exclusions.
Best Practice - If you clone a ruleset and run an assessment with it, you can see duplicate findings for the initial and cloned rulesets. Create an exclusion to hide the duplicate findings.
You can acknowledge a finding to show it as read. This does not close the finding or indicate that it is resolved.
- Select one or more findings in the table.
- From the menu, select Acknowledge.
- In the Acknowledge Finding box, optionally, add a comment with the reason for acknowledgment. These comments are seen by all users who can see the finding.
- Click Acknowledge. The Acknowledgment icon appears on the Overview header of the Entity Card.
In addition, your comment appears in the Comments section of the Entity Card, with information of the date, time, and user that made it.
You can create a remediation and associate it with the rule underlying a finding. These remediations are applied to cloud resources to correct the issues that caused the finding. CloudGuard CloudBots are one example of such remediations.
You cannot apply this action to more than one finding at a time.
- Select the finding in the table.
- From the menu, select Remediate.
- Complete the details for the remediation (see Adding Remediation) and then click SAVE.
- The Remediation icon appears on the Overview header of the Entity Card.
Apply a CloudBot solution to a found issue immediately, directly from the findings and events. This is applicable to AWS and Azure environments, where you already deployed one or more CloudBots.
You cannot do this action for more than one finding at a time.
- Select a finding or event in the table.
- From the menu, select Fix it.
- In the Remediate Now window, select a CloudBot and enter the required parameters (if applicable).
- Optionally, to add one or more CloudBots, click Add.
- Click Execute. The Remediation Execution Status window opens. This window shows the results of the bot application in the Bot Trigger and Execution Status columns.
See the table below:
Bot Trigger | Execution Status | Description
---|---|---
Failed | - | The bot was not triggered because of an endpoint problem.
Success | Failed | You triggered the bot successfully, but its execution failed. Click to open the System Audit Logs and see the audit log entry of the bot event.
Success | Success | You triggered the bot successfully, and its execution was successful. Click to open the System Audit Logs and see the audit log entry of the bot event.
You can add a text comment to the finding. Users who can view the finding on the Events page, based on their permissions, can see the comment.
- Select one or more findings in the table.
- From the menu, select Comment.
- Enter text in the Comment field.
- Click Add to save the comment.
You can repeat the steps to add more than one comment to a finding.
You can close a finding found by any source other than Compliance, external findings, or Qualys. This action deletes the alert from Elasticsearch. You cannot recover the deleted alert later.
- Select one or more findings in the table.
- From the menu, select Close Alert.
- Click Close Alert to confirm the action.
To see only the applicable and important findings, you can move less applicable findings to an archive. Archived findings are not shown on the findings page, and you cannot apply an action to them. Resolved findings are deleted even if they are archived.
To archive findings:
- Select one or more findings in the table.
- From the menu, select Archive. CloudGuard moves the selected findings to the Archive View.
- Toggle the Archive View slider from OFF to ON to see the archived findings.
To change archived findings:
- Toggle the Archive View slider from OFF to ON to see the archived findings.
- Select one or more findings that you need to change.
- Click Unarchive to restore the findings to the primary findings view.
- Click Close to permanently close the findings.
If you do not agree with one of the alert parameters or think it is erroneous, you can report the alert and provide a reason.
- Select one or more findings in the table.
- Click the three-dots menu and select Report an issue to report an alert.
- Select a reason from the list:
  - False positive
  - Wrong severity
  - Remediation issue
  - Incorrect information
  - Other
- Optionally, you can add a comment to provide more details.
- Click Report.
You can set the severity level for the finding from the list:
- High
- Medium
- Low
- Critical
- Informational
For more information on severity levels, see Severity Levels.
Users who can view the finding on the Events page, based on their permissions, can see this attribute. It is useful for filtering the list of findings.
- Select one or more findings in the table.
- Click the three-dots menu and select Change Severity.
- Select the new Severity of the finding from the list. Initially, it is the severity of the rule that found it.
- Click Save.
You can assign the finding to a CloudGuard user to take more steps, such as remedial actions.
Users who can view the finding on the Events page, based on their permissions, can see this attribute to filter the list of findings.
To assign findings:
- Select one or more findings in the table.
- Click the three-dots menu and select Assign.
- Select a user email address from the Assign user list. Possible assignees are all users of the CloudGuard account.
- Click Save.
To remove a findings assignment:
- Select one or more findings in the table.
- From the menu, select Assign.
- From the Assign user list, select Unassigned. This removes the assignment from all users it was assigned to.
- Click Save.
You can export selected findings to a CSV file. You can export all findings or those shown in a filtered view on the Events page.
- In the findings table, select a time interval and filter the view to show the findings to export (or skip this step to show all findings for the time interval).
- Click Export in the top right.
- Select how to receive the report file - download it directly from the CloudGuard portal or from an email message.
  - Click CSV Report - Download to save the file on your computer. Note - You cannot download the file if the table contains more than 10,000 entries. Apply a filter to decrease the number of entries.
  - Click CSV Report - Email to receive the download link by email. Enter your email address and follow the instructions in the message received.
Use the filter action buttons on the filter bar to save or clear your search criteria.
You can save all your currently applied filters. The saved filters are stored in two groups: public or private.
- In the filters area, click Saved Filters.
- Enter the filter name.
- Select Public for other users to see the filter. Otherwise, the filter is private and seen only by you.
- Click Save.
- To use the filter, click Saved Filters and select it from the list.
To clear all applied filters, click Clear All in the filters area.
Known Limitations
The Fix it option is not applicable to GCP environments.