All Events

The All Events page aggregates CloudGuard events generated from these sources:

This page does not show general system or account events, such as account sign-ins or configuration issues; these appear under the Operational section of the Events menu.

Configuring Events

For alerts from the Compliance Engine, CDR, and other sources to appear on the Events page, you have to configure Notifications for them. Do this for each policy separately, so that you can control which rulesets and which environments generate events. To receive notifications from all rulesets and environments, configure this in each Policy.

In the Notification configuration window, make sure to select the Include in the CloudGuard Events page option.

Aggregated Events

The main (All) page shows a summary table for all security events in your environments. Because the list can contain a large number of results, scroll through it to view further findings that match the search and filter criteria.

You have many options to set up the page so that you can conveniently view the applicable findings. Use the tabs to show separate pages with Posture Findings, CIEM, Threat & Security events, and more. CloudGuard automatically saves the changes you make to each table.

Filter and Search Area

The filters bar is at the top of the page and includes:

  • Preconfigured filters

  • Free text filter

  • Time frame filter

  • Saved filters (Favorites)

With the preconfigured filters, you can select to view events based on various parameters. To add a preconfigured filter, click the icon and select as many filters as necessary from the list. The selected filters appear in the Search field, and the table is updated automatically based on them.

The free text filter allows you to enter text and use it as a filter. The entered text applies immediately to the current table.

With the time frame filter, you can view the findings according to their creation time. You can select one of the preconfigured periods or click Custom and select a custom date range.

Action Menu

When you select a finding, the actions applicable to this finding become available. In addition, you can access the action menu from the finding sliding window. Not all actions are available for all findings.

Use the action menu for these actions:

  • Create an exclusion for a finding

  • Close the finding

  • Acknowledge or unacknowledge a finding

  • Add comments to the event

  • Archive the finding

  • Change the severity of the event

  • Assign an event to a CloudGuard user

  • Report issues related to the finding

  • Immediately remediate an issue with a CloudBot

  • Create remediation for a finding

For more actions and detailed information about them, see the steps below in Actions.

Findings Table

You can select one or more findings when you click the check box in their row.

Organize the table columns as necessary and adjust these parameters:

  • Visibility - To select which columns to see in the table, click Columns on the right.

  • Position - To change the column's location, click the column header and drag it to the desired location.

  • Width - To change the column width, drag the right separator line of its header in the desired direction. To fit the width to the longest value in the column, double-click the right separator.

  • Sorting - To change between the default, ascending, or descending order of the entries, click the column header.

To restore the default settings of the table, click Reset in the Columns menu.

Group Arrangement

With the Group By menu, you can group findings that share the same parameter value, so that they appear in the table under a common group title.

Arrange the findings by:

  • Action

  • Title

  • Severity

  • Environment, and so on

To group the findings, select a category from the Group By list. All findings are arranged by applicable groups.

Click the arrow on the left of each group name to expand the group and see its contents. Click the arrow again to close the group.

Finding Details

Click a finding in the table to open a sliding window with the finding details. The details shown, and the number of tabs, depend on the finding type.

The finding details contain basic information such as the finding source, environment, and applied ruleset. On the Overview tab, see where the finding was found and which rule was triggered. On the Entity Viewer tab, see the underlying finding structure.

Entity Viewer

The Entity Viewer tab contains information about the configuration of the protected asset. Use the menu buttons to customize this view.

The entity can have the N/A (not available) status when:

  • The resource creation event was blocked, so the entity cannot be created in the environment.

  • A resource creation violation was detected. The resource cannot be created in the environment, but the event can appear before the protected asset is updated in the CloudGuard backend. It can take up to five minutes for the entity link to appear in the finding.

Events Deletion

Posture findings and security events are deleted from the Events page when they are considered resolved, that is, the rule is not violated anymore (passed). This happens when:

  • Users correct or remediate the issue that triggered the event.

  • Users voluntarily close the finding - see Closing findings.

  • Users delete the policy (break association between the environment, rules, and notification) - see Policy Deletion.

  • Users delete (offboard) the environment for which the finding is created.

  • Users delete the rule that generated the finding or the ruleset that contains the rule.

  • Users delete the notification to be sent when the finding is generated.

    Note - The passed notification is sent only to the valid (not misconfigured) integrations available at the time of the notification deletion.

Actions

You can also access the action menu from the finding sliding window.

Use the filter action buttons on the filter bar to save or clear your search criteria.

Known Limitations

The Fix it option is not applicable to GCP (Google Cloud Platform) environments.
