Findings
Set up & manage Insights & Findings within BalkanID, enabling users to define rules, prioritize findings, and automate actions to mitigate risks effectively.
Purpose
The IAM Risk Analyzer allows organizations to prioritize risks and findings by defining custom rules based on system-generated or user-defined insights. This feature ensures that the platform highlights actionable findings tailored to the organization’s unique requirements.
Goals
1. Define Insights: Enable users to identify and label entities with specific risks or attributes.
2. Generate Findings: Combine multiple insights into actionable findings that trigger alerts or playbooks.
3. Automate Actions: Empower users to take swift action on findings using playbooks and user actions.
4. Enable Contextual Understanding: Provide detailed information about insights and findings, including risk severity, mitigation options, and reference links.
Key Concepts
1. Insights
An Insight is a system or user-defined label that identifies a potential risk or characteristic associated with an entity.
System-Generated Insights Examples:
Weak MFA
Over Entitled
Duplicate Connection
User-Generated Insights Examples:
SoD Violation
Privileged
Details of an Insight:
Insight Name: Descriptive name (e.g., Okta Weak MFA)
Description: Context of the insight (e.g., “Identities with weak Okta MFA factors.”)
Details: Additional information about the risk (e.g., “Weak MFA methods: SMS or call.”)
Inherent Risk Rating: Pre-assigned risk level for the insight (Low, Medium, High).
Proposed Mitigations: Steps to mitigate the risk (e.g., Enforce TOTP, biometric login).
References: Links to external guidelines or frameworks (e.g., PCI DSS, MITRE).
2. Findings
A Finding aggregates multiple insights into an actionable risk alert. Findings provide a broader risk context and are used to trigger automated workflows.
Example Finding:
Name: Weak MFA Okta User with SoD Violation
Description: “User has weak MFA on Okta and violates SoD policies by accessing finance applications.”
Risk Rating: High
Components:
Weak MFA Insight
SoD Violation Insight
3. Key Relationships
Insights → Findings: Findings are built from one or more insights.
Entities → Insights: Insights are associated with entities (e.g., users, connections).
Finding Rules: Logical expressions that define how findings are generated from insights.
Creating an Insight
Step 1: Define Insight
Navigate to the Configure > Rules & Playbooks > Insights section.
Click Create Insight and enter:
Name: A descriptive title (e.g., Okta Weak MFA).
Description: Explanation of the insight.
Details: Add specifics like weak MFA methods or resource details.
Risk Rating: Assign an inherent risk level.
Proposed Mitigations: Suggest actions to resolve the issue.
References: Add relevant links or frameworks for context.
Step 2: Select Entities
Define the entities this insight applies to (e.g., users, connections).
Apply entity filters to narrow the scope (e.g., MFA methods = SMS or call).
Step 3: Review and Save
Verify the details of the insight and save it.
Creating a Finding Rule
Step 1: Select Insights and Entities
Navigate to the Configure > Rules & Playbooks > Finding Rules section.
Click Create Finding Rule and enter:
Name: Descriptive title (e.g., Weak MFA with SoD Violation).
Description: Explanation of the risk.
Select Insights: Choose insights to include in the rule.
Entity Filters: Add filters to refine the scope of the findings.
Step 2: Assign Risk Rating
Assign a Finding Risk Rating to represent the combined risk level.
Step 3: Review and Save
Confirm selections in a review modal and save the finding rule.
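To make the Key Relationships concrete (Entities → Insights → Findings), here is an added Python model of the two procedures above: insights are entity filters with an inherent risk rating, and a finding rule fires when all of its component insights are present on the same entity. This is example code, not BalkanID's implementation; the identity field names, the weak-factor list and the conflicting-entitlement pair are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample identities (field names are assumptions, not BalkanID's schema).
IDENTITIES = [
    {"id": "u1", "name": "alice", "mfa_factors": ["sms"],
     "entitlements": ["finance:create_vendor", "finance:approve_payment"]},
    {"id": "u2", "name": "bob", "mfa_factors": ["totp"],
     "entitlements": ["finance:create_vendor", "finance:approve_payment"]},
    {"id": "u3", "name": "carol", "mfa_factors": ["call", "totp"],
     "entitlements": ["jira:user"]},
    {"id": "u4", "name": "dave", "mfa_factors": ["webauthn"],
     "entitlements": ["finance:create_vendor", "finance:approve_payment"]},
]

RISK_ORDER = {"Low": 1, "Medium": 2, "High": 3}
WEAK_FACTORS = {"sms", "call"}                    # "Weak MFA methods: SMS or call"
SOD_CONFLICT = {"finance:create_vendor", "finance:approve_payment"}  # assumed toxic pair

@dataclass
class Insight:
    name: str
    risk: str                               # inherent risk rating: Low / Medium / High
    matches: Callable[[dict], bool]         # entity filter from "Step 2: Select Entities"

@dataclass
class FindingRule:
    name: str
    components: tuple                       # insight names that must all be present
    risk: str                               # finding risk rating for the combination

INSIGHTS = [
    Insight("Okta Weak MFA", "Medium", lambda i: bool(WEAK_FACTORS & set(i["mfa_factors"]))),
    Insight("SoD Violation", "High", lambda i: SOD_CONFLICT <= set(i["entitlements"])),
]
RULES = [FindingRule("Weak MFA with SoD Violation", ("Okta Weak MFA", "SoD Violation"), "High")]

def label_entities(identities, insights):
    """Entities -> Insights: attach every insight whose entity filter matches."""
    return {i["id"]: {ins.name for ins in insights if ins.matches(i)} for i in identities}

def generate_findings(labels, rules):
    """Insights -> Findings: a rule fires only when all its component insights co-occur."""
    findings = [{"entity": eid, "finding": r.name, "risk": r.risk, "components": sorted(r.components)}
                for eid, names in labels.items() for r in rules if set(r.components) <= names]
    return sorted(findings, key=lambda f: -RISK_ORDER[f["risk"]])   # highest risk first

if __name__ == "__main__":
    for f in generate_findings(label_entities(IDENTITIES, INSIGHTS), RULES):
        print(f)
```

Only alice (u1) carries both insights, so only she produces the finding; bob and dave have the SoD insight alone and carol the weak-MFA insight alone, which is the distinction a finding rule adds over a single insight.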
Viewing Insights and Findings
Navigate to the IAM Risk Analyzer dashboard > Findings section.
Click on a finding to:
View the contributing insights and details.
Take user actions (e.g., Review Access, Notify, Execute a Playbook, Execute a Webhook).
Use filters to view:
Insights: A list of all active insights with details.
Findings: Aggregated alerts with risk ratings.