Setup finding rules using entity filters
Findings: Findings are security discoveries that are based on the analysis of your IAM posture. They identify potential risks or weaknesses in how users and resources are configured or accessed. Findings are generated based on the rules you create, using entity filters to select relevant data. For example, a finding might identify that a user has access to a sensitive resource without appropriate controls in place, or that a user’s permissions are too broad for their role.
Finding Rule: A finding rule defines the criteria that need to be met in order for a finding to be generated. The rule is based on the entity filters you select, and it can be customized with different fields such as the name, severity, and description of the finding. Depending on the severity level you set, the findings will be grouped accordingly and displayed in the IAM Risk Analyzer for further review and action.
Creating finding rules is a crucial part of monitoring and understanding the security posture of your identity and access management (IAM) system. A finding rule lets you set the specific criteria that identify a potential security risk or gap, and the findings it produces are grouped by severity and displayed in the IAM Risk Analyzer, where you can analyze them in detail.
Navigate to the Rules & Playbooks Section
In the navigation sidebar, go to the Rules & Playbooks section and select the Finding Rules tab.
Create a New Rule
Click on the Create Rule button located at the top right corner of the page. This will open a modal where you can configure your new rule.
Select Entity Filters
In the modal, choose the entity filters you want to apply for this rule. These filters will help you select specific data (like users, resources, or connections) that you want to evaluate for findings.
Enter Rule Details
Name: Give your rule a descriptive name.
Description: Provide a brief description to explain the purpose of the rule.
Severity: Choose the severity level of the finding (e.g., informational, low, medium, high, critical) based on the importance of the risk identified by this rule.
Optional Fields: You can also add recommendations, references, and mitigations to provide additional context or actions related to the rule.
Preview Entities
Once you’ve entered the rule details, you can preview the entities that match the filters you’ve set. The table on the right-hand side will show you the selected entities. Use this preview to confirm that the filters are neither too broad (nearly every entity matches) nor too narrow (nothing matches) before you save; a rule that matches far more entities than you expect will generate a correspondingly large number of findings.
Save the Rule
When you’re satisfied with your configuration, click on Save. This will create the rule and it will appear in the Finding Rules table within the Rules & Playbooks section.
View Findings
After a short processing time (typically 1-5 minutes), your findings will start to be generated based on the rule you created. These findings are security discoveries that highlight potential risks or misconfigurations within your IAM system.
You can view these findings in the IAM Risk Analyzer by going to the Findings tab.
Let's say you want to create a rule that flags any user who has access to a highly sensitive resource but doesn't have the appropriate role. You would:
Set up filters to look for users (identities) with access to sensitive resources who do not hold the role that authorizes that access. Filtering only on access to sensitive resources would also flag users whose access is legitimate, so the role condition is what makes the rule precise.
Apply a severity of high to indicate that this is a serious risk.
Optionally, provide recommendations on how to reduce access or assign appropriate roles to these users.
Once the rule is created, the system will automatically generate a finding whenever a user with inappropriate access to a sensitive resource is detected. These findings will be displayed in the IAM Risk Analyzer for you to review and take action on.
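To make the mechanics of the example above concrete, here is an added example (written for this page, not the IAM Risk Analyzer's own code) that models a finding rule as a set of entity filters plus the rule fields described above, previews the matching entities, and generates findings grouped by severity. The entity attributes ("kind", "roles", "access", "sensitive", "required_roles"), the filter semantics (all filters must match), and the sample inventory are assumptions constructed for illustration.

```python
"""Added example for this page (not the product's own code): a minimal model of
how entity filters and the rule fields described above combine into findings.
Entity attributes ("kind", "roles", "access", "sensitive", "required_roles")
and the sample inventory are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Severity levels named on the page, lowest to highest.
SEVERITIES = ("informational", "low", "medium", "high", "critical")


@dataclass
class Entity:
    id: str
    kind: str          # "user" or "resource" (assumed entity kinds)
    attrs: dict = field(default_factory=dict)


# An entity filter is a predicate over one entity; it may consult the whole
# inventory so that a user filter can look at the resources the user reaches.
Filter = Callable[[Entity, Dict[str, Entity]], bool]


@dataclass
class FindingRule:
    name: str
    description: str
    severity: str
    filters: List[Filter]                      # every filter must match (AND)
    recommendations: List[str] = field(default_factory=list)
    references: List[str] = field(default_factory=list)
    mitigations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")


@dataclass
class Finding:
    rule: str
    severity: str
    entity_id: str
    description: str
    recommendations: List[str]


def preview(rule: FindingRule, inventory: Dict[str, Entity]) -> List[Entity]:
    """The 'Preview Entities' step: entities that satisfy every filter of the rule."""
    return [e for e in inventory.values() if all(f(e, inventory) for f in rule.filters)]


def evaluate(rules: List[FindingRule], inventory: Dict[str, Entity]) -> Dict[str, List[Finding]]:
    """Generate one finding per matching entity and group the findings by severity."""
    grouped: Dict[str, List[Finding]] = {s: [] for s in SEVERITIES}
    for rule in rules:
        for e in preview(rule, inventory):
            grouped[rule.severity].append(
                Finding(rule.name, rule.severity, e.id, rule.description, rule.recommendations))
    return grouped


# Filters for the worked example: a user who reaches a sensitive resource
# without holding any role that resource requires.
def is_user(e: Entity, inv: Dict[str, Entity]) -> bool:
    return e.kind == "user"


def sensitive_targets(e: Entity, inv: Dict[str, Entity]) -> List[Entity]:
    return [inv[r] for r in e.attrs.get("access", []) if inv[r].attrs.get("sensitive")]


def reaches_sensitive_resource(e: Entity, inv: Dict[str, Entity]) -> bool:
    return bool(sensitive_targets(e, inv))


def lacks_required_role(e: Entity, inv: Dict[str, Entity]) -> bool:
    roles = set(e.attrs.get("roles", []))
    return any(not roles & set(r.attrs.get("required_roles", []))
               for r in sensitive_targets(e, inv))


# Constructed sample inventory: alice reaches prod-db without the "dba" role,
# bob reaches it with that role, carol reaches only a non-sensitive resource.
INVENTORY: Dict[str, Entity] = {e.id: e for e in [
    Entity("prod-db", "resource", {"sensitive": True, "required_roles": ["dba"]}),
    Entity("wiki", "resource", {}),
    Entity("alice", "user", {"roles": ["analyst"], "access": ["prod-db", "wiki"]}),
    Entity("bob", "user", {"roles": ["dba"], "access": ["prod-db"]}),
    Entity("carol", "user", {"roles": ["analyst"], "access": ["wiki"]}),
]}

SENSITIVE_ACCESS_RULE = FindingRule(
    name="Sensitive resource reachable without required role",
    description="A user can reach a sensitive resource but holds none of the roles it requires.",
    severity="high",
    filters=[is_user, reaches_sensitive_resource, lacks_required_role],
    recommendations=["Remove the access path or assign the role the resource requires."],
)

if __name__ == "__main__":
    print("preview:", [e.id for e in preview(SENSITIVE_ACCESS_RULE, INVENTORY)])
    for sev, findings in evaluate([SENSITIVE_ACCESS_RULE], INVENTORY).items():
        for f in findings:
            print(f"[{sev}] {f.rule}: {f.entity_id}")
```

Running the script previews ["alice"] and emits a single high-severity finding for her; bob is excluded by the role condition and carol by the sensitive-resource condition, which is exactly the distinction the worked example above depends on. Dropping lacks_required_role from the filter list shows the noisy version of the rule, where bob is flagged as well.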