Insights

Sysdig Secure (SaaS) has introduced a powerful visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment.

With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.

Highlights:

  • Birds-eye view of findings across environments and timelines, with responsive representations combined with summaries plus the linear events feed

  • Instantly hone in on problem areas or block out noisy results

  • Share views with team members

The Insights tool is intuitive and easy to use. Note the following design and usage attributes.

Log in to Sysdig Secure and select Insights.

Choose the resources you want to view from the top-left dropdown.

  • Cloud User Activity: Detects vulnerabilities and events related to user activity in connected cloud accounts. It includes User, Account, Region, Resource Category, Resource Type, and Resource.

  • Cloud Activity: Detects all findings in connected cloud accounts. Specifically, it includes Account, Region, Resource Category, Resource Type, and Resource.

  • Kubernetes Activity: Detects all findings in connected Kubernetes clusters, namespaces, and workloads. It includes Cluster, Namespace, Pod Owner, and Workload.

  • Node and Pod Activity:

  • Host and Container Activity:

The default view shown will be based on the findings in your environment.

If a particular type of resource is not connected in your environment, that page will show no findings.

Timeline

As with many other Sysdig tools, you scope by timespan using the timeline at the bottom of the page.

  • The default span is 14 days. You can choose other presets (3H, 12H, 1D, 3D, etc.) or set a span using the clickable calendar.

  • Insights display up to 14 days or 999 events, whichever comes first.

Visualization Panel

The power of the Insights tool resides in the Visualization panel.

Experiment with the Visualization panel features:

  • Concentric rings drill down the resources to the most granular findings. Note that the header labels each level in order (Account > Region > Resource Category > ...)

  • Hover over a target area for details, and click to isolate in the summary.

  • Change the Timeline.

  • Take advantage of Search | Show | Hide | Exclude.

Activity Panel: Summary

The Summary panel recapitulates the Visualization panel as an ordered list. It can be grouped by Rule or User activity.

Group by Rule

  • Click a line item to open the details. See at a glance the affected containers, images, rules, user names, etc.

  • Take advantage of Search | Show | Hide | Exclude.

Group by User | Rule

View the Summary grouped by User to help detect outlier behavior.

Expand the user entry to view details and click the arrow to switch to the event feed for that user, with events listed in reverse chronological order.

Cloud Activity Summary Panel

For AWS Cloud Activity, the summary also includes a link back to view the data in the AWS Console.

Activity Panel: Events

The Events panel replicates the Sysdig Secure Events feed. Click an entry in the time-based list to open its details.

Search | Show | Hide | Exclude

The Search bar works in conjunction with options in the Activity Summary.

  • Each line of the Activity Summary includes the Show (=), Hide (!=) and Exclude

    options.

    • Show (=): Click Show to add that finding to the Search bar, and to the page URL. The Visualization will be targeted accordingly.

    • Hide (!=): Click Hide to filter that finding from the Visualization, adding the filter to the Search and the URL.

    • Exclude

      : Click Exclude to refetch the data without the excluded entry. This cuts down on noisy repetitious results (which in some cases could cause the 999-item limit to be exceeded).

    Note that Show and Hide do not trigger a re-fetch of data.

  • Once you have excluded an entry, the Exclude icon

    is displayed in the Visualization header.

    • Click the icon to view the current exclusions.

    • Clear All Exclusions if desired.

Insights Team-Based Views and Sharing

Note:

  • Your team and user role influence what Insights you have access to.

  • The page URL persists search and filter items, and can be shared with team members with the same level of permissions.

See User and Team Administration for more detail.