Insights

Note

Insights is a Beta feature and will be available first in the US East region.

Sysdig Secure (SaaS) has introduced a powerful new visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment. With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.


Highlights:

  • Bird's-eye view of findings across environments and timelines, combining responsive visualizations with summaries and the linear events feed

  • Instantly home in on problem areas or block out noisy results

  • Share views with team members

Access the Insights Page

The Insights page is enabled automatically as the landing page for Sysdig Secure in some cases and must be manually enabled in others. (Note that your Sysdig Secure region may affect availability as well during the roll-out phase.)

  • Default Landing Page: for users that connect a cloud account

  • Manually enable in SysdigLabs:

    • 30-Day Trial users

    • Existing or new Sysdig Secure enterprise users who have not connected a cloud account.

    These accounts must first enable Insights by logging in to Sysdig Secure as Admin, choosing User Profile, and toggling the feature On under SysdigLabs.

    When Insights is not enabled, these users will see either the Overview page (if enabled) or the Events feed as their default landing page.

Usage

The Insights tool is intuitive and easy to use. Note the following design and usage attributes.

Navigation

Choose the resources you want to view from the top-left dropdown.

  • Cloud User Activity: Detects vulnerabilities and events related to user activity in connected cloud accounts. It includes User, Account, Region, Resource Category, Resource Type, and Resource.

  • Cloud Activity: Detects all findings in connected cloud accounts. Specifically, it includes Account, Region, Resource Category, Resource Type, and Resource.

  • Kubernetes Activity: Detects all findings in connected Kubernetes clusters, namespaces, and workloads. It includes Cluster, Namespace, Pod Owner, and Workload.

  • Composite View: Detects and aggregates all findings from both the Cloud Activity and the Kubernetes Activity views. It includes Account, Region, Resource Category, Resource Type, Resource, Cluster, Namespace, Pod Owner, and Workload.

The default view is based on the findings in your environment. If there are events in both Cloud and Kubernetes, the Composite view is the default; otherwise the Cloud Activity or Kubernetes Activity view is chosen.

If a particular type of resource is not connected in your environment, that page will show no findings.

Timeline

As with many other Sysdig tools, you scope by timespan using the timeline at the bottom of the page.

  • The default span is 14 days. You can choose other presets (3H, 12H, 1D, 3D, etc.) or set a span using the clickable calendar.

  • Insights displays up to 14 days or 999 events, whichever comes first.

Visualization Panel

The power of the Insights tool resides in the Visualization panel.

Experiment with the Visualization panel features:

  • Concentric rings drill down from the broadest resource level to the most granular findings. Note that the header labels each level in order (Account > Region > Resource Category > ...).

  • Hover over a target area for details, and click to isolate in the summary.

  • Change the Timeline.

  • Take advantage of Search | Show | Hide | Exclude.

Activity Panel: Summary

The Summary panel recapitulates the Visualization panel as an ordered list, organized by Severity level and impacted Rule Name.

  • Click a line item to open the details. See at a glance the affected containers, images, rules, user names, etc.

  • Take advantage of Search | Show | Hide | Exclude.

Cloud Activity Summary Panel

For AWS Cloud Activity, the summary also includes a link back to view the data in the AWS Console.


Activity Panel: Events

The Events panel replicates the Sysdig Secure Events feed. Click an entry in the time-based list to open its details.


Search | Show | Hide | Exclude

The Search bar works in conjunction with options in the Activity Summary.

  • Each line of the Activity Summary includes the Show (=), Hide (!=), and Exclude (icon) options.

    • Show (=): Click Show to add that finding to the Search bar, and to the page URL. The Visualization will be targeted accordingly.

    • Hide (!=): Click Hide to filter that finding from the Visualization, adding the filter to the Search and the URL.

    • Exclude (icon): Click Exclude to refetch the data without the excluded entry. This cuts down on noisy, repetitious results (which in some cases could cause the 999-item limit to be exceeded).

    Note that Show and Hide do not trigger a re-fetch of data.

  • Once you have excluded an entry, the Exclude icon is displayed in the Visualization header.

    • Click the icon to view the current exclusions.

    • Clear All Exclusions if desired.
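The following Python is an added illustration, not Sysdig code: it models the distinction this section draws between Show/Hide (client-side filters over data already fetched under the 999-event cap, no refetch) and Exclude (a refetch with the entry removed before the cap applies). The findings, rule names, and the order in which the backend returns them are constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass

MAX_EVENTS = 999  # Insights shows up to 14 days or 999 events, whichever comes first


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    account: str
    region: str


# Constructed sample backend: one noisy low-severity rule floods the feed,
# and a rare high-severity rule sits behind it in fetch order.
NOISY = [Finding("Noisy Rule", "low", "acct-1", "us-east-1") for _ in range(1200)]
RARE = [Finding("Rare High Rule", "high", "acct-2", "eu-west-1") for _ in range(3)]
BACKEND = NOISY + RARE


def fetch(exclusions=frozenset(), limit=MAX_EVENTS):
    """Server-side fetch: exclusions are dropped *before* the cap, like Exclude."""
    kept = [f for f in BACKEND if f.rule not in exclusions]
    return kept[:limit]


def apply_filters(findings, show=None, hide=None):
    """Client-side Show (=) / Hide (!=): filters the already-capped result set."""
    out = findings
    if show:
        out = [f for f in out if all(getattr(f, k) == v for k, v in show.items())]
    if hide:
        out = [f for f in out if not any(getattr(f, k) == v for k, v in hide.items())]
    return out


def summary(findings):
    """Summary panel: counts per (severity, rule), most frequent first."""
    return Counter((f.severity, f.rule) for f in findings).most_common()


def hide_vs_exclude():
    """Returns (capped total, after Hide, after Exclude) for the noisy rule."""
    capped = fetch()
    hidden = apply_filters(capped, hide={"rule": "Noisy Rule"})
    excluded = fetch(exclusions={"Noisy Rule"})
    return len(capped), len(hidden), len(excluded)
```

Hiding the noisy rule leaves nothing, because the rare findings never made it past the cap; excluding it refetches and surfaces them.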

Insights Team-Based Views and Sharing

Note:

  • Your team and user role influence what Insights you have access to.

  • The page URL persists search and filter items, and can be shared with team members with the same level of permissions.

See User and Team Administration for more detail.