Security Findings Explorer


Overview

The Findings Explorer allows you to:

  • Review the detailed configuration of a resource
  • Review the detection rules applied to your resources by CSPM
  • Review tags for more context about who owns the resource and where it resides in your environment
  • Read descriptions and guidelines based on industry resources for remediating a misconfigured resource
  • Use the “time selector” to explore your security configuration posture at any point in the past

In addition to reviewing and responding to findings, you can set notifications for failed findings, and configure signals to correlate and triage misconfigurations in the same view as real-time threats generated by Cloud SIEM and Cloud Workload Security. This allows users to accelerate investigations, because the root cause of many of today’s cloud breaches is a misconfigured service that has been exploited by an attacker.

Set a findings time window using the dropdown

Findings

A finding is the primary primitive for a rule evaluation against a resource. Every time a resource is evaluated against a rule, a finding is generated with a Pass or Fail status. Resources are evaluated in increments between 15 minutes and four hours (depending on type). Datadog generates new findings as soon as a new scan is completed, and stores a complete history of all findings for the past 15 months so they are available in case of an investigation or audit.

An overview of the Posture Management Findings page

Explore your cloud misconfigurations with Findings

Click an individual failed finding to see details about the misconfigured resource, the rule description, its framework or industry benchmark mapping, and suggested remediation steps.

Failed signals in the side panel

Aggregate findings by rule using the query search bar. This view shows a checklist of all of the detection rules that Datadog scans for. Filtering by the evaluation:fail status narrows the list to the detection rules with failures that need to be addressed.

Filtering by evaluation fail

The side panel shows details of each resource that has been evaluated by the rule.

Ranked order resources in the side panel

Findings can also be aggregated by resource to rank order resources that have failed the most rule evaluations so you can prioritize remediation.

Group and aggregate by resource in search

The side panel lists the detection rules that were evaluated against the resource, some of which you may choose to address to improve your security configuration posture.

Mute findings

Join the Beta!

Muted findings is a beta feature available to all CSPM customers. If you have feedback or questions, contact Datadog support.

Sometimes, a finding does not match the use case for your business, or you choose to accept it as a known risk. To ignore these findings, mute the finding for the impacted resource so you can focus on high-severity and critical findings.

For example, the rule “‘Block Public Access’ feature is enabled for S3 bucket” evaluates whether an S3 bucket is publicly accessible. If you have an S3 bucket with static assets that are meant to be publicly shared, you can mute the finding for that S3 bucket.

You can mute pass/fail findings at any time. Muting a finding removes it from the calculation of your posture score.
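The following script is an added example, not Datadog code or the CSPM engine, that models the concepts on this page end to end: a rule evaluated against resources produces pass/fail findings, findings are aggregated by rule (the checklist view) and by resource (the ranked view), and a mute with a reason and duration removes a finding from the posture score until it expires. The bucket schema (`block_public_acls` and friends), the rule IDs, the bucket ARNs and the posture-score formula are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)

# Constructed sample resources. The field names mirror the four S3 Block Public
# Access settings but are an assumption, not the CSPM resource schema.
SAMPLE_BUCKETS: List[Dict] = [
    {"id": "arn:aws:s3:::payroll-exports", "block_public_acls": True, "ignore_public_acls": True,
     "block_public_policy": True, "restrict_public_buckets": True, "versioning": True},
    {"id": "arn:aws:s3:::static-site-assets", "block_public_acls": False, "ignore_public_acls": False,
     "block_public_policy": False, "restrict_public_buckets": False, "versioning": False},
    {"id": "arn:aws:s3:::app-logs", "block_public_acls": True, "ignore_public_acls": True,
     "block_public_policy": False, "restrict_public_buckets": True, "versioning": False},
]


@dataclass
class Rule:
    rule_id: str
    name: str
    check: Callable[[Dict], bool]  # returns True when the resource passes


@dataclass
class Finding:
    rule_id: str
    resource_id: str
    status: str                       # "pass" or "fail"
    evaluated_at: datetime
    muted_until: Optional[datetime] = None
    mute_reason: Optional[str] = None

    def is_muted(self, now: datetime) -> bool:
        # A mute expires on its own once the chosen duration has passed.
        return self.muted_until is not None and now < self.muted_until


def s3_block_public_access(bucket: Dict) -> bool:
    # The bucket passes only if all four Block Public Access settings are on.
    keys = ("block_public_acls", "ignore_public_acls", "block_public_policy", "restrict_public_buckets")
    return all(bucket[k] for k in keys)


# Hypothetical rule IDs; the second rule name is invented for the example.
RULES: List[Rule] = [
    Rule("s3-block-public-access", "'Block Public Access' feature is enabled for S3 bucket",
         s3_block_public_access),
    Rule("s3-versioning", "S3 bucket versioning is enabled", lambda b: b["versioning"]),
]


def evaluate(resources: List[Dict], rules: List[Rule], now: datetime) -> List[Finding]:
    """One finding per (resource, rule) pair, each with a pass or fail status."""
    return [Finding(r.rule_id, res["id"], "pass" if r.check(res) else "fail", now)
            for res in resources for r in rules]


def failed_rules_checklist(findings: List[Finding]) -> Dict[str, List[str]]:
    """Aggregate by rule: which resources fail each rule (the evaluation:fail checklist)."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.status == "fail":
            out.setdefault(f.rule_id, []).append(f.resource_id)
    return out


def rank_resources_by_failures(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Aggregate by resource: resources with the most failed evaluations first."""
    return Counter(f.resource_id for f in findings if f.status == "fail").most_common()


def mute(findings: List[Finding], rule_id: str, resource_id: str,
         reason: str, duration: timedelta, now: datetime) -> Finding:
    """Mute one finding for a resource with a reason and a duration."""
    for f in findings:
        if f.rule_id == rule_id and f.resource_id == resource_id:
            f.muted_until = now + duration
            f.mute_reason = reason
            return f
    raise KeyError(f"no finding for {rule_id} on {resource_id}")


def posture_score(findings: List[Finding], now: datetime) -> float:
    """Percentage of unmuted findings that pass (assumed formula for the example)."""
    active = [f for f in findings if not f.is_muted(now)]
    if not active:
        return 100.0
    return round(100.0 * sum(f.status == "pass" for f in active) / len(active), 1)


if __name__ == "__main__":
    findings = evaluate(SAMPLE_BUCKETS, RULES, NOW)
    print("score before mute:", posture_score(findings, NOW))
    print("failing by rule:", failed_rules_checklist(findings))
    print("ranked resources:", rank_resources_by_failures(findings))
    mute(findings, "s3-block-public-access", "arn:aws:s3:::static-site-assets",
         "accepted risk: public static assets", 30 * DAY, NOW)
    print("score after mute:", posture_score(findings, NOW))
    print("score after mute expires:", posture_score(findings, NOW + 31 * DAY))
```

Muting the public-assets bucket raises the score because the finding drops out of the denominator, while the `app-logs` bucket, which is missing only `block_public_policy`, still fails and stays ranked at the top; once the 30-day mute lapses the original finding counts again, which is why an audit of muted findings by the Muted facet is worth doing before the expiry, not after.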

The Mute findings dialog box contains fields for specifying the reason and duration of the mute

  1. On the finding side panel, select a resource.
  2. Click Mute.
  3. Select a reason for the mute, for example, a fix is pending, it’s a false positive, or it’s an accepted risk.
  4. Enter an optional Description.
  5. Select the duration of the mute.
  6. Click Mute.

Unmute a finding

Muted findings automatically unmute after the specified mute duration expires. You can also manually unmute a finding.

  1. On the finding side panel, select the resource with the muted finding.
  2. Click Unmute.
  3. Select a reason for the unmute, for example, there’s no pending fix, it was a human error, or it’s no longer an accepted risk.
  4. Enter an optional Description.
  5. Click Unmute.

Audit your muted findings

To view your organization’s muted findings:

  • Sort by the Muted column on the Security Findings Explorer.
  • Filter the Security Findings Explorer using the Muted facet.

Further reading