Work with risks

The Risks page provides information on risks across all your onboarded cloud accounts (such as AWS, Azure, and Google Cloud). From it, you can explore, activate, and suppress whole risks or individual risk triggers, export risk trigger details, identify affected assets, open rules in the context of their policy sets, and create risk reports.

Risks are determined based on CloudFlow risk profiles. To learn how to set and manage risk profiles, see Manage CloudFlow risk profiles.

View risks and risk details

To access the Risks page in CloudFlow, click the RISKS icon on the main menu on the left.

The RISKS page loads, listing risks detected across your cloud inventory on the left and the details of the currently selected risk on the right.

Search and filter risks

Use the Search field to display a Risks list whose titles contain a specific string. The Search field can be used in conjunction with Risk filters to find required risks efficiently.

Risk filters

Use the filters located at the top of the page to view a more focused list of risks. You can filter based on any of the following:

  • Cloud type

  • Account

  • Region

  • Virtual Networks

  • Tags

  • Risk severity

  • Detection date

Important: Configuring one or more filters can result in no risks matching the filter criteria, because all configured filters must match at once.

Note:

  • Multiple values, single values, or no value can be selected for all filters (except Detection date which can have either a single date range or no value selected)

  • Virtual Networks filter is only enabled when one account is selected

  • Between filters the Boolean AND operator applies

  • Between values within a filter, the Boolean OR operator applies

  • When Detection date has no value selected, the results will show risks detected from when the account was onboarded until the present date.
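The filter semantics above (AND between filters, OR between the values of one filter, an inclusive date range, and the Virtual Networks filter only being valid with a single selected account) are easy to get wrong when reproducing a Risks view outside the UI, for example when reconciling an exported CSV against a ticket. The following is an added example written for this page, not CloudFlow code: the Risk fields, the sample risks and the value shapes are constructed assumptions chosen to mirror the filter list.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Risk:
    """One row of the Risks list, reduced to the fields the filters act on.
    The field set and value shapes are assumptions made for this example."""
    name: str
    cloud_type: str
    account: str
    region: str
    virtual_network: str
    tags: frozenset
    severity: str
    detected: date


# Constructed sample data; not real CloudFlow output.
SAMPLE_RISKS = [
    Risk("Inbound From Any allow Any service", "AWS", "prod-aws", "us-east-1",
         "vpc-prod", frozenset({"env:prod"}), "Critical", date(2024, 4, 1)),
    Risk("Outbound to Any", "AWS", "dev-aws", "eu-west-1",
         "vpc-dev", frozenset({"env:dev"}), "Medium", date(2024, 5, 10)),
    Risk("Inbound From Any allow Any service", "Azure", "prod-azure", "westeurope",
         "vnet-prod", frozenset({"env:prod", "pci"}), "Critical", date(2024, 3, 26)),
    Risk("SSH open to the internet", "GCP", "prod-gcp", "europe-west1",
         "vpc-gcp", frozenset({"env:prod"}), "High", date(2024, 6, 2)),
]


def detection_range(start_iso, end_iso):
    """Build the inclusive (start, end) pair used for the Detection date filter."""
    return date.fromisoformat(start_iso), date.fromisoformat(end_iso)


def vnet_filter_enabled(filters):
    """The Virtual Networks filter is only enabled when exactly one account is selected."""
    return len(filters.get("account", set())) == 1


def matches(risk, filters, detected_between=None):
    """Return True when the risk passes every configured filter.

    filters: {field_name: set of selected values}. An empty set or a missing key
    means "no value selected", so that field is not constrained.
    detected_between: (start, end) dates, inclusive, or None, which stands for
    "from when the account was onboarded until now".
    """
    for field_name, selected in filters.items():
        if not selected:
            continue
        value = getattr(risk, field_name)
        # A risk can carry several tags; any overlap is enough (OR within a filter).
        values = value if isinstance(value, frozenset) else frozenset({value})
        if not values & selected:
            return False  # AND between filters: a single miss rejects the risk
    if detected_between is not None:
        start, end = detected_between
        if not start <= risk.detected <= end:
            return False
    return True


def filter_risks(risks, filters, detected_between=None):
    """Apply the Risks page filter semantics to a list of risks."""
    if filters.get("virtual_network") and not vnet_filter_enabled(filters):
        raise ValueError("Virtual Networks filter requires exactly one selected account")
    return [r for r in risks if matches(r, filters, detected_between)]


if __name__ == "__main__":
    hits = filter_risks(SAMPLE_RISKS, {"cloud_type": {"AWS", "Azure"}, "severity": {"Critical"}})
    for r in hits:
        print(r.account, r.name)
```

Selecting Cloud type = AWS and Tags = pci returns nothing for the sample data, which is exactly the "no risks match" situation the Important note warns about.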

For more information about tags and working with applications in CloudFlow, see Work with tags.

Risks list

The left panel gives an overview of all active and suppressed risks, list sorting options, and displays key descriptive elements for each risk listed.

  1. The total number of risks associated with your CloudFlow account.

  2. How many risks are suppressed.

  3. The Sort by selector which indicates the ordering of the list:

    • Severity

    • Cloud type

    • Risk name

    • Trigger count

    • Assets count

  4. The Sort direction selector.

  5. Risks list entry:

    Severity color strip

    A thin strip of color indicating the severity of the risk.

    Red = Critical

    Orange = High

    Yellow = Medium

    Blue = Low

    Grey box = Suppressed risk (Suppressed risks are listed at the bottom of the list).

    Cloud type

    The cloud type of the account the risk was found in.

    Risk name

    A short description of the risk.

    Triggers

    The number of rules that trigger the risk.

    Affected assets

    The number and types of assets affected by the risk.

    Note: For Azure NSG risks, this includes VMs attached either to network interfaces or to network interfaces found within subnets.

  6. Checkbox to select which risks to include in a risks report. For more details, see Risks Report.

Risk description

When a risk is selected from the Risks list, a full description of that risk and its Risk triggers appear in the panel to the right.

Risk name

The name of the risk as it appears in the Risks list panel.

Risk ID

The ID number assigned to the detected risk.

Syntax:

<risk code>-<traffic type>-<security control type>

The risk code is a letter for the traffic direction (or C for a customer-defined risk) followed by an incremental number:

  • O = Outbound traffic
  • I = Inbound traffic
  • D = Between internal networks
  • C = Custom risk defined by the customer

Traffic type is one of the following:

  • I = Traffic coming from or going to the internet
  • NI = Non-internet traffic
  • ASMS = Risk is calculated using the ASMS risk profile (requires the connection to ASMS to be enabled)

Security control type is one of these:

  • SG = AWS security group risks
  • AZFW = Azure Firewall risks
  • NSG = Azure NSG risks
  • GCP = Google Cloud VM instance risks

Example:

I01-I-NSG is a risk on inbound traffic that is coming from the internet, on an Azure NSG.


Tip: To view the <risk code>-<traffic type>-<security control type> as meaningful text, hover over the Risk ID:
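When Risk IDs show up outside the UI, for example in exported CSV file names or in a ticketing system, it helps to decode them programmatically rather than by hand. The following is an added example written for this page, not part of CloudFlow: it parses the <risk code>-<traffic type>-<security control type> syntax into its components using only the vocabulary listed above, renders it as the same kind of meaningful text the hover tooltip shows, and pulls the ID off an export file name. The regular expression and the function names are this example's own.

```python
import re

# Vocabulary from the Risk ID syntax <risk code>-<traffic type>-<security control type>.
DIRECTION = {
    "O": "outbound traffic",
    "I": "inbound traffic",
    "D": "traffic between internal networks",
    "C": "custom risk defined by the customer",
}
TRAFFIC_TYPE = {
    "I": "traffic coming from or going to the internet",
    "NI": "non-internet traffic",
    "ASMS": "calculated using the ASMS risk profile",
}
CONTROL_TYPE = {
    "SG": "AWS security group",
    "AZFW": "Azure Firewall",
    "NSG": "Azure NSG",
    "GCP": "Google Cloud VM instance",
}

# Direction letter + incremental number, then traffic type, then control type.
RISK_ID_RE = re.compile(
    r"(?P<direction>[OIDC])(?P<number>\d+)-(?P<traffic>ASMS|NI|I)-(?P<control>SG|AZFW|NSG|GCP)"
)


def parse_risk_id(risk_id):
    """Split a Risk ID into its three components; raise ValueError on anything else."""
    m = RISK_ID_RE.fullmatch(risk_id.strip())
    if m is None:
        raise ValueError(f"not a CloudFlow Risk ID: {risk_id!r}")
    return {
        "direction": m["direction"],
        "number": int(m["number"]),
        "traffic": m["traffic"],
        "control": m["control"],
    }


def is_risk_id(text):
    """True if the whole string is a well-formed Risk ID."""
    return RISK_ID_RE.fullmatch(text.strip()) is not None


def describe_risk_id(risk_id):
    """Render the ID as text, in the spirit of the hover tooltip on the Risks page."""
    p = parse_risk_id(risk_id)
    return (f"{risk_id}: risk {p['number']} on {DIRECTION[p['direction']]}, "
            f"{TRAFFIC_TYPE[p['traffic']]}, on {CONTROL_TYPE[p['control']]}")


def risk_id_from_filename(filename):
    """Return the Risk ID an exported file name starts with (e.g.
    'I01-I-NSG Inbound From Any ... - Risk Triggers Dec-31-2020.csv'), else None."""
    m = RISK_ID_RE.match(filename)
    if m is None or filename[m.end():m.end() + 1] not in ("", " "):
        return None
    return m.group(0)


if __name__ == "__main__":
    print(describe_risk_id("I01-I-NSG"))
```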

Color-coded Severity level

The severity level assigned to the risk can be one of the following color-coded severity designations. If the risk is suppressed, the word "Suppressed" is displayed instead of a color-coded severity:

  • Critical ..............(red)
  • High.................. (orange)
  • Medium............ (yellow)
  • Low ...................(blue)
  • Suppressed.... (grey)

Note: Suppressed risks have a Comment icon next to the word Suppressed. Click on the icon to view or edit the comment.

Asset type

The affected asset (equipment) type, such as (AWS) EC2 Instance, (Azure) VM, or (Google Cloud) VM Instance.

Cloud type

The logo and name of the cloud type.

Description

A full explanation of the nature of the risk.

Example:

Inbound rules of the form "From Any with service Any : PASS" are usually more open than necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access from risky locations. This subnet is reachable from the internet, which elevates the level of risk.

Remediation recommendation

A suggested course of action to resolve the risk.

Example:

Restrict the rules to refer to only the source IPs and services you really use.

Risk triggers

The Risk triggers section displays and details the rules that trigger the risk selected in the left panel. In the Risk triggers section, suppressed and active risk triggers are shown in separate views selected using the Risk triggers view filter.

The Risk triggers header includes:

No. of Risk triggers

The number of rules found that trigger the risk. If this number includes suppressed risk triggers, the number of suppressed risk triggers is indicated in parentheses.

Search filter

When used, only the rules whose names contain the filtered text are displayed.

Risk triggers view

  • Active: See active risk triggers

  • Suppressed: See risk triggers that have been suppressed

In the Risk triggers list, the following fields are displayed for every risk trigger:

Evidence

This column enumerates the evidence (e.g. rules) that triggered the risk. The evidence name is also a link to the rule in the relevant policy set.

Clicking on a trigger displays, in a new tab, the policy sets in which it is found.

This allows you to:

  • Review the rule definition.

  • Review the rule in the context of the SG/NSG to which it belongs.

  • Remediate the risk by modifying or deleting the rule.

Affected assets

Assets affected by the rule.

When multiple assets are affected, a number is displayed in this column. Click on it to see a list of the affected assets.

Note: For Azure NSG risks, if a risk trigger is part of an NSG attached to a subnet then the subnet name is shown as well as the number of affected VMs contained in the subnet. To review the full list of the VMs, use the Export risk trigger details option.

Detected on

Displays the date the risk trigger was first detected.

Note: Accounts onboarded to CloudFlow before this feature was introduced will display the date the feature was released in CloudFlow (26-March-2024) instead of the date the risk trigger was first detected.

Note: The detected date is reset in the following situations:

  • If an account is removed and then reimported to CloudFlow

  • For AWS: When a rule is changed

Last used

Displays the last used date for each rule.

To enable:

  • AWS and Azure: Enable flow logging for the relevant AWS VPC, Azure NSG or Azure Firewall.

  • Google Cloud: Enable logging for each rule.

    Note: Google Cloud monitors for TCP and UDP protocols only.

If no traffic has been logged for the rule, or if flow logs / logs are disabled, the column says so instead of showing a date.

Suppress Trigger icon

Click the icon to suppress the rule that is triggering the risk. For details on suppressing / activating risk triggers, see Suppress/Activate risks and risk triggers.

Additional fields for suppressed risk triggers:

Suppressed for

Indicates whether the risk trigger is suppressed for:

  • This risk only

  • All risks

Date suppressed

The date (mmm-dd-yyyy) the risk trigger was suppressed.

Comment

Click the Comment icon to view or edit the suppression comment.

Suppress/Activate risks and risk triggers

CloudFlow identifies the risks across all your onboarded accounts and displays them on the Risks page. You can control which risks appear by suppressing or activating either the risks themselves or the risk triggers that generate them.

Export risk trigger details

Export a list of risk triggers detected by CloudFlow to a CSV file for easy sharing and further analysis.

Note: The exported CSV file includes the triggers for the selected risk. Each line in the CSV file describes a unique combination of trigger and affected asset, and also includes additional details for each asset, for example its public IP address and subnets.

If one or more filters are applied at the time of export, the exported CSV contains the same filtered results that you see in the CloudFlow user interface.

Do the following:

  1. From the left pane, select the risk that you wish to focus on. Details about the risk and its risk triggers are displayed in the right pane.

  2. Click the icon on the top right.

    Your CSV file is automatically downloaded to your default download location. The file name includes the risk name and current date, for example I01-I-NSG Inbound From Any allow Any service rules from Public IPs - Risk Triggers Dec-31-2020.csv

Risks Report

The Risks Report presents a snapshot of risks and risk triggers found at a specific time based on the filters applied when you created the report.

To create a Risks Report:

  1. Customize the report results by using filters as needed.

  2. (Optional) Use the checkbox next to each risk to select specific risks to include in the report.

    Note:

    • Use the checkbox located above the list of risks to toggle all checkboxes on or off.

  3. Click the icon on the top right.

    The Export Report to PDF popup appears.

    Note: The option to export Selected risks is disabled when no checkboxes for specific risks are selected on the risks page to include in the report (see Step 2).

  4. Fill in the details as required:

    Report Name

    The name of the file created when exporting the PDF.

    Note: CloudFlow by default suggests a report name that includes the current date.

    Export Risks

    Report options:

    • All risks: Generate a report with all risks matching the risk filters

    • Selected risks: Generate a report with risks selected by the user

    Include affected assets count only

    When selected (default), the report only displays the number of assets affected by the risk. Deselect the checkbox to include a list of all affected assets in the report.

    Description

    By default, the description field includes any risk filters selected.
  5. Click Export.

    Note: Reports can contain a maximum of 2000 risk triggers. When there are more than 2000 risk triggers, the following message will be displayed:

  6. The generated Risks Report is downloaded to your default download location.

The following table contains a brief summary of the Risks Report contents:

Cover Page

Title of the report, the date and time it was generated, the user name of the person that generated it, and the Tenant ID.
Summary Page

Lists

  • The filters on which the report is based.

  • The number of risks, associated triggers, affected assets found.

  • The breakdown of the risks by severity (critical, high, medium and low) with the number of triggers and assets associated with each severity level.

List of Risks

The risks are listed by name, showing their color-coded severity, number of associated triggers and number of affected assets. Each risk name links to its own page in the report describing the risk in detail.
Risk Details Pages

Each Risk Details page provides the following information:

  • Risk title

  • Number of risk triggers
  • Affected assets
  • Risk ID

  • Severity

  • Asset type
  • Risk description
  • Remediation recommendation (when available)
  • Account / Subscription / Project ID
  • Rule details (based on vendor type)
  • Policy name link: click it to open the Policy page in CloudFlow with the relevant rule highlighted.

Access rules in the context of their policy sets

You can access rules in the context of their policy sets from the Risks page.

  1. From the left pane, click on a risk.

  2. Click on a link of interest in the evidence column.

    The Network Policies page appears with the relevant policy set showing its inbound and outbound rules tabs.

    For each rule, the number of risks at each severity level is shown by color-coded circles. Hover over the circles to see the number of risks and the severity level text.

Notes about risk triggers and affected assets

CloudFlow also reports risks for policies (security groups or NSGs) that are not attached to any network interface, subnet, or virtual machine.

Azure Only: In certain scenarios, an Azure NSG may be protecting several assets, such as VMs, yet a particular NSG rule only safeguards a portion of these assets. This situation often arises when an NSG rule, designed to target a single IP address, is applied to a subnet that encompasses multiple VMs. In such cases, CloudFlow displays in the affected assets result only the VM effectively protected by this rule (the VM holding that specific IP).

In the following example, the NSG inbound rule has the destination 10.1.0.3. Although the NSG is applied to a subnet containing three virtual machines and to an additional interface with a single virtual machine, CloudFlow considers only VM3 an affected asset, because it is the only virtual machine whose traffic is affected by the rule destination.
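The distinction matters when you reconcile the Affected assets column against your own inventory: the NSG's attachment scope tells you which VMs the NSG could reach, but only the rule's address field tells you which VMs the rule actually affects. The following is an added example written for this page, not CloudFlow code, that reproduces the VM3 case above on a constructed topology. It matches VM addresses against the rule's destination prefix (for an outbound rule you would pass the source field instead); treating Any, * and 0.0.0.0/0 as "everything" and the comma-separated prefix list are this example's own assumptions, and Azure service tags such as VirtualNetwork are deliberately out of scope.

```python
import ipaddress

# Constructed topology, not real inventory: the NSG is attached to one subnet
# holding three VMs and to one extra network interface carrying a fourth VM.
NSG_ATTACHMENTS = {
    "subnet:subnet-app": {"VM1": "10.1.0.1", "VM2": "10.1.0.2", "VM3": "10.1.0.3"},
    "nic:vm4-nic": {"VM4": "10.1.1.4"},
}


def _prefixes(address_field):
    """Turn an NSG rule address field into IP networks (assumed conventions:
    'Any', '*' and 0.0.0.0/0 match everything; entries may be comma-separated;
    Azure service tags such as VirtualNetwork are not handled here)."""
    field = address_field.strip()
    if field.lower() in ("any", "*", "0.0.0.0/0"):
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(p.strip(), strict=False) for p in field.split(",")]


def affected_assets(rule_address, attachments):
    """Return {attachment scope: [VM names]} for VMs whose IP lies inside the rule's
    address field (the destination of an inbound rule; pass the source for an
    outbound rule). Scopes with no matching VM are omitted, so an NSG applied to a
    whole subnet reports only the VMs the rule actually reaches."""
    prefixes = _prefixes(rule_address)
    result = {}
    for scope, vms in attachments.items():
        hits = sorted(vm for vm, ip in vms.items()
                      if any(ipaddress.ip_address(ip) in p for p in prefixes))
        if hits:
            result[scope] = hits
    return result


def affected_summary(rule_address, attachments):
    """What the Affected assets column conveys: per-scope counts and the total."""
    hits = affected_assets(rule_address, attachments)
    return {
        "total": sum(len(v) for v in hits.values()),
        "by_scope": {scope: len(v) for scope, v in hits.items()},
    }


if __name__ == "__main__":
    # Inbound rule with destination 10.1.0.3: only VM3 is affected, even though the
    # NSG is attached to a subnet with three VMs and to a separate interface.
    print(affected_assets("10.1.0.3", NSG_ATTACHMENTS))
    print(affected_summary("Any", NSG_ATTACHMENTS))
```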

Risks and risk triggers are displayed when the risk triggers (SG/NSG rules) belong to the set of rules matching the user input for the following filters:

  • Cloud type

  • Account

  • Region