Incidents

Overview

Incidents are misconfigurations detected in runtime resources. You can View and Filter Incidents, as well as Fix, Suppress or Create an Issue for an Incident.

Note

If Traceability is enabled, Bridgecrew traces misconfigurations in runtime resources to errors in the IaC files for the corresponding buildtime resource. This lets you fix misconfigurations at their source and ensures that they are not propagated on the next deployment. See Traceability.

Viewing Incidents

  • You can review, manage and fix open runtime Incidents across cloud providers (AWS, Azure, GCP) and Kubernetes workloads.
  • Incidents are grouped by Policy. Within a grouping, there is one row/Incident for each resource which is not compliant with the specific Policy.
  • For each Policy you can see the Policy Name and severity and you can access more detailed information.

Incidents Grouped by Policy

For each specific Incident the following is displayed:

  • Resource ID
  • The ID of the Account in which the non-compliant resource was detected
  • The date on which the Incident was first detected
  • Resource Properties (see details below)

Incident Properties

The resource properties shown are:

  • Traced - if Traceability is enabled, Bridgecrew creates tags used to associate specific runtime resources with their corresponding IaC files in buildtime
  • Unencrypted - an open lock icon indicates that a resource is not encrypted, and thus potentially vulnerable
  • Public - a globe icon indicates that a resource is publicly accessible, and thus potentially vulnerable

Traced Resource

An Unencrypted Resource

A Private Resource

Search

You can search within each Policy grouping.

Search Incidents

Actions

You can Fix a misconfiguration, Suppress it to prevent further reporting, or create a JIRA issue.

Fix Incident

Incidents can be fixed directly in the cloud runtime environment if the remediation stack is installed. However, it is best practice to correct errors in IaC files in buildtime to ensure that the correction is propagated with future updates.

View and Fix Incident in Projects

For traced resources, you can open the error on the Projects page in a new tab and fix it at its origin to assure that it will not be included in future deployments.

View in Projects

Suppress

You can Suppress an Incident so that it will no longer be considered open. You can Suppress based on a range of groupings. For more information, see Suppress.

Create Issue

Create JIRA tickets based on selected resources. For more information, see Suppress.

Filtering

Overview

A rich set of filters is available in the left navigation pane, as well as preset filters for key views.

If you select multiple options for a certain filter (for example, Source), the relationship between the options is OR.
If you select filters of different types (for example, Status and Category) the relationship between them is AND. In other words, if you select Status = Open, and Category = IAM, only open IAM Incidents will be displayed.

Filter by Incident status

You can select one status only.

  • Open - to view Incidents that have not been Fixed or Suppressed.
  • Suppressed - to view Incidents that have been Suppressed.
  • Passed - to view Incidents that have been fixed and not detected again in later runs

Filter by Status

Filter by Source

You can select one or more sources, such as AWS, Azure or GCP accounts or Kubernetes workloads.

Filter by Category

You can select one or more Policy categories, such as IAM, Monitoring or Networking.

Filter by Severity

You can select one or more Policy severity groupings: critical, high, medium, low.

Filter by Date Range

You can filter for Incidents first detected within a specified timeframe.

Filter by Benchmark

You can view Incidents associated with one or more benchmarks.

Filter by Tag

You can view Incidents which are tagged with a specific key-value pair (if defined). You can indicate multiple key-value pairs.

Use Preset Filters

The preset filters at the top of the Incidents page help you quickly view Incidents of most interest.

Create Custom Presets

To create and save a custom preset filter:

  1. Use the various filters on the Incidents page to achieve the filtering you want to be able to replicate with a single click.
  2. From the kebab menu in the upper-right corner, select “Save filters as preset”.
  3. Enter a name for your custom preset and a description.
Resource Property Filters (Pie Charts)

In addition to assessing an Incident’s impact based on the related Policy, it is helpful to look at the properties of the resource.
The pie chart widgets display the breakdown of Incidents based on resource properties as explained below.

  • Traced - Incidents for resources which are traced to corresponding buildtime resources. These Incidents can be viewed on the Projects page and fixed in their corresponding buildtime resource. This assures that the Fix will still be in effect after the next update. For information on enabling traceability, see Configure Code Repository Settings.
  • Unencrypted - unencrypted resources are potentially more vulnerable than others
  • Public - resources that are publicly accessible are potentially more vulnerable than others

The pie charts are interactive. For example, press the purple segment on the Traced pie chart to view only Incidents for Traced resources, or press the gray segment to see only Incidents for non-Traced resources.
The relationship between these filters and other types of filters on the page is OR.

Sort

Select Sort at the top-right of the page to sort the Incidents displayed by Severity (from highest to lowest) or Frequency within resources (from highest to lowest).

Download a CSV Report

To download an Incident report in a CSV file, press the down arrow at the top of the Incidents page.

The CSV file contains a list of Incidents (not an Industry report), with the following fields for each Incident:

  • Incident Type
  • Status
  • Severity
  • Category
  • Violation ID
  • Title
  • Benchmarks
  • Custom Policy – y/n
  • Resource
  • Source ID
  • URL of the specific Incident
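
For offline triage of a downloaded report, the filter rules described under Filtering (OR between options of one filter, AND between different filters) can be applied to the CSV rows and the result grouped by Policy. The script below is an added example, not Bridgecrew code; it assumes the CSV column headers match the field names listed above, and the sample rows, IDs and URLs are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Header names are ASSUMED to match the field names
# listed above; adjust them to the headers found in a real export.
SAMPLE_CSV = """Incident Type,Status,Severity,Category,Violation ID,Title,Benchmarks,Custom Policy,Resource,Source ID,URL
Violation,Open,high,IAM,EXAMPLE_POLICY_1,Example IAM policy,EXAMPLE-BENCH,n,example-role-a,example-account-1,https://example.invalid/incidents/1
Violation,Open,critical,Networking,EXAMPLE_POLICY_2,Example network policy,EXAMPLE-BENCH,n,example-sg-a,example-account-1,https://example.invalid/incidents/2
Violation,Suppressed,high,IAM,EXAMPLE_POLICY_1,Example IAM policy,EXAMPLE-BENCH,n,example-role-b,example-account-2,https://example.invalid/incidents/3
Violation,Open,low,Monitoring,EXAMPLE_POLICY_3,Example monitoring policy,,y,example-trail-a,example-account-2,https://example.invalid/incidents/4
Violation,Open,high,IAM,EXAMPLE_POLICY_1,Example IAM policy,EXAMPLE-BENCH,n,example-role-c,example-account-2,https://example.invalid/incidents/5
"""

# Severity groupings named on the page, highest first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def load_incidents(text):
    """Parse the CSV text into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))

def filter_incidents(rows, selections):
    """selections maps a column to the set of selected options.
    Options within one column are ORed; different columns are ANDed.
    A column with no selected options does not restrict the result."""
    wanted = {col: {o.lower() for o in opts}
              for col, opts in selections.items() if opts}
    return [r for r in rows
            if all(r.get(col, "").strip().lower() in opts
                   for col, opts in wanted.items())]

def group_by_policy(rows):
    """Group rows by Violation ID, ordered by severity (highest first)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["Violation ID"]].append(r)
    def rank(item):
        sev = item[1][0]["Severity"].strip().lower()
        return SEVERITY_RANK.get(sev, len(SEVERITY_RANK))  # unknown sorts last
    return sorted(groups.items(), key=rank)

if __name__ == "__main__":
    rows = load_incidents(SAMPLE_CSV)
    picked = filter_incidents(
        rows, {"Status": {"Open"}, "Category": {"IAM", "Networking"}})
    for policy, members in group_by_policy(picked):
        print(policy, members[0]["Severity"], [m["Resource"] for m in members])
```
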