SecPod  – Documentation

Cloud Security Posture Anomaly(CSPA) User Guide

Evaluate Deviations with Saner CSPA

Posture anomaly (PA) is a critical aspect of assessing deviations in resources across the cloud. These anomalies are typically identified using statistical algorithms and security best practices. Saner CSPA, however, uncovers unusual or anomalous data points based on predefined rules and thresholds.

How Does Saner CSPA Analyze Posture Anomaly?

Saner CSPA establishes specific conditions or thresholds derived from domain expertise. It analyzes the dataset and compares each data point against these defined rules, flagging any data point that violates a rule. The scanner is configured to run continuously, day after day, to identify unwanted elements or anomalies within the organization and to either fix or whitelist these anomalies using pre-built response schemes.

The centralized dashboard supports visualization and lists all anomalies, categorizing them based on confidence levels. This provides an instant solution to either fix or whitelist exceptions that are deemed acceptable within the organization. Additionally, the dashboard offers intuitive insights into which anomalies should be whitelisted and what actions should be taken to mitigate non-compliance.

Below are the actions you can perform on the detected anomalous data in the Cloud Entitlement Dashboard:

  • Assess the system’s confidence level in determining if a detected issue or misconfiguration poses a risk: The Posture Anomaly Distribution view on the Saner CSPA dashboard summarizes the total count of all detected anomalies and classifies each detected anomaly into high, medium, or low confidence.
  • Analyze, prioritize, and address misconfigurations or vulnerabilities across the different resource categories. From the Posture Anomaly Radar, see the count of anomalies in a specific resource category.
  • View the security posture of cloud environments, displayed in a column format. This column layout helps prioritize fixes based on confidence levels, the number of affected resources, and severity. It also highlights areas that may violate regulatory requirements, such as lacking multi-factor authentication (MFA) or having outdated credentials. Additionally, the details view emphasizes specific issues that could disrupt services or introduce vulnerabilities. Finally, it provides regional insights to ensure that anomalies are addressed in geographically critical areas.
  • Get a visual representation of all the anomalies detected in the Saner Cloud account as well as the anomalies that are normalized (remediated).

With the Whitelist functionality, you can exclude specific checks or rules from a cloud security scan where there is a valid reason to do so, and view the whitelisted IDs in the Posture Anomaly Details section of the dashboard.
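As an added illustration (not SecPod's code) of the rule-and-threshold comparison, per-rule confidence and whitelist exclusion described above, here is a small scanner run over constructed IAM user records; the record fields, rule IDs, key-age threshold and confidence assignments are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List

# Constructed sample inventory (assumption about the record shape; not Saner's data model).
IAM_USERS = [
    {"name": "alice",  "password_enabled": True,  "mfa_enabled": True,  "last_key_rotation": date(2024, 11, 20)},
    {"name": "bob",    "password_enabled": True,  "mfa_enabled": False, "last_key_rotation": date(2024, 12, 1)},
    {"name": "svc-ci", "password_enabled": False, "mfa_enabled": False, "last_key_rotation": date(2024, 3, 2)},
    {"name": "carol",  "password_enabled": True,  "mfa_enabled": False, "last_key_rotation": date(2023, 6, 15)},
]

SCAN_DATE = date(2024, 12, 17)           # constructed; matches the page's example Detected date
KEY_AGE_THRESHOLD = timedelta(days=90)   # constructed threshold for the key-rotation rule


@dataclass
class Rule:
    rule_id: str                        # placeholder, styled after the CSPA-AWS-YYYY-NNNN IDs on the page
    title: str
    confidence: str                     # "High", "Medium" or "Low", pre-assigned per rule
    violates: Callable[[Dict], bool]    # predicate: True when the record breaks the rule


@dataclass
class Finding:
    rule_id: str
    title: str
    confidence: str
    resources: List[str] = field(default_factory=list)   # names of violating resources


RULES = [
    Rule("CSPA-AWS-EXAMPLE-0001", "Finds IAM User with active password but no MFA", "High",
         lambda u: u["password_enabled"] and not u["mfa_enabled"]),
    Rule("CSPA-AWS-EXAMPLE-0002", "Finds IAM User with access key not rotated within threshold", "Medium",
         lambda u: SCAN_DATE - u["last_key_rotation"] > KEY_AGE_THRESHOLD),
]


def run_scan(records, rules, whitelist=frozenset()):
    """Compare every record against every rule and emit one Finding per rule
    that fired, listing the violating resources.  Whitelisted rule IDs are
    skipped, mirroring the dashboard's whitelist of checks."""
    findings = []
    for rule in rules:
        if rule.rule_id in whitelist:
            continue
        hits = [r["name"] for r in records if rule.violates(r)]
        if hits:
            findings.append(Finding(rule.rule_id, rule.title, rule.confidence, hits))
    return findings


def summary_line(checked, finding):
    """Summary string in the form the Posture Anomaly Details view uses."""
    return (f"{checked} instances of resources are checked, of which "
            f"{len(finding.resources)} are found to have anomalies")


def distribution(findings):
    """Posture Anomaly Distribution: anomaly count per confidence level,
    counting one anomaly per violating resource (the per-rule tile count)."""
    counts = Counter()
    for f in findings:
        counts[f.confidence] += len(f.resources)
    return dict(counts)


if __name__ == "__main__":
    results = run_scan(IAM_USERS, RULES)
    for f in results:
        print(f.rule_id, f.confidence, summary_line(len(IAM_USERS), f))
    print("Distribution:", distribution(results))
    print("With rule 0002 whitelisted:",
          [f.rule_id for f in run_scan(IAM_USERS, RULES, frozenset({"CSPA-AWS-EXAMPLE-0002"}))])
```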

Salient Highlights

AI Assistant Integration

The summarization grid in the various dashboards enables the AI assistant to retrieve responses related to the relevant data.

By clicking the green icon within the summarization grid, the AI assistant dynamically fetches and displays the summary in a tooltip within the dashboard.

Posture Anomaly Confidence Levels

  • Assess the system’s confidence in determining whether a detected issue or misconfiguration poses a risk.
  • The Posture Anomaly Distribution view summarizes all detected anomalies and categorizes them into high, medium, or low confidence levels.

Anomaly Analysis and Prioritization

  • Analyze and prioritize misconfigurations and anomalies across different resource categories.
  • Use the Posture Anomaly Radar to view the count of anomalies within specific resource categories.

Security Posture Visualization

Cloud environment security posture is displayed in a column format for easy prioritization of fixes.

  • Columns provide insights into:
    • Confidence levels and severity of anomalies.
    • Number of affected resources.
    • Violations of regulatory requirements, such as missing multi-factor authentication (MFA) or outdated credentials.
  • Regional insights highlight geographically critical areas for anomaly remediation.

Detailed Issue Insights

  • Emphasizes specific issues that could disrupt services or introduce vulnerabilities.
  • Identifies violations of compliance requirements and areas needing immediate attention.

Anomaly Visualization

Get a visual representation of all detected anomalies, including anomalies that have been normalized (remediated).

Whitelist Functionality

  • Exclude specific checks or rules during cloud security scans for valid reasons.
  • View whitelisted IDs in the Posture Anomaly Details section for easy reference.

Explore the Dashboard Views
Each component of the dashboard and what it conveys:

Posture Anomaly Distribution

The Posture Anomaly Distribution assesses the system’s confidence level in determining if a detected issue or misconfiguration poses a risk.
Each detected anomaly is classified as high, medium, or low confidence:
— High Confidence: indicates that most anomalies are significant and require immediate attention.
— Medium Confidence: suggests that some anomalies need further validation or investigation.
— Low Confidence: refers to minor anomalies, which may involve less critical issues or potential false positives.

The Posture Anomaly Distribution view on the Saner CSPA dashboard summarizes the following:

Total Anomalies:
The total count of all detected anomalies.

Breakdown of Anomalies:
Anomalies are categorized based on a machine learning algorithm threshold or through pre-assigned severity levels; the higher the confidence level, the more certain Saner CSPA is that the anomalies represent legitimate risks:
— Red: High confidence anomalies. For example, Publicly accessible S3 bucket containing sensitive information, Misconfigured IAM roles with over-permissive policies exposing critical systems
— Orange: Medium confidence anomalies. For example, Unusual but authorized use of privileged accounts, A resource not encrypted where encryption is recommended but not required
— Yellow: Low confidence anomalies. For example, Access from an unusual IP address that aligns with a known employee’s travel, Temporary policy change flagged as non-compliant but corrected soon after

This breakdown helps prioritize actions, ensuring that critical issues are addressed first while allocating appropriate resources to less critical ones.
Posture Anomaly Density

Posture Anomaly Density helps quickly identify clusters or areas with concentrated security posture issues for further prioritization and remediation. The Saner CSPA dashboard presents data in a bubble chart visualization, with each circle representing a group of anomalies. The size of the circle corresponds to the volume of anomalies in that category.

Clicking on the chart navigates you to the Posture Anomaly Parameters, providing the details of the anomaly: ID, Title, and the number of Resources that have an anomaly. Additionally, you have the option to export the data into a CSV file.
Posture Anomaly Radar

Posture Anomaly Radar in cloud security helps analyze, prioritize, and address misconfigurations or vulnerabilities across the different resource categories. The Saner CSPA dashboard highlights the resource categories that have the most significant posture anomalies. Resource categories across:

— AWS include: Security, Identity and Compliance, Compute (Management & Governance, Networking & Content Delivery)
— Azure include: Compute, Resource Management, Monitoring, Security

Hover your mouse on the radar to see the count of anomalies in a specific resource category. Additionally, you have the option to export the data into a CSV file.
Posture Anomaly Details

Posture anomalies refer to misconfigurations, policy violations, or deviations from best practices that could expose cloud environments to risks and result in data breaches, downtime, and more. The “Posture Anomaly Details” visualization in the Saner CSPA dashboard offers a comprehensive view of the security posture of cloud environments, displayed in a column format. This layout helps prioritize fixes based on confidence levels, the number of affected resources, and severity. It also highlights areas that may violate regulatory requirements, such as lacking multi-factor authentication (MFA) or having outdated credentials. Additionally, the details view emphasizes specific issues that could disrupt services or introduce vulnerabilities. Finally, it provides regional insights to ensure that anomalies are addressed in geographically critical areas.

Here’s a breakdown of what the columns represent:

ID: Unique identifier for each anomaly detection rule (e.g., CSPA-AWS-2023-0004) that helps track findings

Title: Describes the specific issue identified (For example, “Finds Groups with lesser instances” or “Finds IAM User with active password but no MFA”) that provides insight into what kind of misconfiguration or anomaly is being detected

Summary: Indicates the total number of resources evaluated and the count of anomalies identified. For example, “22 instances of resources are checked, of which 11 are found to have anomalies”

Profile: Specifies the cloud service under which the anomaly was detected (e.g., aws account)

Region: Highlights the number of regions affected by the anomaly. Useful for assessing the geographical spread of the issue.

Confidence Level: Indicates the system’s confidence level in determining if a detected issue or misconfiguration poses a risk. Anomalies are categorized based on a machine learning algorithm threshold or through pre-assigned severity levels; the higher the confidence level, the more certain Saner CSPA is that the anomalies represent legitimate risks:
— Red: High confidence anomalies. Indicates the count of anomalies that are significant and require immediate attention.
— Orange: Medium confidence anomalies. Suggests the count of anomalies that need further validation or investigation.
— Yellow: Low confidence anomalies. Refers to the count of minor anomalies, which may involve less critical issues or potential false positives.
This breakdown helps prioritize actions, ensuring that critical issues are addressed first while allocating appropriate resources to less critical ones.

Resources: Lists the number of affected resources associated with the anomaly.

Category: Classifies the anomaly (e.g., security or governance-related).

Detected: Timestamp when the anomaly was identified (e.g., 2024-12-17).

Fix: Implies action or recommendations to resolve the anomaly (indicated by a wrench icon).

By following the link under the “ID” column or clicking the “more” link under the Summary column, users can access additional details about the anomaly, including: a brief summary, anomaly data, anomaly status, anomaly trends over time, and region-wise mapping.

Additionally, users can take various actions from the view, such as sorting or filtering, searching for keywords, selecting the number of records to view, exporting the records into a spreadsheet (CSV), turning the display of whitelisted anomalies on and off (eye symbol), and viewing the security posture of assets (anomalous and normalized).

Anomaly Trends over Time

Anomaly trends over time are commonly used to monitor and manage anomalies detected in cloud infrastructure. The Saner CSPA dashboard provides a graphical representation of the count of anomalies related to misconfigurations, policy violations, or security incidents over a specific period. The data displayed on the dashboard is updated after each scan.

Region Wise Mapping

Region-wise mapping in cloud posture provides a geographical perspective on the security posture of cloud environments. The “Region Wise Mapping” visualization on the Saner CSPA dashboard displays the total number of affected regions and anomalies on a world map and helps you understand the distribution of resources across the cloud.

The dots indicate the specific regions with anomalies. By moving your cursor over the dots, you can pinpoint anomalies or vulnerabilities specific to regions.

All Anomalies

The “All Anomalies” view in Saner CSPA offers a visual representation of both anomalous and normalized (remediated) anomalies in the Saner Cloud account.

The red tiles highlight critical issues that require immediate attention, while the green tiles provide assurance about resource categories that are not problematic.

Anomalous data is displayed in red tiles, with each tile representing a specific category of detected anomaly in the cloud environment. Each red tile includes the following information:

— Anomaly ID (for example, CSPA-AWS-2024-0078)
— A brief description of the anomaly (for example, “frequent CloudTrail console login events”)
— A count displayed on each tile that indicates the number of anomalies for the specific rule

Green tiles represent normalized data, indicating instances of conditions that aren’t flagged as anomalous.
Whitelist

Sometimes, it’s necessary to exclude certain checks or rules during a cloud security scan for several valid reasons. Below are some common scenarios and how to handle them using Saner CSPA.

1. A rule may flag an issue that is irrelevant to a specific environment. For instance, a rule might identify an S3 bucket as publicly accessible, but this might be intentional to host a public website.
2. Not all checks are applicable to every environment or project. For example, a check enforcing multi-factor authentication (MFA) for all IAM users might not be relevant if the organization exclusively uses federated access.
3. Legacy systems or older architectures might not support certain security best practices or compliance requirements. For example, a legacy application may utilize outdated encryption protocols that cannot be updated immediately.

Saner CSPA provides a way to assess and exclude these anomaly IDs from the scan. To whitelist anomalies, simply click the Whitelist link on the CSPA dashboard. Select the IDs you wish to whitelist by checking the corresponding checkbox(es), then click Save. Alternatively, you can whitelist individual resources from the Posture Anomaly Details page: click the individual ID on the Whitelisting page and navigate to the Anomaly Details page for further action.

You can view the whitelisted IDs from the Posture Anomaly Details section on the dashboard by clicking the eye icon.

Learn How To

How to Prioritize Remediation or Fixes based on Confidence Levels?

Determine if a Detected Issue or Misconfiguration Poses a Risk…

Confidence Level indicates if the system is certain in determining if a detected issue or misconfiguration poses a risk.

Anomalies in Saner CSPA are categorized based on a machine learning algorithm threshold or through pre-assigned severity levels. This means that the system is almost certain that these anomalies represent legitimate risks:

— Red: High confidence anomalies. Indicates that most anomalies are significant and require immediate attention.

— Orange: Medium confidence anomalies. Suggests that some anomalies need further validation or investigation.

— Yellow: Low confidence anomalies. Refers to minor anomalies, which may involve less critical issues or potential false positives.

This breakdown helps prioritize actions, ensuring that critical issues are addressed first while allocating appropriate resources to less critical ones.

Look into the Confidence Level to make informed decisions from the:

— Posture Anomaly Details view within the CSPA dashboard

— Posture Anomaly Distribution (High, Medium, and Low) on the CSPA dashboard

How to Quickly Identify the Detected and Remediated Anomalies for an Account?

Anomalies Indicated by Color Codes

The “All Anomalies” view in Saner CSPA offers a visual representation of all the anomalies detected in the Saner Cloud account as well as the anomalies that are normalized (remediated).

Anomaly data is shown in two different sections, distinguished by color codes:

— Red: highlights critical issues that require immediate attention

— Green: provides assurance about resource categories that are not problematic and remediated

Move your cursor over the tile to see more information about the Posture Anomaly (PA) ID such as:

— The number of anomalies for the specific rule

— Anomaly ID (for example, CSPA-AWS-2024-0078)

— A brief description of the anomaly (for example, “frequent CloudTrail console login events”)

Click on the Red tile to navigate to the Posture Anomaly Details page. You have an option to remediate all the anomalies within the relevant PA ID by clicking the wrench icon.

How to Whitelist Rules or Resources in Cloud Security Scans?

Overview

Sometimes, it’s necessary to exclude certain checks or rules during a cloud security scan for valid reasons. Here’s why, and how to handle them using Saner CSPA…

Why Exclude a Rule or Check?
  1. Irrelevant Findings: A rule might flag an issue that is intentional for your environment.
    Example: An S3 bucket is flagged as publicly accessible, but this is required because it hosts a public website.
  2. Non-Applicability: Not all checks apply to every environment or project.
    Example: A check enforcing multi-factor authentication (MFA) for all IAM users is irrelevant if your organization exclusively uses federated access.
  3. Legacy Systems: Older architectures or legacy systems might not fully support certain security best practices immediately.
    Example: A legacy application might still rely on outdated encryption protocols that cannot be updated without significant effort.
How to Exclude or Whitelist “Rules” in Saner CSPA?

Saner CSPA allows you to assess and exclude specific anomaly IDs from scans. Follow these steps to whitelist anomalies:

Step 1: Navigate to the CSPA dashboard

Step 2: Click the Whitelist link on the top-right of the page

Step 3: Select the anomaly IDs you wish to exclude by checking the corresponding checkboxes

Step 4: Click Save to confirm your changes

Result: The Whitelisted anomalies display in the Posture Anomaly Details block on the dashboard. Click the eye icon within the block to see the anomalies you just whitelisted.

How to Exclude or Whitelist “Resources” in Saner CSPA?

Step 1: From the Posture Anomaly Details block on the dashboard, click on the ID that you want to whitelist. The Details page for that ID opens.

Step 2: From the Anomaly Data block on the Details page, click the checkbox to select the relevant anomaly

Step 3: Select the checkbox corresponding to the ID

Step 4: Click the Whitelist menu icon, next to the search box within the Anomaly Data block. Hover over the icon to see the name.

The Confirmation message displays prompting you to confirm if you want to whitelist the selected resources.

Step 5: Click the Whitelist button to confirm your selection.

Step 6: To see the whitelisted ids, click the eye icon within the Anomaly Data block. Hover over the icon to see the name.

[OPTIONAL] To remove the whitelisted IDs, just select the checkbox(es) and click the Remove button on the top-right next to the search box within the window.

View the Whitelisted IDs

To review the whitelisted IDs:

Step 1: Navigate to the Posture Anomaly Details section on the dashboard.

Step 2: Click the eye icon to view all the whitelisted IDs.

Alternatively, access the “All Anomalies” link on the top-right of the dashboard and search for the ID you whitelisted. If the ID does not display on the page, it is whitelisted.

Observe the Reduction in Total Count

Take note that the current count has reduced after excluding (whitelisting) the rule/check/resource from the cloud security scan. Also observe that the whitelisted resource is not present in the “All Anomalies” page.
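As an added example (not part of the Saner documentation or the product’s own code), the Python below reproduces offline the two operations described above, prioritizing remediation by confidence level and affected resources, and excluding whitelisted anomaly IDs so the reduction in total count can be checked. It works on a CSV export like the one the dashboard produces; the column names, record layout and anomaly IDs here are constructed assumptions, and the product’s real export header may differ.

```python
"""Prioritize a Saner CSPA CSV export by confidence level and apply a whitelist.

Constructed sample data and assumed column names; not output from the product.
"""
import csv
import io

# Priority of the dashboard's confidence colours: Red (High) > Orange (Medium) > Yellow (Low).
CONFIDENCE_RANK = {"Red": 0, "Orange": 1, "Yellow": 2}

# Constructed sample export. Column names mirror the dashboard columns described
# in this guide; the real CSV header is an assumption. IDs and counts are made up.
SAMPLE_CSV = """\
ID,Title,Profile,Region,Confidence,Resources,Category,Detected
CSPA-AWS-2024-0001,Finds IAM User with active password but no MFA,aws account,3,Red,11,Security,2024-12-17
CSPA-AWS-2024-0002,Finds publicly accessible S3 bucket,aws account,1,Red,2,Security,2024-12-17
CSPA-AWS-2024-0003,Finds resource not encrypted where encryption is recommended,aws account,2,Orange,7,Governance,2024-12-16
CSPA-AWS-2024-0004,Finds access from unusual IP address,aws account,1,Yellow,1,Security,2024-12-15
"""


def load_export(text):
    """Parse the CSV export into dicts, normalizing numeric fields and
    rejecting confidence values the dashboard does not use."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Resources"] = int(row["Resources"])
        row["Region"] = int(row["Region"])
        if row["Confidence"] not in CONFIDENCE_RANK:
            raise ValueError(f"{row['ID']}: unknown confidence {row['Confidence']!r}")
    return rows


def apply_whitelist(rows, whitelisted_ids):
    """Drop anomaly IDs that were whitelisted (e.g. an intentionally public
    S3 bucket hosting a website), exactly as the dashboard hides them."""
    return [r for r in rows if r["ID"] not in whitelisted_ids]


def prioritize(rows):
    """Order remediation: Red before Orange before Yellow; within a level,
    the anomaly touching more resources first; ID as a stable tie-break."""
    return sorted(rows, key=lambda r: (CONFIDENCE_RANK[r["Confidence"]],
                                       -r["Resources"], r["ID"]))


def summarize(rows):
    """Totals as shown by the Posture Anomaly Distribution view."""
    by_confidence = {level: 0 for level in CONFIDENCE_RANK}
    for r in rows:
        by_confidence[r["Confidence"]] += 1
    return {"total": len(rows),
            "by_confidence": by_confidence,
            "resources": sum(r["Resources"] for r in rows)}


def remediation_plan(text, whitelisted_ids=frozenset()):
    """Summaries before and after whitelisting plus the ordered fix list,
    so the drop in total count can be verified against the dashboard."""
    rows = load_export(text)
    kept = prioritize(apply_whitelist(rows, set(whitelisted_ids)))
    return {"before": summarize(rows),
            "after": summarize(kept),
            "order": [r["ID"] for r in kept]}


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_CSV, {"CSPA-AWS-2024-0002"})
    print("total before/after whitelist:", plan["before"]["total"], plan["after"]["total"])
    for anomaly_id in plan["order"]:
        print("fix next:", anomaly_id)
```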

How to Search and Retrieve Anomaly Data?

Search and Retrieve Results

You can search for the following anomaly data by keying in the criteria and retrieve the relevant results in the dashboard view:

  • Rule ID
  • CSPA ID
  • Profile Name
  • Region
  • Category
  • Creation Date
  • Detected Date
  • Title

How to Initiate Patch Remediation from CSPA Dashboard?

Overview

Remediating findings from the Saner CSPA dashboard means systematically addressing the anomalies by identifying and resolving identity-related risks within your AWS account, directly from the interface.

Initiate the Patching Task in One of the Following Ways

Option 1: By Accessing the Fix (Wrench) Icon from the Posture Anomaly Details Block on the Dashboard

Step 1: Go straight to the Posture Anomaly Details block in the CSPA dashboard and click on the Fix (wrench) icon corresponding to an anomaly.

Step 2: Automatic Redirection to CSRM:

The application automatically redirects you to Cloud Security Resource Management (CSRM) and opens the CSPA Tabular Listing to begin the patching activity.

Step 3: Follow the Wizard

The wizard guides you through the process of selecting and applying the necessary patches.

Option 2: From the Posture Anomaly Details Page

Step 1: Click the Fix (wrench) icon corresponding to the relevant Anomaly ID

Step 2: Automatic Redirection to CSRM:

Clicking the fix icon automatically redirects you to CSRM with the CSPA module opened, allowing you to directly create the patching task using the wizard.

Step 3: Follow the Wizard

The wizard guides you through the process of selecting and applying the necessary patches.

This method makes it easier to manage your patching tasks and risk remediation in CSPA.

Option 3: From the “Anomaly data” widget within the Anomaly ID Page

Commonly Asked Questions

How does Saner CSPA detect anomalies in my cloud infrastructure?

After completing the posture anomaly scan on a designated account, Saner CSPA does a computation on the gathered data and displays the results within the relevant views on the dashboard.

What can I infer from the Posture Anomaly Distribution View in CSPA Dashboard?

The Posture Anomaly Distribution view on the Saner CSPA dashboard summarizes the total anomalies and also categorizes anomalies based on severity levels. This breakdown helps prioritize actions, ensuring that critical issues are addressed first while allocating appropriate resources to less critical ones.

The Posture Anomaly Distribution view summarizes the following:

Total Anomalies: The total count of all detected anomalies.

Breakdown of Anomalies: Anomalies are categorized based on a machine learning algorithm threshold or through pre-assigned severity levels. This means that Saner CSPA is almost certain that these anomalies represent legitimate risks:

— Yellow: Low confidence anomalies

— Red: High confidence anomalies

— Orange: Medium confidence anomalies

Each detected anomaly is classified into the following confidence levels:

High Confidence: indicates that most anomalies are significant and require immediate attention.

Medium Confidence: suggests that some anomalies need further validation or investigation.

Low Confidence: refers to minor anomalies, which may involve less critical issues or potential false positives.

What does the “High” Confidence level comprise?

High confidence level indicates that most anomalies are significant and require immediate attention.

Examples:

— Publicly accessible S3 bucket containing sensitive information

— Misconfigured IAM roles with over-permissive policies exposing critical systems

What does the “Medium” Confidence level comprise?

Medium confidence level suggests that some anomalies need further validation or investigation.

Examples:

— Unusual but authorized use of privileged accounts

— A resource not encrypted where encryption is recommended but not required

What does the “Low” Confidence level comprise?

Low confidence level refers to minor anomalies, which may involve less critical issues or potential false positives.

Examples:

— Access from an unusual IP address that aligns with a known employee’s travel

— Temporary policy change flagged as non-compliant but corrected soon after

Any recommendations on resolving anomalies based on severity? How do I prioritize my actions based on the severity?

Minimize risks effectively by addressing High anomalies first, followed by Medium anomalies, and lastly resolving the Low anomalies.

How can I export the anomaly data?

Just click the CSV icon available within a view in the Saner CSPA dashboard to export the data into a CSV file for further analysis.

What is Posture Anomaly Density and why is it important?

With the Posture Anomaly Density you can quickly identify clusters or areas in your cloud environment with concentrated security posture issues. It provides a high-level overview of concentrated security issues, enabling efficient prioritization and management of resources to improve your overall security posture.

How is the anomaly data visualized on Saner CSPA dashboard?

The data is visualized using a bubble chart with each circle representing a group of anomalies. The size of the circle corresponds to the volume of anomalies within that category. Larger bubbles indicate a higher concentration of security posture issues.

What additional information can I get about the anomaly parameters and how?

Clicking on a bubble navigates you to the Posture Anomaly Parameters view, which provides detailed information including:

— ID: unique identifier of the anomaly
— Title: brief description of the anomaly
— Number of resources: count of affected resources with the anomaly

How can I use the Posture Anomaly Parameters?

Analyze and prioritize remediation activities using the Anomaly data, Anomaly status (anomalous or normalized) and so on.

What do I interpret from the various sizes of the bubbles?

Clusters of large bubbles indicate areas in your cloud environment with a significant concentration of anomalies. Review and prioritize these areas for investigation and remediation.

What does the Posture Anomaly radar help you with?

The Posture Anomaly radar view allows you to analyze, prioritize, and address misconfigurations or vulnerabilities in different categories, including Management and Governance, Compute, Networking, and more. In the Saner CSPA dashboard, the radar highlights the areas with the most significant posture anomalies, enabling you to concentrate on the categories that need immediate attention.

How can I view detailed anomaly count in the radar?

Hover your mouse over a specific area on the radar chart to view the count of anomalies in that resource category.

What areas are covered in the Posture Anomaly radar?

Common areas include:

— Management & Governance: Issues related to policy enforcement and administrative control
— Compute: Vulnerabilities in virtual machines or containerized environments
— Networking & Content Delivery: Misconfigurations in firewall rules, open ports, or network traffic
— Security, Identity, and Compliance: Issues in permissions, roles, and privileges assigned to users, groups, applications, and services

What are anomaly trends over time?

Anomaly trends over time refer to the monitoring of the number of anomalies related to misconfigurations, policy violations, or security incidents in cloud infrastructure across a defined period. This tracking allows for the evaluation of changes and helps assess the effectiveness of remediation efforts.

How does the Saner CSPA dashboard represent anomaly trends?

The dashboard provides a graphical representation of the anomaly count over time, making it easy to visualize patterns, spikes, or reductions in anomalies.

How often is the anomaly trend data updated?

The data displayed on the dashboard is updated after each scan of your cloud environment, making sure that the trends reflect the latest information.

Why are anomaly trends important and how can I use the trend data to improve my security posture on the cloud?

Anomaly trends assist in tracking progress, identifying patterns, and optimizing resources. By analyzing trends, you can identify persistent issues requiring deeper investigation, monitor the effectiveness of implemented security measures, and predict and prepare for potential future risks.

What do sudden spikes in anomalies indicate?

They may indicate misconfigurations introduced by recent changes in the system. It’s essential to investigate the spike immediately to address critical issues and mitigate risks. The “Anomaly Trends over Time” graphical visualization on the dashboard provides a count of anomalies related to misconfigurations, policy violations, or security incidents over a specific period. The data displayed on the dashboard is updated after each scan.

How do I check which anomaly is affecting most of my resources under “Management & Governance” category?

On the Saner CSPA dashboard, navigate to the Posture Anomaly Details view and filter by the requisite category, in this case “Management & Governance”. The corresponding results are retrieved and displayed in the grid view.

How can I utilize the region-wise mapping data to improve my cloud security posture?

Utilize regional insights to prioritize remediation efforts in areas with a higher frequency of anomalies, ensure compliance with region-specific regulatory and data sovereignty requirements, and monitor regions crucial to business operations with increased diligence.

What is Region-Wise Mapping in Saner Cloud Security Posture (CSPA)?

Region-Wise Mapping provides a geographical perspective of the security posture of cloud environments. It displays the distribution of anomalies and resources across different cloud regions on a world map.

Saner CSPA dashboard highlights the total number of regions and anomalies on a world map. Dots on the map represent specific regions, helping to visualize where anomalies or vulnerabilities are located.

How can I check which anomaly is affecting the most resources and the least resources?

The “All Anomalies” feature in Saner CSPA offers a visual representation of both anomalous and normalized data indicators.

The red tiles highlight critical issues that require immediate attention, while the green tiles provide assurance about resource categories that are not problematic.

Anomalous data is displayed in red tiles, with each tile representing a specific category of detected anomaly in the cloud environment. Each red tile includes the following information:

— Anomaly ID (for example, CSPA-AWS-2024-0078)

— A brief description of the anomaly (for example, “frequent CloudTrail console login events”)

— A count displayed on each tile that indicates the frequency or occurrence of that specific anomaly

Green tiles represent normalized data, indicating resource categories that do not have any anomalies.

What constitutes posture anomalies in the cloud environment?

Misconfigurations, policy violations, or deviations from best practices in cloud environments; typically, these lead to data breaches, downtime, or other risks.

What does the Posture Anomaly visualization in Saner CSPA dashboard display?

The column-based view provides detected anomalies in cloud environments, prioritizing fixes based on confidence levels, affected resources, severity, and compliance with regulatory requirements.

What kind of issues does the Posture Anomaly view convey?

The view highlights issues such as lacking multi-factor authentication (MFA), outdated credentials, service disruptions, vulnerabilities, and region-specific anomalies.

How do I track findings from the Saner CSPA dashboard?

In the Posture Anomaly visualization view within the CSPA dashboard, see the ID column that represents the unique identifier of each anomaly detection rule (for example, CSPA-AWS-2023-004). Use this ID to search and track findings.

What does each column in the Posture anomaly view describe?

Refer to the topic “Understand the Common Elements and Standard Operations” for related details.

What details can users access by clicking the anomaly “ID” or “more” in the “Summary”?

Users can view additional information like a brief summary, anomaly data, status, trends over time, and region-wise mapping.

What actions can users perform in the additional details view?

— Sorting and filtering anomalies

— Viewing the security posture of anomalous and normalized resources

— Searching using keywords

— Selecting the number of records to display

— Exporting data to a spreadsheet (CSV)

— Toggling the display of whitelisted anomalies

How do regional insights help in addressing anomalies?

Users can focus on geographically critical areas, ensuring anomalies are resolved in regions that may have higher operational or compliance significance.

Why is it important to prioritize fixes based on confidence levels and severity?

Prioritizing ensures that critical issues with a high likelihood of impact are addressed first, minimizing risks to cloud environments.

Can I customize the views to focus on specific types of anomalies?

Yes, users can filter by categories, regions, or other parameters to focus on specific anomalies of interest.

How to Exclude Anomalies in Saner CSPA?

Saner CSPA allows you to assess and exclude specific anomaly IDs from scans. Follow these steps to whitelist anomalies:

Whitelist from the Dashboard:
Step 1: Navigate to the CSPA dashboard
Step 2: Click the Whitelist link
Step 3: Select the anomaly IDs you wish to exclude by checking their corresponding checkboxes
Step 4: Click Save to confirm your changes

Whitelist Individual Resources:
Step 1: Open the Posture Anomaly Details page
Step 2: Click on the individual anomaly ID you want to exclude
Step 3: Click Save to confirm your changes

How to view the Whitelisted IDs?

To review your whitelisted IDs:
Step 1: Navigate to the Posture Anomaly Details section on the dashboard
Step 2: Click the eye icon to view all whitelisted IDs

Copyright 2025 - SecPod. All Rights Reserved. Privacy Policy.
SanerNow Version 6.3.x