Runtime (CDR) module
The Runtime page is the home for cloud audit-log detections. Two stacked sections: findings (events) and incidents (grouped events).
Findings
Individual events that match a CDR rule. Each one has:
| Column | Notes |
|---|---|
| Severity | CRITICAL / HIGH / MEDIUM / LOW. |
| Time | Event timestamp. |
| Rule | The detection name. |
| Identity | Who performed the action. |
| Source IP | Caller IP. |
| Region | Cloud region. |
| Resource | Target ARN / ID. |
| MITRE | The mapped ATT&CK technique. |
| Status | OPEN, INVESTIGATING, RESOLVED, FALSE POSITIVE. |
Incidents
Auto-grouped findings that share an actor (identity, source IP) and a time window. An incident with eight privilege-escalation findings from one identity is one thing to triage, not eight.
| Column | Notes |
|---|---|
| Title | Auto-generated from the dominant tactic. |
| Severity | Maximum across grouped findings. |
| Status | OPEN, INVESTIGATING, CONTAINED, RESOLVED. |
| Identity | The common actor. |
| Findings | Count of grouped events. |
| First / Last seen | Time window. |
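The grouping rule above, worked through as an added example (not the product's own code): findings that share an identity and source IP and fall within a time window are merged, the incident severity is the maximum of its findings, and the title comes from the dominant tactic. The 30-minute window, the field names and the sample findings are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample findings (not real audit-log events); times are ISO 8601.
SAMPLE_FINDINGS = [
    {"time": "2024-05-01T10:00:00", "rule": "AttachUserPolicy to self", "identity": "svc-deploy",
     "source_ip": "203.0.113.7", "severity": "HIGH", "tactic": "Privilege Escalation"},
    {"time": "2024-05-01T10:04:00", "rule": "CreateAccessKey for other user", "identity": "svc-deploy",
     "source_ip": "203.0.113.7", "severity": "CRITICAL", "tactic": "Privilege Escalation"},
    {"time": "2024-05-01T10:06:00", "rule": "ListBuckets burst", "identity": "svc-deploy",
     "source_ip": "203.0.113.7", "severity": "LOW", "tactic": "Discovery"},
    {"time": "2024-05-01T14:00:00", "rule": "StopLogging", "identity": "svc-deploy",
     "source_ip": "203.0.113.7", "severity": "HIGH", "tactic": "Defense Evasion"},
    {"time": "2024-05-01T10:05:00", "rule": "ConsoleLogin without MFA", "identity": "alice",
     "source_ip": "198.51.100.2", "severity": "MEDIUM", "tactic": "Initial Access"},
]


def group_incidents(findings, window=timedelta(minutes=30)):
    """Group findings by actor (identity, source_ip). A finding joins the actor's most
    recent incident if it lands within `window` of that incident's last-seen event,
    otherwise it opens a new incident. Incidents come back in first-seen order."""
    incidents = []
    for f in sorted(findings, key=lambda x: x["time"]):
        t = datetime.fromisoformat(f["time"])
        actor = (f["identity"], f["source_ip"])
        # Events are processed in time order, so the newest incident for this actor is
        # the only one that can still be inside the window.
        inc = next((i for i in reversed(incidents)
                    if i["actor"] == actor and t - i["last_seen"] <= window), None)
        if inc is None:
            inc = {"actor": actor, "first_seen": t, "last_seen": t, "findings": [], "status": "OPEN"}
            incidents.append(inc)
        inc["findings"].append(f)
        inc["last_seen"] = t
    for inc in incidents:
        # Severity = maximum across grouped findings; title = dominant tactic + actor.
        inc["severity"] = max((f["severity"] for f in inc["findings"]), key=SEVERITY_RANK.__getitem__)
        tactic, _ = Counter(f["tactic"] for f in inc["findings"]).most_common(1)[0]
        inc["title"] = f"{tactic} by {inc['actor'][0]}"
        inc["count"] = len(inc["findings"])
    return incidents
```

Run against the sample, the three svc-deploy events between 10:00 and 10:06 collapse into one CRITICAL "Privilege Escalation" incident, while the 14:00 StopLogging event is far outside the window and becomes its own incident.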
Click an incident to open the detail panel:
- Timeline of every grouped finding, in chronological order.
- MITRE tactics chart showing which phases of the kill chain are present.
- Suggested response actions (Disable user, Revoke session, Detach policy, ...).
- Notes field for collaborative investigation.
Filters
- Severity, Status.
- Cloud provider.
- MITRE tactic: Privilege Escalation, Discovery, Persistence, Defense Evasion, ...
- Identity: free text.
- Source IP: free text.
Response actions
For supported detections we surface response actions:
| Action | Effect |
|---|---|
| Disable user | Suspends the IAM identity (cloud-specific). |
| Revoke session | Invalidates active console / API tokens. |
| Detach policy | Removes a recently-attached policy. |
| Quarantine SG | Replaces a security group's rules with deny-all. |
By default all are suggestions only. Auto-execution is opt-in per rule, in Settings → Notifications → CDR.
Tips
- Group by identity in the findings tab to see which accounts are noisiest.
- Cross-reference with CIEM. If the actor is a service account flagged as over-privileged, the incident is significantly more dangerous.
- Enable auto-response carefully. Auto-disabling an IAM user is final; recovering can be painful. Start with notification-only and graduate to auto-response once you trust the rules in your environment.
What's next
- CDR concept
- CIEM module, the posture sibling