Work with Risks

The Risks page provides information on risks across all your on-boarded cloud accounts (such as AWS, Azure, and Google Cloud). From it, you can explore, activate, and suppress whole risks or risk triggers, export risk trigger details, identify affected assets, access rules in the context of their policy sets, and create risk reports.

Risks are determined based on ACE risk profiles. To learn how you can set and manage risk profiles see Manage Risk Profiles .

View risks and risk details

To access the Risks page in ACE, click the RISKS icon on the main menu on the left.

The RISKS page loads, listing risks detected across your cloud inventory on the left and the details of the currently selected risk on the right.

Search and filter risks

Use the Search field to display a Risks list whose titles contain a specific string. The Search field can be used in conjunction with Risk filters to find required risks efficiently.

Risk filters

Use the filters located at the top of the page to view a more focused list of risks. You can filter based on any of the following:

Cloud type
Account
Region
Virtual Networks
Tags
Risk severity
Detection date

Important: Configuring one or more filters can potentially result in no risks matching the filter criteria.

Note:

Multiple values, single values, or no value can be selected for all filters (except Detection date which can have either a single date range or no value selected)
Virtual Networks filter is only enabled when one account is selected
Between filters the Boolean AND operator applies
Between values within a filter, the Boolean OR operator applies
When Detection date has no value selected, the results will show risks detected from when the account was onboarded until the present date.

For more information about tags and working with applications in ACE, see Work with Tags.

Risks list

The left panel gives an overview of all active and suppressed risks, list sorting options, and displays key descriptive elements for each risk listed.

The total number of risks associated with your ACE account.
How many risks are suppressed.
The Sort by selector which indicates the ordering of the list:
- Severity
- Cloud type
- Risk name
- Trigger count
- Assets count
The Sort direction selector.

Risks list entry:

Severity color strip	A thin strip of color indicating the severity of the risk. Red = Critical Orange = High Yellow = Medium Blue = Low Grey box = Suppressed risk (Suppressed risks are listed at the bottom of the list).
Cloud type	The cloud type of the account the risk was found in.
Risk name	A short description of the risk.
Triggers	The number of rules that trigger the risk.
Affected assets	The number and types of assets affected by the risk. Note: For Azure NSG risks, this includes VMs attached either to network interfaces or to network interfaces found within subnets.

Select which risks to export a risks report. For more details, see Export risk and risk trigger details.

Risk summary

When a risk is selected from the Risks list, a full summary of that risk and its Risk triggers appear in the panel to the right.

The risk summary section contains the following information and options:

Risk title	The name of the risk as it appears in the risks list panel.
Risk ID	The ID number assigned to the detected risk. Note: The risk profile that generated the risk is appended to the end of the Risk ID. For details on risk profiles, see Manage Risk Profiles.
Severity	The severity of the risk (critical, high, medium, low).
Asset type	Type of cloud asset (for example, VM, firewall, subnet).
Cloud type	The name of the cloud vendor.
Description	A description of the risk.
Remediation recommendation	The suggested course of action to resolve the risk.
Suppress risk	Click to suppress the risk, including all of its risk triggers. For more details, see Suppress/Activate risks and risk triggers.
Export to CSV	Click the icon to export the list of risk triggers to a CSV file. For more details, see Export risk and risk trigger details.

Risk triggers

The Risk triggers section displays and details the rules that trigger the risk selected in the left panel. In the Risk triggers section, suppressed and active risk triggers are shown in separate views selected using the Risk triggers view filter.

The Risk triggers header includes:

No. of Risk triggers

The number of rules found that trigger the risk. If this number includes suppressed risk triggers, the number of suppressed risk triggers is indicated in parentheses.

Search filter

When used, only the rules whose names contain the filtered text are displayed.

Risk triggers view

Active: See active risk triggers
Suppressed: See risk triggers that have been suppressed

In the Risk triggers list, the following fields are displayed for every risk trigger:

Hierarchical (Google Cloud)

Indicates that the risk is triggered by a rule that comes from a hierarchical policy.

Evidence

This column lists the evidence (the full path to the rule) that triggered the risk. Path details depend on the vendor:

Vendor	Rule Path Details
AWS
Azure NSG
Azure Firewall
Google Cloud	VPC firewall rules: Hierarchical rules:

Tip: Click on a trigger to display the rule in the policy sets in which it is found. This allows you to:

Review the rule definition.
Review the rule in the context of the SG/NSG to which it belongs.
Remediate the risk by modifying or deleting the rule.

Affected assets

Assets affected by the rule.

When multiple assets are affected, a number is displayed in this column. Click on it to see a list of the affected assets.

Note: For Azure NSG risks, if a risk trigger is part of an NSG attached to a subnet then the subnet name is shown as well as the number of affected VMs contained in the subnet. To review the full list of the VMs, use the Export risk and risk trigger details option.

Detected on

Displays the date the risk trigger was first detected.

Note: Accounts onboarded to ACE before this feature was introduced will display the date the feature was released in ACE (26-March-2024) instead of the date the risk trigger was first detected.

Note: The detected date is reset in the following situations:

If an account is removed and then reimported to ACE
For AWS: When a rule is changed

Last used

Shows either the date the rule was most recently used or a status message that varies based on the Security Control:

AWS SG

Azure NSG

Azure Firewall

Azure Firewall (classic)

Google Cloud

Suppress Trigger icon

Click the icon to suppress the rule that is triggering the risk. For details on suppressing / activating risk triggers, see Suppress/Activate risks and risk triggers.

Additional fields for suppressed risk triggers:

Suppressed for

Indicates if this risk is suppressed for:

This risk only
All risks

Date suppressed

The date (mmm-dd-yyyy) the risk was suppressed.

Comment

Click on the

Comment icon to view or edit the suppressed comment.

Suppress/Activate risks and risk triggers

ACE identifies the risks across all your onboarded accounts and displays them on the Risks page; however, you can modify which risks appear by suppressing /activating the risks themselves or the risk triggers that generate the risks.

Suppress/Activate risks

Suppress/Activate risk triggers

Export risk and risk trigger details

Export a snapshot of risks and risk trigger information for easy sharing with relevant stakeholders and further analysis.

Export a risks report to a PDF file

Report	Description
Report Name	The name of the file created when exporting the PDF. Note: ACE by default suggests a report name that includes the current date.
Export Risks	Report options: All risks: Generate a report with all risks matching the risk filters Selected risks: Generate a report with risks selected by the user
Include affected assets count only	When selected (default), the report only displays the number of assets affected by the risk. Deselect the checkbox to include a list of all affected assets in the report.
Description	By default, the description field includes any risk filters selected.

Page Type	Description
Cover Page	Title of the report, the date and time it was generated, the user name of the person that generated it, and the Tenant ID.
Summary Page	Lists The filters on which the report is based. The number of risks, associated triggers, affected assets found. The breakdown of the risks by severity (critical, high, medium and low) with the number of triggers and assets associated with each severity level.
List of Risks	The risks are listed by name, showing their color-coded severity, number of associated triggers and number of affected assets. Each risk name links to its own page in the report describing the risk in detail.
Risk Details Pages	Each Risk Details page provides the following information: Risk title Number of risk triggers Affected assets Risk ID Severity Asset type Risk description Remediation recommendation (when available) Account / Subscription / Project ID Rule details (based on vendor type) Click the Policy name to open the Policy page in ACE to view the policy with the relevant rule highlighted.

Export a risks report to a CSV file

Report	Description
Report Name	The name of the file created when exporting the CSV. Note: ACE by default suggests a report name that includes the current date.
Export Risks	Report options: All risks: Generate a report with all risks matching the risk filters Selected risks: Generate a report with risks selected by the user

Export risk trigger details of a selected risk to a CSV file

Status	Evidence	Affected asset	Private IPs	Public IPs	Subnet ID	Subnet range	Suppress Comment	Date Suppressed
Active	AlgoSecAWSAccount:myserv-1:vpc-252d67c:FF-SG3:inbound	AlgoSecAWSAccount:myserv-2:AwsVPC:vpc-63f825fc:Working broken AMI	142.26.28.61
Suppressed-this risk only	AlgoSecAWSAccount:myserv-1:vpc-252d67c:FF-SG1:inbound	AlgoSecAWSAccount:myserv-1:AwsVPC:vpc-252d67c:VMware SD-WAN Edge by VeloCloud	142.26.9.146		subnet-09616444	172.31.0.0/20	suppressed by John	Nov-08-2020
Suppressed-all risks	AlgoSecAWSAccount:myserv-1:vpc-3562ff0cf3fd6ed37:allow-all-SG:inbound	AlgoSecAWSAccount:myserv-1:AwsVPC:vpc-3562ff0cf3fd6ed37:CKP-CloudGuard-R80.10-SA	10.631.1.5, 10.548.3.4,	52.193.49.104			Suppress comment 1	Nov-09-2020

Access rules in the context of their policy sets

You can access rules in the context of their policy sets from the Risks page.

From the left pane, click on a risk.
Click on a link of interest in the evidence column.

The Network Policies page appears with the relevant policy set showing its inbound and outbound rules tabs.

For each rule, the number of risks at each level is shown by colored-coded circles. Hover over the circles to see the number of risks and the severity level text.

Notes about risk triggers and affected assets

ACE supports risks for policies that are not attached to any network interface, subnet, or virtual machine.

Azure Only: In certain scenarios, an Azure NSG may be protecting several assets, such as VMs, yet a particular NSG rule only safeguards a portion of these assets. This situation often arises when an NSG rule, designed to target a single IP address, is applied to a subnet that encompasses multiple VMs. In such cases, ACE displays in the affected assets result only the VM effectively protected by this rule (the VM holding that specific IP).

In the following example, the NSG incoming rule has a rule destination 10.1.0.3. Although the NSG is applied to a subnet containing 3 virtual machines and to an additional interface with a single virtual machine, ACE only considers VM3 an affected asset because it is the only virtual machine whose traffic is impacted by the rule destination.

Risks and risk triggers are displayed when the risk triggers (SG/NSG rules) belong to the set of rules matching the user input for the following filters:

Cloud type
Account
Region

Work with Risks

View risks and risk details

Search and filter risks

Risk filters

Risks list

Risk summary

Risk triggers

Suppress/Activate risks and risk triggers

Export risk and risk trigger details

Access rules in the context of their policy sets

Notes about risk triggers and affected assets

Sorry about that

Great!