Cloud App Analyzer Application Discovery

This topic explains Cloud App Analyzer’s Application Discovery feature. Application discovery helps you identify applications and their component microservices within your AWS and Azure environments. This makes it easier to understand how these applications and microservices connect and interact, including identifying potential security issues.

Cloud App Analyzer Application Discovery supports AWS EKS (Elastic Kubernetes Service) and Azure AKS (Azure Kubernetes Service). It provides detailed visualization of applications, including clusters, nodes, pods, deployed containers, and other Kubernetes resources.

A microservice, as defined in the context of Cloud App Analyzer, consists of an interconnected set of cloud resources that collectively perform a set of functions or services. These resources can include compute, networking, and database components among others. Microservices work together to form a larger application.

Cloud App Analyzer analyzes applications and represents them in a dependency graph that clearly visualizes connections between microservices. Microservices are shown as clouds with a dotted outline.

Clicking on a microservice in the Application map opens a dependency graph for the selected microservice. The Microservice map clearly visualizes connections and dependencies among resources. The root node is identified by the red flag .

This graph details the application’s structure and highlights elements with security issues, offering a view of the complex relationships within the cloud environment. By showing where vulnerabilities occur within the application, this visual tool helps prioritize security issues based on their placement and impact.

Also, from the Assets & Securities Issues section, when you discover that a resource is used by applications and select Show Graph, the node representing that resource will be highlighted in the displayed graph.

View Discovered Applications

To access the list of discovered applications:

Do the following:

To view AWS applications

Column	Description
Region	Specifies the geographic location of the AWS data center hosting the application.
Application Name	Provides a reference name for the set of resources identified as an application.
Microservices	Number of microservices that make up the application. Click the number to open the list of contained Microservices:
Application's Main Workload ID	Describes the application's primary function or service.
Workload Type	Indicates the types of resources used. Application discovery works for the workloads based on Lambda functions, ECS clusters, ECS tasks and task definitions, ECS services, EC2 instances, and EKS clusters.
Findings	Shows high-level findings including:
Security Issues	Lists the total detected security issues or misconfigurations. You can view these affected components highlighted in the application dependency graph.
Action	Click to open the dependency graphs of the application.

Column	Description
Region	Specifies the geographic location of the AWS data center hosting the application.
Microservice Name	Provides a reference name for the set of resources identified as an application.
Resources	Number of resources that make up the application. Click the number to open the list of contained resources:
Main Workload ID	Describes the application's primary function or service.
Workload Type	Indicates the types of resources used. Application discovery works for the workloads based on Lambda functions, ECS clusters, ECS tasks and task definitions, ECS services, EC2 instances, and EKS clusters.
Findings	Shows high-level findings including:
Security Issues	Lists the total detected security issues or misconfigurations. You can view these affected components highlighted in the dependency graph.
Action	Click to open the dependency graphs of the application.

To view Azure applications

Column	Description
Region	Specifies the geographic location of the Azure data center hosting the application.
Application Name	Provides a reference name for the set of resources identified as an application.
Microservices	Number of microservices that make up the application.
Main Workload ID	Describes the application's primary function or service.
Workload Type	Indicates the types of resources used.
Security Issues	Lists the total detected security issues or misconfigurations. You can view these affected components highlighted in the application dependency graph.
Action	Click to open the dependency graphs of the application.

Search applications and microservices

You can use the search fields on the Discovered Applications and Discovered Microservices lists to filter the list as per the following:

Region
Application name
Microservice name
Workload ID
Workload type
Resource tags
Resource type
Resource labels
Text search

View Workload Statistics

Use the workload statistics feature to see high-level counts of all discovered workloads across your applications. You can view these statistics directly within an application’s details or from the All Accounts view when working in a multi-account environment.

Supported workload types include the following resources:

AWS Workloads:	Azure Workloads:
EKS cluster EKS namespace ECS cluster ECS service ECS task ECS task definition CloudFormation stack EC2 instance Lambda function Container *	EKS cluster EKS namespace Service Fabric cluster Service Fabric managed cluster Virtual machine scale set Virtual machine scale set instance Virtual machine Container app environment Container app Function app Web app Static app Container instance Container **

AWS Workloads:

Azure Workloads:

EKS cluster

EKS namespace

ECS cluster

ECS service

ECS task

ECS task definition

CloudFormation stack

EC2 instance

Lambda function

Container *

EKS cluster

EKS namespace

Service Fabric cluster

Service Fabric managed cluster

Virtual machine scale set

Virtual machine scale set instance

Virtual machine

Container app environment

Container app

Function app

Web app

Static app

Container instance

Container **

* Containers on AWS: Appear only for statistical purposes, reflecting the count of unique container images running within other workloads. For example, if 10 pods use the same container image, they count as one container. Images stored in ECR are excluded from this total.

** Containers on Azure: Follow the same logic as AWS. The count reflects only unique container images currently active. Images stored in ACR do not affect this total.

Viewing Workload Statistics

From an Application or Microservices List Page

Do the following:

Below the page title, locate the Workloads link next to the total number of discovered workloads.

From the Workload Statistics page, click Discovered Applications to return to the main Discovered Applications page.
1. Click Workloads to open the Workload Statistics page, where you can see all discovered workloads.
2. From the Workload Statistics page, click Discovered Applications to return to the main Discovered Applications page.

From All Accounts View

Do the following:

In the All Accounts view, find the Workloads column in the accounts table to see the workload count for each account.

A Total row at the bottom sums all applications and workloads across every account. Two numbers appear:
- The first shows the total on the current page.
- The second, in brackets, shows the grand total across all pages.

Assign Application Names via Resource Tags

For AWS / Azure

You can identify an application or microservice by applying a specific tag to one of its constituent resources. The special tag used for this purpose is:

algosec:app-discovery:app-name

By assigning the algosec:app-discovery:app-name tag to just one resource (for example, a VM Scale Set, subnet, or firewall), the specified app name can propagate to all parent or child resources. Even in complex environments with many microservices, this hierarchical “bubbling up” ensures consistency and simplifies application naming across your infrastructure.

If multiple algosec:app-discovery:app-name tags are present, the system alphabetically sorts these tag values and uses the top entry. This ensures that parent objects with inherited tags consistently and predictably select a single application name.

Example: Tagging Azure Resources

â See also: