Insight Rules
Insight rules are the detection logic that powers the Insights feed. Each rule is defined by a state bot model that evaluates its condition against your context graph and raises an alert for each resource that meets that condition.
How Insight Rules Work
Each insight rule consists of:
| Component | Description |
|---|---|
| Query | A Gremlin traversal or SQL query that identifies resources matching a security condition |
| Severity | Critical, High, Medium, or Low — determines how the insight is prioritized |
| Analyzer | The analyzer the rule belongs to (e.g., AWS IAM, Code Security) |
| Alert Template | The message shown when the rule triggers |
When a rule evaluates, it checks each resource against the query condition. If the condition is met and that resource was not previously flagged by the rule, a new insight is created for it. If the condition is no longer met, the insight is closed automatically. An insight therefore tracks the state of one resource against one rule, so remediating the underlying condition closes it without manual action.
Enabling and Disabling Rules
You can enable or disable individual insight rules from the Insights page:
- Navigate to Insights
- Find the insight rule you want to manage
- Toggle the rule's enabled/disabled status
When a rule is disabled:
- No new alerts are created for that rule
- Existing open alerts remain visible; alerts that were already closed are not reopened
- The rule still evaluates in the background so that existing alerts are closed once their condition is remediated
- Alerts belonging to a disabled rule are excluded from the security risk score calculation
When a rule is re-enabled:
- New alerts will be created for any resources that match the rule condition
- The rule resumes contributing to the security risk score
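The evaluation lifecycle and the disable/re-enable behaviour above can be seen end to end in the following simulation. It is an added example, not the product's own engine: the SQLite table that stands in for the context graph, the sample IAM users, the rule, the severity weights used for the risk score, the choice to reopen a closed insight record rather than create a fresh one when a resource matches again, and every class and function name are assumptions made for illustration.

```python
"""Simulated insight-rule evaluation: open/close lifecycle plus the effect
of disabling and re-enabling a rule. Added example, not the product's code;
the data, rule, weights and names below are assumptions for illustration."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str        # Critical / High / Medium / Low
    analyzer: str        # e.g. "AWS IAM"
    query: str           # SQL returning one column: ids of matching resources
    alert_template: str  # message shown when the rule triggers


@dataclass
class Insight:
    rule: str
    resource: str
    message: str
    status: str = "open"  # "open" or "closed"


# Assumed weights for the risk score; the page does not state the formula.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}


class InsightEngine:
    def __init__(self, db: sqlite3.Connection) -> None:
        self.db = db
        self.rules: dict[str, Rule] = {}
        self.enabled: dict[str, bool] = {}
        self.insights: dict[tuple[str, str], Insight] = {}  # keyed (rule, resource)

    def add_rule(self, rule: Rule, enabled: bool = True) -> None:
        self.rules[rule.name] = rule
        self.enabled[rule.name] = enabled

    def set_enabled(self, name: str, enabled: bool) -> None:
        self.enabled[name] = enabled

    def evaluate(self) -> None:
        """One evaluation pass over every rule, enabled or not."""
        for rule in self.rules.values():
            matching = {row[0] for row in self.db.execute(rule.query)}
            # Close insights whose resource no longer meets the condition.
            # Runs for disabled rules too, so existing alert states stay current.
            for (rname, res), ins in self.insights.items():
                if rname == rule.name and ins.status == "open" and res not in matching:
                    ins.status = "closed"
            if not self.enabled[rule.name]:
                continue  # disabled: nothing is created or reopened
            for res in matching:
                ins = self.insights.get((rule.name, res))
                if ins is None:  # not previously flagged: create a new insight
                    self.insights[(rule.name, res)] = Insight(
                        rule.name, res, rule.alert_template.format(resource=res))
                elif ins.status == "closed":  # assumption: a re-match reopens the record
                    ins.status = "open"

    def open_insights(self, rule_name: str) -> set[str]:
        return {res for (r, res), ins in self.insights.items()
                if r == rule_name and ins.status == "open"}

    def risk_score(self) -> int:
        """Sum over open insights of enabled rules; disabled rules are excluded."""
        return sum(SEVERITY_WEIGHT[self.rules[r].severity]
                   for (r, _), ins in self.insights.items()
                   if ins.status == "open" and self.enabled[r])


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the context graph."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE iam_user (arn TEXT PRIMARY KEY, "
               "mfa_enabled INTEGER, console_access INTEGER)")
    db.executemany("INSERT INTO iam_user VALUES (?, ?, ?)", [
        ("arn:aws:iam::111122223333:user/alice", 1, 1),
        ("arn:aws:iam::111122223333:user/bob", 0, 1),
        ("arn:aws:iam::111122223333:user/deploy-bot", 0, 0),
    ])
    return db


NO_MFA_RULE = Rule(
    name="iam-console-user-without-mfa", severity="High", analyzer="AWS IAM",
    query="SELECT arn FROM iam_user WHERE console_access = 1 AND mfa_enabled = 0",
    alert_template="IAM user {resource} has console access but no MFA device",
)


def run_scenario() -> dict:
    """Trigger the rule, remediate and drift while it is disabled, re-enable it."""
    db = build_demo_db()
    engine = InsightEngine(db)
    engine.add_rule(NO_MFA_RULE)
    engine.evaluate()
    out = {"after_first": engine.open_insights(NO_MFA_RULE.name),  # {bob}
           "score_enabled": engine.risk_score()}                   # 5
    engine.set_enabled(NO_MFA_RULE.name, False)
    out["score_disabled"] = engine.risk_score()                    # 0: rule excluded
    # bob enrols an MFA device; carol is created without one; rule still disabled
    db.execute("UPDATE iam_user SET mfa_enabled = 1 WHERE arn LIKE '%/bob'")
    db.execute("INSERT INTO iam_user VALUES ('arn:aws:iam::111122223333:user/carol', 0, 1)")
    engine.evaluate()
    out["while_disabled"] = engine.open_insights(NO_MFA_RULE.name)  # set(): bob closed, carol not opened
    engine.set_enabled(NO_MFA_RULE.name, True)
    engine.evaluate()
    out["after_reenable"] = engine.open_insights(NO_MFA_RULE.name)  # {carol}
    return out
```

`run_scenario()` walks the three states the page describes: the first pass opens an insight for bob; while the rule is disabled, bob's insight is closed by the background evaluation but carol's drift is not alerted on and the rule contributes nothing to the score; re-enabling the rule picks carol up on the next pass.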
Insight Rule Severity
Each rule has a fixed severity level that determines its priority in the Insights feed and its weight in risk calculations:
| Severity | Description |
|---|---|
| Critical | Immediate action required — active exploitation risk or severe exposure |
| High | Should be addressed promptly — significant security weakness |
| Medium | Plan to fix — moderate risk that should be tracked |
| Low | Informational — best practice deviation with limited direct risk |
Dynamic Insights
Some insights are generated dynamically based on runtime conditions rather than static rules. Dynamic insights follow the same severity model and appear in the Insights feed alongside rule-based insights. When a dynamic insight triggers, it counts toward the relevant analyzer's active insights.
Relationship to Analyzers
Every insight rule belongs to exactly one analyzer. When you view an analyzer's sightlines, the insight rules for that analyzer are what populate the finding counts and severity breakdowns.
To see which rules belong to an analyzer, navigate to the analyzer page and review its Insight Feed Alerts section.
Related
- Insights — Unified view of all active insights
- Analyzer Groups — How analyzers are organized into security domains