View Discovery Snapshots
Every time an adapter runs discovery, AttackLens creates a snapshot: a point-in-time record of each resource found in the connected cloud account. Snapshots are the raw data that feeds the asset inventory, posture evaluation, and attack graph.
INFO
Requires Auditor role or higher.
What is a Snapshot?
A snapshot captures the complete state of a single discovered resource at a specific point in time. Each snapshot contains:
- Resource ID: The provider-specific unique identifier (e.g., an Azure Resource ID, AWS ARN, or GCP resource name).
- Resource Type: The provider-specific resource type (e.g., Microsoft.Compute/virtualMachines, AWS::EC2::Instance).
- Provider: Which cloud provider the resource belongs to (Azure, AWS, GCP).
- Properties: Every configuration attribute collected from the provider's API, including security-relevant settings like encryption, network exposure, and IAM bindings.
- Tags: User-defined labels attached to the resource in the cloud provider.
- Captured At: The exact timestamp when this snapshot was taken.
AttackLens maintains a history of snapshots for each resource. The most recent snapshot is marked as the latest and is used for posture evaluation and attack graph computation.
Viewing Snapshots
Navigate to Discovery > Snapshots to view the snapshot list.
The snapshot list shows all latest snapshots across all adapters. You can filter the list by:
- Resource type: Show only snapshots for a specific resource type (e.g., virtual machines, storage accounts).
Each entry in the list displays:
| Field | Description |
|---|---|
| Resource ID | The unique identifier of the discovered resource. |
| Resource Type | The provider-specific type of the resource. |
| Provider | The cloud provider (Azure, AWS, GCP). |
| Captured At | When the snapshot was taken. |
Snapshot Detail
Click a snapshot to view its full detail.
The snapshot detail page displays:
Resource Identification
- Resource ID: The full provider-specific identifier.
- Resource Type: The exact resource type string.
- Provider: The cloud provider.
- Adapter Connection: Which adapter collected this snapshot.
Properties
The properties section shows every attribute collected from the provider's API. Properties are displayed as a structured key-value list and include:
- Basic metadata: Name, location/region, creation time, status.
- Configuration: Size, tier, SKU, version, and other service-specific settings.
- Security settings: Encryption at rest, encryption in transit, TLS version, public access settings.
- Network configuration: IP addresses, subnets, firewall rules, NSG associations.
- IAM bindings: Role assignments, policies, service account bindings.
- Computed properties: AttackLens-calculated properties prefixed with _computed_* that summarize security-relevant state (e.g., _computed_isPublic, _computed_encryptionEnabled).
TIP
Computed properties (prefixed with _computed_) are calculated by AttackLens during discovery. They normalize provider-specific settings into consistent boolean or categorical values that can be evaluated by security policies across all providers.
Tags
Tags are the user-defined labels from the cloud provider. They are displayed as key-value pairs and are useful for filtering and organizing resources.
Snapshot History and Resource Diff
AttackLens keeps historical snapshots for each resource. When a new discovery run occurs, the previous snapshot is superseded by the new one. This allows you to see how a resource's configuration has changed over time.
How Diffs Work
When a discovery run completes, AttackLens compares the new snapshot against the previous one for each resource:
| Change Type | Description |
|---|---|
| New | The resource was not found in the previous discovery run. This is the first time it appears. |
| Removed | The resource was present in the previous run but is no longer detected. It may have been deleted or moved out of scope. |
| Changed | The resource exists in both runs, but one or more properties have different values. |
| Unchanged | The resource exists in both runs with identical properties. |
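The classification in the table above, as an added Python example that is not AttackLens code: it diffs two constructed discovery runs per attribute and lists resources whose computed properties (the two named on this page) moved to a risky value. The `{resource_id: properties}` layout, the sample resource IDs, and the function names are assumptions for illustration.

```python
MISSING = object()  # marks an attribute absent from one of the two snapshots
def flatten(props, prefix=""):
    """Flatten nested properties to dotted paths so changes are reported per attribute."""
    flat = {}
    for key, value in props.items():
        if isinstance(value, dict) and value:
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[prefix + key] = value  # lists compare by equality, order included
    return flat

def diff_runs(previous, current):
    """Map resource ID -> (change type, {path: (old, new)}) for two discovery runs."""
    result = {}
    for rid in previous.keys() | current.keys():
        if rid not in previous:
            result[rid] = ("new", {})
        elif rid not in current:
            result[rid] = ("removed", {})
        else:
            old, new = flatten(previous[rid]), flatten(current[rid])
            delta = {p: (old.get(p, MISSING), new.get(p, MISSING))
                     for p in old.keys() | new.keys()
                     if old.get(p, MISSING) != new.get(p, MISSING)}
            result[rid] = ("changed" if delta else "unchanged", delta)
    return result

# Computed flags named on this page, with the value that warrants a closer look.
RISKY = {"_computed_isPublic": True, "_computed_encryptionEnabled": False}

def security_regressions(diff):
    """Changed resources where a computed flag moved to its risky value."""
    return sorted(rid for rid, (kind, delta) in diff.items() if kind == "changed"
                  and any(delta.get(f, (None, None))[1] is bad for f, bad in RISKY.items()))

# Constructed sample runs; the {resource_id: properties} layout is an assumption.
PREVIOUS = {
    "arn:aws:s3:::example-logs": {"_computed_isPublic": False, "acl": {"public": False}},
    "arn:aws:s3:::example-backups": {"_computed_encryptionEnabled": True},
    "arn:aws:s3:::example-old": {"_computed_isPublic": False},
}
CURRENT = {
    "arn:aws:s3:::example-logs": {"_computed_isPublic": True, "acl": {"public": True}},
    "arn:aws:s3:::example-backups": {"_computed_encryptionEnabled": True},
    "arn:aws:s3:::example-new": {"_computed_isPublic": False},
}

if __name__ == "__main__":
    print("review:", security_regressions(diff_runs(PREVIOUS, CURRENT)))
```

A resource reported as removed carries no property delta, so confirm separately whether it was deleted or moved out of the adapter's scope.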
Reviewing Changes
Changes between snapshots are surfaced in several places:
- Adapter detail page: The last sync summary shows the count of new, removed, and changed resources.
- Asset detail page: The asset's discovery section shows the latest snapshot data and highlights any recent changes.
- Dashboard: The discovery widget shows overall resource counts and recent changes.
Filtering Snapshots by Resource Type
To view snapshots for a specific resource type:
- Navigate to Discovery > Snapshots.
- Use the resource type filter to select one or more types.
This is useful when you want to inspect all resources of a particular kind -- for example, reviewing all storage accounts to check encryption settings, or all virtual machines to verify security group associations.
Statistics
Navigate to Discovery > Stats to view aggregate statistics about the discovery data:
- Total snapshot count: The total number of resource snapshots across all adapters.
Snapshot Retention
AttackLens retains the latest snapshot for each resource indefinitely. Historical snapshots (non-latest) are retained according to the configured retention policy. This ensures that current resource data is always available for posture evaluation while keeping storage usage manageable.
Next Steps
- Understand discovery for a conceptual overview of the discovery process.
- Manage adapters to configure and monitor your adapter connections.
- Trigger a manual discovery to create new snapshots immediately.