
Stop Playing 'Spot the Difference' With Your Security Data

{P}eelOps Team
Jan 20, 2025

You know that sinking feeling.

Something changed in your AWS environment. You're 90% sure that security group didn't have port 22 open to the world yesterday. But now it does. And you need to figure out when it happened, who did it, and whether you should start updating your resume.

So you pull up yesterday's output. Then today's output. Two walls of JSON. Hundreds of lines each. Your eyes start to blur. You're pretty sure you just scrolled past the same line twice.

This is what execution comparison was built to fix.


Why This Matters (A Real Story)

Last month, one of our beta users got a call from their CISO: "Are we exposed to that new RCE vulnerability?"

They needed to check which EC2 instances were running the affected software. They'd run the same command three days ago during routine checks. But now? Something was different in the output. Twenty new instances had spun up.

Old way: Export both results, paste into a diff tool, manually parse the differences, spend 20 minutes building a timeline.

With execution comparison: Side-by-side view, differences highlighted, answer in 30 seconds.

That's 19.5 minutes they got back. The CISO got their answer before the coffee got cold.


How It Actually Works

Every time you run a command in {P}eelOps, we save the results. Not just the data - the full context: timestamp, parameters, which connector, everything.

Then when you need to compare, we do the heavy lifting.

The Three-Click Workflow

  1. Go to Executions - Find the two runs you want to compare
  2. Select and Compare - Hit the compare button
  3. See What Changed - Differences highlighted in living color

That's it. No exports. No external tools. No copy-paste gymnastics.

What You'll See

The comparison view highlights:

  • Green = Added - New entries that appeared since last time
  • Red = Removed - Things that were there before but aren't now
  • Orange = Modified - Same item, different values

Both panels scroll together. Click to expand nested objects. Focus on what matters.


Real Scenarios (Because Theory Is Boring)

"Who Added That Security Group Rule?"

You run your weekly AWS security group audit. The comparison shows a new inbound rule on port 3389 (RDP) from 0.0.0.0/0.

That's... not great.

You can see exactly when it appeared (between last Tuesday and today), which gives your investigation a starting point. Check CloudTrail for that timeframe. Find the culprit. Fix the rule. Update your access policies so it doesn't happen again.

Time to discovery: 30 seconds. Time it would have taken manually: "I'll get to it after lunch" (which means tomorrow).
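
The added / removed / modified classification, applied to this security group scenario, as an added example (not {P}eelOps code and not a description of how the product is implemented). It assumes two saved snapshots shaped like `aws ec2 describe-security-groups` output; the sample data and group ID are constructed, and only IPv4 ranges are examined.

```python
ADMIN_PORTS = {22, 3389}  # SSH and RDP, the two ports the article mentions

# Constructed sample data, shaped like `aws ec2 describe-security-groups` output.
def _sg(*perms):
    return {"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c} for c in cidrs]} for p, cidrs in perms]}]}

YESTERDAY = _sg((443, ["0.0.0.0/0"]), (22, ["10.0.0.0/8"]), (8080, ["10.0.0.0/8"]))
TODAY = _sg((443, ["0.0.0.0/0"]), (22, ["10.0.0.0/8", "0.0.0.0/0"]),
            (3389, ["0.0.0.0/0"]))

def flatten(snapshot):
    """Map (group id, protocol, from port, to port) -> set of source CIDRs."""
    rules = {}
    for group in snapshot["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            key = (group["GroupId"], perm["IpProtocol"],
                   perm.get("FromPort"), perm.get("ToPort"))
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            rules.setdefault(key, set()).update(cidrs)
    return rules

def compare(old_snapshot, new_snapshot):
    """Classify rules as added, removed or modified between two runs."""
    old, new = flatten(old_snapshot), flatten(new_snapshot)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "modified": {k: (old[k], new[k])
                     for k in old.keys() & new.keys() if old[k] != new[k]},
    }

def newly_world_open(diff):
    """Rules that gained 0.0.0.0/0 on a range covering an admin port."""
    gained = dict(diff["added"])
    gained.update({k: nw - od for k, (od, nw) in diff["modified"].items()})
    hits = []
    for (gid, proto, lo, hi), cidrs in gained.items():
        if "0.0.0.0/0" not in cidrs:
            continue
        # IpProtocol "-1" means all traffic and carries no port range.
        ranged = lo is not None and hi is not None
        if proto == "-1" or (ranged and any(lo <= p <= hi for p in ADMIN_PORTS)):
            hits.append((gid, proto, lo, hi))
    return sorted(hits, key=str)

if __name__ == "__main__":
    print(newly_world_open(compare(YESTERDAY, TODAY)))
```

A rule that already allowed 0.0.0.0/0 in the older snapshot is not reported, so the result narrows the CloudTrail search to the window between the two runs.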

"Did Someone Get Admin Rights They Shouldn't Have?"

Daily Okta admin user check. Yesterday: 5 admins. Today: 6 admins.

The comparison shows exactly who was added. You didn't approve this. Neither did your manager.

Turns out someone's "temporary" elevated access from last month's project never got revoked. The comparison caught what the ticketing system forgot.

"What Changed Before the Outage?"

Production went down at 3 PM. You have execution history from your hourly checks. Compare 2 PM to 3 PM.

Three EC2 instances disappeared from the load balancer. That's your smoking gun. Now you know where to look in the deployment logs.


Pro Tips From the Trenches

Set Up Scheduled Commands

Use the Tracker feature to run your critical checks automatically. Daily Okta admin reviews. Weekly AWS security group audits. Hourly production health checks.

This builds your baseline automatically. When something breaks, you'll have the "before" snapshot ready.

Focus on the Scary Stuff

Not every change is worth investigating. Prioritize:

  • IAM policies and permissions (who can do what)
  • Security group and firewall rules (what's exposed)
  • Admin and privileged accounts (who has the keys)
  • Critical resource configurations (what keeps the lights on)

Create Comparison Alerts

Set up notifications for tracked commands. When the comparison detects changes, you get an alert. You don't have to remember to check - the system tells you when something moved.


The Bottom Line

Look, we're not going to pretend this is revolutionary AI blockchain quantum computing.

It's a diff tool. Built for security and IT data. Understands JSON structure. Works on your phone. Saves everything automatically so you have the history when you need it.

Sometimes the best features aren't flashy. They just save you from squinting at two walls of text at 11 PM, wondering if you're comparing the right files, while your Slack notifications pile up.

Your eyes will thank you. Your on-call rotation will thank you.


Try it: Run any command twice, then hit Compare. See what we mean.
