CloudGuard Log.ic Explorer

In this topic:

    Introduction

    CloudGuard Dome9 Log.ic is a tool to visualize and help you analyze network traffic and event activity on AWS cloud accounts. It gathers and presents information from AWS logs for your cloud accounts, enriched with information from additional sources such as threat intelligence feeds, and IP reputation and geolocation databases.

    There are two main views in the Explorer. You can view network activity, from VPC Flow Logs, in the Network Logs view, and activity on your account resources, from CloudTrail logs, in the Account Activity view.

    You can use queries for both views to show specifically filtered information.

    Benefits

    • quickly identify unwanted traffic, from unknown or suspicious sources
    • identify gaps in cloud security settings or misconfigurations
    • monitor and analyze user activity on your cloud environments for unusual behavior

    Magellan Explorer Views

    Network Logs

    The Network Logs view shows you a visualization of network traffic in your cloud environment. You can use this to identify traffic from unwanted sources, or gaps in network security settings (which you can then fix using other features of Dome9), as well as activity

    CloudGuard Log.ic analyzes network flow logs to visualize the activity on your cloud network. Using queries you can filter this information to show traffic of interest. Dome9 has included many common queries with CloudGuard Log.ic, and you can create additional custom queries with a graphical query builder based on the Dome9 Governance Specification Language (GSL).

    CloudGuard Log.ic combines cloud inventory and configuration information with real-time monitoring data from a variety of sources, including VPC Flow Logs, CloudTrail, GuardDuty and Inspector, as well as current threat intelligence feeds, and IP reputation and geolocation databases. The result is an enhanced visualization that distinguishes suspicious traffic from legitimate traffic. For example, sources of network traffic from other AWS elements are shown according to type, and malicious external sources are marked as such. Similarly, outbound network traffic from your account to a suspicious external destination on the internet will 

    CloudGuard Log.ic can give you near real-time views of network activity. You can also view and analyze past network activity. You can configure it to send you real-time alerts for specific events or event types that occur in your cloud environment, so that you are aware of them and able to respond immediately.

    Account Activity 

    The Account Activity view shows activity on your cloud account resources, based on AWS CloudTrail logs.

    Queries 

    You can use queries with the Explorer to filter the information, to show specific network information of interest. These queries are built with the Dome9 Governance Specification Language (GSL), similar to queries for Compliance assessments.

    CloudGuard Log.ic includes several built-in queries, covering a range of common situations that could apply to your cloud environment. You can use these queries out of the box to quickly visualize traffic on your cloud environments. For example:

    • Inbound traffic - shows all inbound traffic
    • Rejected traffic - shows all rejected traffic to or from your VPC
    • Malicious accepted traffic - shows traffic that was accepted by your network but originated from malicious IP addresses (as determined by threat intelligence sources)

    You can also define custom queries, to filter for specific information not covered by built-in queries. 

    Build Queries

    CloudGuard Log.ic has a graphical query builder that you can use to create and test queries. Use this to quickly build queries that are readable and intuitive. Alternatively, you can enter the query directly as text, using the GSL syntax. For example, you can copy the text from an existing query, modify it, and then save it as a new query.

    The examples below illustrate how to create queries using both of these methods.

    Example 1: create a query using graphic query builder 

    Rules are built up in the Rule GSL box, based on entities and operators that appear below the box. The set of entities and operators that is shown varies incrementally according to the context of the query as you develop it.

    1. Select your cloud account from the dropdown list in the upper right corner.
    2. Select the timeframe. The query will search for and retrieve events in this period of time.
    3. Select the GSL Builder button. This opens the GSL builder page. The rule is built in the Rule GSL box, on the left. You build the rule incrementally: at each stage, the entities that you can select are shown under the box, according to the context of the rule as it is being built. On the right is a dictionary of all the entities you can select, and the data type for each (use this when creating a rule using Free Text).

    4. Select the source (vpcfl or cloudtrail). This is the first item to be selected in a GSL rule, and is the AWS source of the log information. vpcfl (VPC Flow Logs) is used for network queries, and cloudtrail (CloudTrail logs) for account activity queries.
    5. Next, select a condition (where). This is the only option at this stage. After this, you can select a left parenthesis, to open a clause, or a property of the source entity.
    6. Select a property from those shown (status, protocol, action, src, etc.). In this example, select src. You can then select additional properties, to qualify the src property.
    7. Select another property to qualify src. In this example, select address, giving src.address.
    8. Select an operator (=, like, regexMatch) and an argument. In this example, select the function isPublic() instead, which does not require an operator. This gives the query vpcfl where src.address isPublic().
    9. Click the run button to run the query. The results show all traffic that originates from a public IP address, and appear in the Network Logs Explorer view.
    10. Click the back button to return to the query builder, or the save button to save the query.
    11. To delete a clause in the query, hover over it and click the delete icon.

    Example 2: create a query by entering text directly

    You can enter the text for a query directly in the Free Text box. To create the same query as in the previous example,

    1. Select the Free Text tab.
    2. Enter the text of your query in the text box. For example, enter
      vpcfl where src.geolocation.countryname='China' and action='ACCEPT' or protocol isPrivate() or packets isEmpty()
    3. Click the run button to run the query.
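    The query structure that the two examples above walk through (a source, where, a dotted property path, then an operator with a quoted argument or an argument-less function, combined with and, or and parentheses), as an added Python example that is not part of the Dome9 product or this page: a small evaluator for that GSL subset, run over constructed, enriched flow-log records. The record layout, the precedence of and over or, the form property regexMatch 'pattern', and the isPublic()/isPrivate() definition (outside or inside RFC 1918 space) are assumptions; like is not implemented.

```python
import functools
import ipaddress
import re

# Constructed enriched flow-log records (sample data, not real logs); src.geolocation is the enrichment
RECORDS = [{"src": {"address": a, "geolocation": {"countryname": c}}, "action": act, "protocol": p, "packets": n}
           for a, c, act, p, n in (("203.0.113.7", "China", "ACCEPT", "6", 12), ("10.0.2.9", "US", "REJECT", "17", 0),
                                   ("198.51.100.23", "Germany", "REJECT", "6", 3), ("192.168.4.4", "US", "ACCEPT", "6", 5))]
# Assumption: private means RFC 1918; any other string that parses as an IP address counts as public
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def _priv(v):  # True/False for an IP address string, None for anything else (e.g. a protocol number)
    try:
        return any(ipaddress.ip_address(v if isinstance(v, str) else "") in net for net in PRIVATE)
    except ValueError:
        return None
# Functions (isPublic() etc.) ignore the argument; operators compare the property with the quoted argument
HANDLERS = {"isPrivate": lambda v, a: _priv(v) is True,
            "isPublic": lambda v, a: _priv(v) is False,
            "isEmpty": lambda v, a: v in (None, "", "-", 0),  # '-' is what flow logs use for no data
            "=": lambda v, a: str(v) == a,
            "regexMatch": lambda v, a: re.search(a, str(v)) is not None}
def lookup(rec, path):  # resolve a dotted property path such as src.geolocation.countryname
    return functools.reduce(lambda d, k: d.get(k) if isinstance(d, dict) else None, path.split("."), rec)

class GslQuery:  # '<source> where <expr>'; 'and' binds tighter than 'or', parentheses group (assumptions)
    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|=|'[^']*'|[A-Za-z_][\w.]*(?:\(\))?", text)
        self.source, self.pos = self.toks[0], 2  # toks[1] is 'where'; source is vpcfl or cloudtrail
        self.tree = self._chain("or", lambda: self._chain("and", self._atom, all), any)
    def _chain(self, kw, sub, combine):  # sub (kw sub)* -> one predicate over a record
        terms = [sub()]
        while self.toks[self.pos:self.pos + 1] == [kw]:
            self.pos += 1
            terms.append(sub())
        return lambda rec: combine(t(rec) for t in terms)
    def _atom(self):
        tok, self.pos = self.toks[self.pos], self.pos + 1
        if tok == "(":  # parenthesised clause, as opened with '(' in the GSL builder
            inner = self._chain("or", lambda: self._chain("and", self._atom, all), any)
            self.pos += 1  # consume the closing ')'
            return inner
        op, self.pos = self.toks[self.pos], self.pos + 1  # tok is the property path
        if op.endswith("()"):  # a function needs no operator or argument
            return lambda rec, f=HANDLERS[op[:-2]]: f(lookup(rec, tok), None)
        arg, self.pos = self.toks[self.pos].strip("'"), self.pos + 1
        return lambda rec, f=HANDLERS[op]: f(lookup(rec, tok), arg)
    def run(self, records):
        return [r for r in records if self.tree(r)]
```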

    Run Queries

    Queries are run from one of the Explorer views.

    Explore Network Logs

    Select a query from the query menu. A description of the query, and its GSL definition, are shown on the right. Queries marked as based on VPC Flow Logs open the Explorer Network Logs view when run. Select a cloud account in the upper right, and a time frame, then click the run button.

    The results of the query are shown in the Network Logs Explorer view, for the selected account.

    This view has the following elements:

    • The query is shown at the top.

    • The account on which the query is applied, and the timeframe, are in the upper right. The timeframe is the period of time back from the present time for traffic to be included in the query.

    • The network traffic in the selected account, based on the query and the timeframe. The traffic is grouped into three zones, External, Implicitly Private, and Internal, according to the exposure of the entity to the internet (this is similar to the Clarity view). External entities are exposed (have internet addresses), while Internal entities have no exposure to the internet. 

    • Statistics for the displayed network traffic are shown on the right. The statistics depend on the nature of the query (for example, when the query filters for malicious traffic).

    • Click the menu button on the left to open the Query menu. This shows the queries available for the current view. The Dome9 Queries tab shows predefined queries, while My Queries shows custom queries that you have defined yourself (described above). Predefined queries are further grouped into categories.

    Controls

    You can control the Network Logs Explorer view with these controls:

    • zoom: select a point in the center section of the view, and use your mouse scroll wheel to zoom the display in or out.
    • select an entity, or a connection between entities, to show its details in the pane on the right.
    • group entities (Declutter) to simplify the view.
    • VPC logs (enriched): click one of the segments in the view, and then click the VPC logs button in the upper right, to show the AWS VPC Flow Logs for the filtered items in the view, including geolocation and classification (for example, malicious).

      The VPC logs are enriched with additional information from other sources, such as geolocation and malicious-source classification, that Dome9 correlates with the information in the VPC logs.
    • auto refresh: enable Auto Refresh, in the upper right, to update the view automatically at the selected refresh period.

    Explore Activity logs

    Run a query marked as based on CloudTrail logs to show account activity in the Account Activity view. The results of the query are shown in the Account Activity Explorer view, for the selected account.

    The view shows a list of events, with details about source, user, and type. The statistics pane on the right shows summary details for all events in the view.

    Click on an entry to show more detail.
