Intelligence Security Events

You can configure Intelligence to trigger an alert when specific events occur in your cloud or cluster network. You or other recipients receive this alert as an email or as a different type of notification, so that you can respond to the event almost immediately.

To receive alerts, you must set up a policy. The policy includes a ruleset with specific Intelligence alert definitions, which are applied to selected cloud environments (VPCs) or Kubernetes clusters. With this policy, you associate a notification that specifies where you want to receive the alerts. Intelligence includes a number of preconfigured, CloudGuard-managed rulesets and policies.

In the Intelligence menu, you can set up your rulesets and policies.

Benefits

  • Automatic and continuous monitoring of your cloud environments and clusters based on queries configured for your enterprise needs

  • Automatic generation of near real-time alerts based on specific events and thresholds, issued to user-configured notification targets

  • Built-in rulesets that cover common enterprise needs and can be applied to your environments and Kubernetes clusters out of the box

Malicious IP Classification

For Intelligence rules that identify malicious IPs, CloudGuard uses Check Point's ThreatCloud technology. The table below explains the meaning of each IP class.

Class: Description

Unclassified: The service could not classify the IP. There is not sufficient data about this resource.

Adware: The IP domains operate in the gray areas of the law, collect private data on users, and show unwanted content or a website that contains a sub-application to download.

[class name missing in source]: The IP domains contain malicious software, for example, hacking websites.

Benign: Legitimate IP that is not malicious.

CnC Server: Command and control of malware.

Compromised Server: Legitimate IP that was hacked and operates a malicious function.

Phishing: The IP domains attempt to get sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), frequently for malicious reasons, by masquerading as a trustworthy entity in electronic communication.

Infection Source: The IP domains can infect their visitors with malware.

Web Hosting: The IP domains offer rented space for hosting websites, on which you can run your business.

File Hosting: The IP domains offer rented storage space, on which you can run your business.

Parked: The IP domains permanently have no content. They may show advertising content on pages that have been registered but do not (at this time) have initial content.

Scanner: The IP is a known Internet scanner.

Anonymizer: The IP is a known Tor (The Onion Router) anonymity proxy server.

Cryptominer: The IP domains are used for crypto mining.

Spam: The IP domains are used for spam.

Compromised Host: The victim's IP.

Actions