CloudGuard Dome9 Help
The Log.ic Explorer
CloudGuard Log.ic is a tool to search for and visualize events of interest in the network traffic or event activity of AWS cloud accounts. It gathers and presents information from AWS logs for the cloud accounts, enriched with information from additional sources such as threat intel feeds, and IP reputation and geolocation databases.
The Log.ic Explorer visualizes the log information in an intuitive, near-realtime view. There are two main views in the Explorer. You can view network activity, from VPC flow logs, in the Network Logs view, or activity on your account resources, from CloudTrail logs, in the Account Activity view.
The Explorer shows information based on queries. Log.ic includes many built-in queries for a variety of scenarios, which you can select. You can also build custom queries, using the intuitive Dome9 GSL query language. See Log.ic Queries for more about queries. With Log.ic you can:
- quickly identify unwanted network traffic, from unknown or suspicious sources
- identify gaps in cloud security settings or misconfigurations
- monitor and analyze user activity on your cloud environments for unusual behavior
Log.ic Explorer Views
The Explorer has these views, showing different types of activity in your account.
The Network Logs view shows you a visualization of network traffic in your cloud environment. You can use this to identify traffic from unwanted sources, or gaps in network security settings (which you can then fix using other features of Dome9), as well as activity
Log.ic analyzes network flow logs to visualize the activity on your cloud network. You use queries to filter this information to show traffic of interest. Dome9 has included many common queries with Log.ic, and you can create additional custom queries with a graphical query builder based on the Dome9 Governance Specification Language (GSL).
Log.ic combines cloud inventory and configuration information with real-time monitoring data from a variety of sources, including VPC Flow Logs, CloudTrail, GuardDuty, and Inspector, as well as current threat intelligence feeds and IP reputation and geolocation databases. The result is an enhanced visualization that distinguishes suspicious traffic from legitimate traffic. For example, sources of network traffic from other AWS elements are shown according to type, and malicious external sources are marked as such.
Log.ic can give you near real-time views of network activity. You can also view and analyze past network activity. You can configure it to send you real-time alerts for specific events or event types that occur in your cloud environment, so that you will be aware and able to respond immediately.
The Account Activity view shows activity on your cloud account resources, based on AWS CloudTrail logs.
This view shows network logs filtered by a query.
- Navigate to the Log.ic Explorer page in the Log.ic menu.
- In the Welcome page, click Start Now for Explore Network activity, and then select the AWS account.
- The Network Activity Explorer page opens, showing, initially, the default query applied to the flow logs of the account.
- Click the button in the upper left to open the Query menu.
- Select a Query from the list of queries. A description of the query, and the GSL syntax for it, are shown on the right.
- Click Select this query. The Explorer page will be refreshed, with the selected query applied to the log data for the account.
This view has the following elements:
- The query is shown at the top:
- The account on which the query is applied, and the time frame, are in the upper right. The time frame is the period of time back from the present time for traffic to be included in the query. To change the account and/or time frame for the view, select a new value from the list, and then click START.
The central part of the view shows entities in the cloud account, and the network traffic with them, based on the query and the time frame. The entities are grouped into three zones, External, DMZ, and Internal, according to the exposure of the entity to the internet (this is similar to the Clarity view). External entities are exposed (have internet addresses), while Internal entities have no exposure to the internet.
Statistics for the displayed network traffic are shown in the pane on the right. The statistics are based on the nature of the query (in the example below, the query filters for malicious traffic). Many elements of the statistics are links to further information.
You can control the view with these controls:
- zoom: select a point in the center section of the view, and use your mouse scroll wheel to zoom the display in or out.
- select an entity in the view, to show details, in the pane on the right. Many details are links, to additional information.
Click in the central part of the view (not on an entity), to return to the previous view, of all entities.
- Use Group entities (declutter) to reduce clutter in the view. In the example below, entities are grouped by VPC.
Click on one of the groups. The pane on the right shows a list of entities in the group.
You can examine the actual log information for a selected entity. The information is based on the flow logs, but enriched by Dome9 with additional contextual information.
Select an entity in the view, and then click OPEN LOGS in the pane on the right.
Logs for the selected entity will be shown in a new tab.
Click on an entry to show more detail.
The logs are selected using a query, shown at the top of the view. Click to edit the query.
Run a Query that is marked to show account activity in the Account Activity view. The results of the query are shown in the Account Activity Explorer view, for the selected account.
The view shows a list of events, with details about source, user, and type. The statistics pane on the right shows summary details for all events in the view.
Click on an entry to show more detail.