CloudGuard Dome9 Help

Log.ic Overview


CloudGuard Log.ic allows you to visualize and analyze network activity and traffic into and out of your cloud environment. With this, you can identify traffic from unwanted sources, or gaps in network security settings (which you can then fix using other features of the Dome9 console).

Log.ic analyzes network flow logs to visualize the activity on your cloud network, and uses queries to show you traffic of interest. Dome9 has included many common queries with Log.ic, and you can create additional custom queries with a graphical query builder based on the Dome9 Governance Specification Language (GSL).

Log.ic combines cloud inventory and configuration information with real-time monitoring data from a variety of sources, including VPC Flow Logs, CloudTrail and AWS Inspector, as well as current threat intelligence feeds, IP reputation and geolocation databases. The result is an enriched visualization that distinguishes suspicious traffic from legitimate traffic. For example, sources of network traffic from other AWS elements are shown according to type, and malicious external sources are marked as such. Similarly, outbound network traffic from your account to a suspicious external destination on the internet will

Log.ic can give you near real-time views of network activity. You can also view and analyze past network activity. You can configure Log.ic to send you real-time alerts for specific events or event types that occur in your cloud environment, so that you are aware of them and able to respond immediately.
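The enrichment described above (flow records joined with network context and an IP reputation list, so that traffic from marked sources stands out) can be sketched in a few dozen lines. The following is an added example written for this page, not Log.ic or Dome9 code: it parses default-format AWS VPC Flow Log records, labels each address against a constructed set of known ranges, checks both ends against a constructed reputation list, and classifies the flow. The flow-log lines, the `BAD_REPUTATION` entries, the `NETWORK_LABELS` ranges and the `ADMIN_PORTS` set are all constructed for the demo (TEST-NET addresses, not real indicators).

```python
"""Enrich AWS VPC Flow Log records with network context and an IP
reputation list. Added example, not CloudGuard/Dome9 code. All flow-log
lines, reputation entries and CIDR labels below are constructed."""
import ipaddress
from dataclasses import dataclass

# Default VPC Flow Log (version 2) field order as documented by AWS.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed context: the VPC's own range plus a labelled partner range.
NETWORK_LABELS = {
    ipaddress.ip_network("10.0.0.0/16"): "vpc-internal",
    ipaddress.ip_network("203.0.113.0/24"): "partner",
}
# Constructed reputation feed (not real indicators).
BAD_REPUTATION = {"198.51.100.7": "known-scanner"}
# Constructed list of ports that should not be reachable from the internet.
ADMIN_PORTS = {22, 3389}

@dataclass
class Flow:
    src: str
    dst: str
    dstport: int
    action: str
    direction: str   # internal / inbound / outbound / external
    verdict: str     # ok / blocked / suspicious
    reason: str

def label(addr: str) -> str:
    """Map an address to a context label; anything unmatched is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for net, name in NETWORK_LABELS.items():
        if ip in net:
            return name
    return "internet"

def parse_line(line: str) -> dict:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def enrich(rec: dict) -> Flow:
    src, dst = rec["srcaddr"], rec["dstaddr"]
    src_label, dst_label = label(src), label(dst)
    in_src, in_dst = src_label == "vpc-internal", dst_label == "vpc-internal"
    direction = ("internal" if in_src and in_dst else "outbound" if in_src
                 else "inbound" if in_dst else "external")
    port = int(rec["dstport"])
    verdict, reason = "ok", ""
    hit = BAD_REPUTATION.get(src) or BAD_REPUTATION.get(dst)
    if hit:
        side = "source" if src in BAD_REPUTATION else "destination"
        if rec["action"] == "ACCEPT":
            verdict, reason = "suspicious", f"{direction} flow, {side} is {hit}"
        else:  # the security group / NACL already rejected it; record, don't alarm
            verdict, reason = "blocked", f"rejected {direction} flow, {side} is {hit}"
    elif (direction == "inbound" and src_label == "internet"
          and rec["action"] == "ACCEPT" and port in ADMIN_PORTS):
        verdict, reason = "suspicious", f"internet source accepted on admin port {port}"
    return Flow(src, dst, port, rec["action"], direction, verdict, reason)

def triage(lines):
    """Parse, skip records carrying no flow data (NODATA/SKIPDATA), enrich the rest."""
    flows = []
    for line in lines:
        rec = parse_line(line)
        if rec["log_status"] != "OK":
            continue
        flows.append(enrich(rec))
    return flows

def summarize(flows):
    counts = {}
    for f in flows:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts

SAMPLE_LOG = [  # constructed records, one interface, TEST-NET external addresses
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 54321 22 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.7 44444 443 6 20 3000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 50000 443 6 5 400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 40000 5432 6 9 700 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.20 40001 3389 6 1 60 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40002 3389 6 1 60 1700000000 1700000060 REJECT OK",
]

if __name__ == "__main__":
    flows = triage(SAMPLE_LOG)
    for f in flows:
        print(f"{f.verdict:10} {f.direction:8} {f.src} -> {f.dst}:{f.dstport}  {f.reason}")
    print(summarize(flows))
```

Two details matter when doing this on real logs: records whose `log-status` is `NODATA` or `SKIPDATA` carry dashes instead of addresses and must be skipped before any address parsing, and a reputation hit on a rejected flow is worth recording but is a different signal from an accepted one, which is why the example keeps a separate `blocked` verdict.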

Benefits

  • near real-time view of events
  • fine-tuned queries for specific events and threat hunting
  • enriched contextual information from various log sources allows you to gain a quicker and clearer understanding of events that occur on your network

Use Cases

1. Streamline Network Security Operations: With CloudGuard Log.ic you can conduct network operations such as:

  • Review your security architecture based on real-time traffic analysis
  • Gain visibility into your traffic flow
  • Troubleshoot and identify misconfigurations that are causing intrusions and policy violations
  • Identify unusual account activity
  • Detect malicious sources that are sending traffic to your network assets

2. Reduce mean time for threat detection: On average, it takes about 200 days for incident responders to detect a breach. With CloudGuard Log.ic, you can identify and zoom in on a suspected asset and understand the full context from both a configuration and a traffic activity perspective, thereby reducing your mean time to detect threats.

3. Detect Privilege Escalation/Credential Compromise: Dome9 has the full context of your account activity and the types of assets in your environment. Using CloudGuard Log.ic, you can create lists of asset types that shouldn't be instantiated. If someone obtains unauthorized privileges and launches an expensive EC2 instance of such a type (for example, to run crypto-mining operations or to steal API keys), CloudGuard Log.ic can detect the unauthorized IAM change or the traffic of that specific EC2 type and immediately provide detailed alerts.

4. Expedite and assist in Compliance Validation: Using the Explorer, you can see a live action replay of traffic that can be used to prove that your cloud environment is adhering to various compliance standards (control effectiveness).

5. Detect unusual or abnormal use of your cloud resources, network activity, logins, etc. For example, detect activity from forbidden geographic locations, suspicious port usage, or abnormal login/authentication attempts.

See also

Log.ic Queries

Visualize Activity

Log.ic Alerts