CloudGuard Dome9 Help

Log.ic Queries

Build Queries in Log.ic to hunt out specific threats from your VPC and CloudTrail log files.

Queries

Log.ic uses sophisticated queries to filter the information in VPC Flow Logs and CloudTrail logs, so that you can search for specific information or events of interest. These queries are built with the CloudGuard Dome9 GSL Language, similar to the queries used for Compliance assessments.

Log.ic includes several built-in queries, covering a range of common situations that could apply to your cloud environment. You can use these queries 'out-of-the-box' to quickly visualize traffic on your cloud environments. For example:

Inbound traffic - shows all inbound traffic to your VPC

Rejected traffic - shows all rejected traffic to or from your VPC

Malicious accepted traffic - shows traffic that was accepted by your network but originated from malicious IP addresses (as determined by threat intelligence sources)
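To make the three built-in queries concrete, the following added Python example (not Log.ic code and not GSL; written for this page) applies the same three filters to constructed VPC Flow Log records in the AWS default field order. It assumes a VPC address space of 10.0.0.0/16 and a small constructed threat-intelligence list standing in for the real feeds.

```python
import ipaddress

# Constructed sample VPC Flow Log records (AWS default v2 field order); not from the page.
# The last line is a NODATA record, which carries '-' in place of addresses.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 44321 22 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40000 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.4 10.0.1.10 33000 80 6 5 500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 55555 445 6 2 120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Assumptions for the example: the VPC's address space and a constructed threat-intel list.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
MALICIOUS_IPS = {"203.0.113.5", "192.0.2.44"}

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_logs(text: str) -> list:
    """Parse default-format flow log lines into dicts, skipping malformed and NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":  # no usable addresses/action in these records
            continue
        records.append(record)
    return records


def inbound_traffic(records: list) -> list:
    """'Inbound traffic': source outside the VPC, destination inside it."""
    return [r for r in records
            if ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR
            and ipaddress.ip_address(r["dstaddr"]) in VPC_CIDR]


def rejected_traffic(records: list) -> list:
    """'Rejected traffic': flows denied by a security group or network ACL, in either direction."""
    return [r for r in records if r["action"] == "REJECT"]


def malicious_accepted_traffic(records: list) -> list:
    """'Malicious accepted traffic': ACCEPTed flows whose source is on the threat-intel list."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["srcaddr"] in MALICIOUS_IPS]
```

The malicious-accepted filter is the one worth alerting on: those flows were allowed by your security groups, so the finding points at a rule that is too permissive rather than at a blocked probe.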

You can also define custom queries to filter for specific information not covered by the built-in queries.

Build Queries

Log.ic has a graphical query builder that you can use to create and test queries. Use this to quickly build queries that are readable and intuitive. Alternatively, you can enter the query directly as text, using the GSL syntax. For example, you can copy the text from an existing query, modify it, and then save it as a new query.

The examples below illustrate how to create queries using both of these methods.