CloudGuard Dome9 Help
Build Queries in Log.ic to hunt out specific threats from your VPC and CloudTrail log files.
Log.ic uses queries to filter the information in VPC and CloudTrail logs and search for events of interest. These queries are written in the CloudGuard Dome9 GSL Language, similar to the queries used for Compliance assessments.
Log.ic includes several built-in queries, covering a range of common situations that could apply to your cloud environment. You can use these queries 'out-of-the-box' to quickly visualize traffic on your cloud environments. For example:
- Inbound traffic - shows all inbound traffic
- Rejected traffic - shows all rejected traffic to or from your VPC
- Malicious accepted traffic - shows traffic that was accepted by your network but originated from malicious IP addresses (as determined by threat intelligence sources)
You can also define custom queries, to filter for specific information not covered by built-in queries.
Log.ic has a graphical query builder that you can use to create and test queries. Use this to quickly build queries that are readable and intuitive. Alternatively, you can enter the query directly as text, using the GSL syntax. For example, you can copy the text from an existing query, modify it, and then save it as a new query.
The examples below illustrate how to create queries using both of these methods.
Rules are built up in the Rule GSL box, based on the entities and operators that appear below the box. The set of entities and operators shown changes incrementally according to the context of the query as you develop it.
- Select your cloud account from the dropdown list in the upper right corner.
- Select the timeframe. The query will search for and retrieve events in this period of time.
- Select. This opens the GSL builder page. The rule is built in the Rule GSL box, on the left. You build the rule incrementally. At each stage, the entities that you can select are shown under the box (according to the context of the rule as it is being built). On the right is a dictionary of all the entities you can select, and the data type for each (use this when creating a rule using Free Text).
- Select the source (vpcfl or cloudtrail). This is the first item to be selected in a GSL rule, and is the AWS source of the log information. Vpcfl logs are used for network queries, and Cloudtrail logs for account activity queries.
- Next, select a condition (where). This is the only option at this stage. After this, you can select the left parenthesis, to open a clause, or a property (of the source entity).
- Select a property from those shown (status, protocol, action, src, etc.). In this example, select src. You can then select additional properties to qualify the src property.
- Select another property to qualify src. In this example, select address, giving src.address.
- Select an operator (=, like, regexMatch) and an argument. In this example, select the function isPublic(), which does not require an operator. This gives the query vpcfl where src.address isPublic().
- Click to run the query. The results show all traffic that originates from a public IP address. The results appear in the Network Log Explorer view.
- Click to return to the query builder, or to save it.
- To delete a clause in the query, hover over it and click .
You can enter the text for a query directly in the Free Text box. To create the same query as in the previous example,
- Select the Free Text tab.
- Enter the text of your query in the text box. For example, enter
vpcfl where src.geolocation.countryname='China' and action='ACCEPT' or protocol isPrivate() or packets isEmpty()
- Click to run the query.
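Two further queries in the same GSL syntax, added here as illustrations for both the builder procedure and the Free Text procedure above; they are not taken from the Dome9 documentation. They use only the source, properties, operators and functions named on this page. The action value 'REJECT' is an assumption (VPC Flow Logs record each flow as ACCEPT or REJECT, and the page shows only 'ACCEPT'), and the parentheses in the second query are there to make the and/or grouping explicit instead of relying on whatever precedence GSL applies.

```gsl
vpcfl where action='REJECT' and src.address isPublic()

vpcfl where action='ACCEPT' and (src.address isPublic() or src.geolocation.countryname='China')
```

The first query narrows the built-in Rejected traffic view to flows whose source lies outside private address space. The second is the kind of check to apply to the free-text example above: that example chains and and or without parentheses, so whether action='ACCEPT' also constrains the country clause depends on operator precedence, which the builder does not show; grouping the clauses yourself removes the ambiguity.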
You can save a query as a Log.ic Alert and then use this alert in a ruleset and Log.ic policy. Log.ic will continuously apply this policy to the accounts associated with it, and generate findings for alerts that are discovered.
You do this from the Log.ic Explorer view, once you have developed the query you are interested in.