Security Events and Traffic Logs
Security Information and Event Management (SIEM) systems combine security information and security event data from many sources into a single management platform. That data originates from third-party security solutions (firewalls, gateways, endpoint agents and so on) that are configured to forward it to the SIEM.
Multicloud Defense supports viewing security event information directly within the UI. These events are available under the section. The events are categorized and viewable as follows:
| Category | Type | Description |
|---|---|---|
| Flow Logs | FLOW_LOG | Information related to the different stages of a traffic flow |
| Firewall Events | APPID | Traffic matched based on Application ID (OpenAppID) |
| Firewall Events | GEOIP | Traffic sourced from or destined to a Geo IP location (MaxMind) |
| Firewall Events | L4_FW | Traffic matched based on layer 4 information (source/destination IP, port and protocol) |
| Firewall Events | MALICIOUS_IP | Traffic sourced from or destined to a malicious IP (Trustwave) |
| Firewall Events | SNI | Traffic matched based on SNI information |
| Network Threats | AV | Traffic where a virus has been detected (ClamAV) |
| Network Threats | DPI | Traffic where an IDS/IPS threat has been detected (Talos) |
| Network Threats | DLP | Traffic where sensitive data is being exfiltrated |
| Web Protection | WAF | Traffic where a web application threat has been detected (ModSecurity) |
| Web Protection | L7DOS | Traffic that is contributing to a layer 7 DoS attack |
| URL Filtering | URLFILTER | Traffic that matches a URL category or URL (Talos) |
| FQDN Filtering | FQDNFILTER | Traffic that matches an FQDN category or FQDN (Talos) |
| HTTPS Logs | HTTP_REQUEST | Information related to web-based traffic (HTTP) |
| HTTPS Logs | TLS_ERROR | Information related to TLS errors |
| HTTPS Logs | TLS_LOG | Information related to TLS behavior |
| Traffic Summary Logs | SESSION_SUMMARY | Summary information on each processed traffic session |
Note
Flow Logs are deprecated in gateway release 2.10 and later. The information previously contained in each Flow Log is made available as part of the session information available in .
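A practical check once these events are forwarded to a SIEM is to confirm that every gateway is actually still sending them, since a broken or silently dropped log forwarding profile looks exactly like a quiet network. The script below is an added example, not Cisco or Multicloud Defense code. It assumes the SIEM exposes the forwarded events as newline-delimited JSON with the fields `ts`, `gateway`, `gateway_version` and `type` (the real forwarded record layout is not shown on this page, so map your SIEM's field names onto these), and it treats SESSION_SUMMARY as the baseline signal that a gateway is forwarding at all, with FLOW_LOG expected only from gateways older than 2.10, per the note above. Threat categories are counted but never required, because their absence only means nothing was detected. The sample export is constructed data with made-up gateway names.

```python
"""Forwarding-gap check over Multicloud Defense security events.

Added example, not Cisco or Multicloud Defense code. Assumes an NDJSON
export with fields ts (ISO-8601 UTC), gateway, gateway_version, type.
"""
import json
from datetime import datetime, timedelta, timezone

# Event type -> category, as listed in the table above.
TYPE_TO_CATEGORY = {
    "FLOW_LOG": "Flow Logs",
    "APPID": "Firewall Events", "GEOIP": "Firewall Events",
    "L4_FW": "Firewall Events", "MALICIOUS_IP": "Firewall Events",
    "SNI": "Firewall Events",
    "AV": "Network Threats", "DPI": "Network Threats", "DLP": "Network Threats",
    "WAF": "Web Protection", "L7DOS": "Web Protection",
    "URLFILTER": "URL Filtering",
    "FQDNFILTER": "FQDN Filtering",
    "HTTP_REQUEST": "HTTPS Logs", "TLS_ERROR": "HTTPS Logs", "TLS_LOG": "HTTPS Logs",
    "SESSION_SUMMARY": "Traffic Summary Logs",
}

# Assumption: a forwarding gateway always emits session summaries and, before
# the 2.10 deprecation, flow logs. Threat categories are event-driven, so
# their absence is not evidence of a forwarding problem.
BASELINE_CATEGORIES = ("Traffic Summary Logs", "Flow Logs")
FLOW_LOG_DEPRECATED_FROM = (2, 10)  # per the note above

# Constructed sample export (not real data); gateway names are made up.
SAMPLE_EXPORT = """\
{"ts": "2024-05-01T12:00:00Z", "gateway": "gw-a", "gateway_version": "2.9.1", "type": "FLOW_LOG"}
{"ts": "2024-05-01T12:01:00Z", "gateway": "gw-a", "gateway_version": "2.9.1", "type": "SESSION_SUMMARY"}
{"ts": "2024-05-01T12:02:00Z", "gateway": "gw-b", "gateway_version": "2.10.0", "type": "SESSION_SUMMARY"}
{"ts": "2024-05-01T12:03:00Z", "gateway": "gw-b", "gateway_version": "2.10.0", "type": "WAF"}
{"ts": "2024-05-01T12:03:30Z", "gateway": "gw-b", "gateway_version": "2.10.0", "type": "BOGUS_TYPE"}
{"ts": "2024-05-01T09:00:00Z", "gateway": "gw-c", "gateway_version": "2.9.0", "type": "FLOW_LOG"}
{"ts": "2024-05-01T12:04:00Z", "gateway": "gw-c", "gateway_version": "2.9.0", "type": "SESSION_SUMMARY"}
{"ts": "2024-05-01T09:05:00Z", "gateway": "gw-d", "gateway_version": "2.11.0", "type": "WAF"}
"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)
SAMPLE_MAX_SILENCE = timedelta(minutes=15)


def parse_version(version: str) -> tuple:
    """'2.10.0' -> (2, 10); only major.minor matter for the deprecation check."""
    return tuple(int(p) for p in version.split(".")[:2])


def categorize(event_type: str) -> str:
    """Map a forwarded type onto its category; unknown types are kept, not dropped."""
    return TYPE_TO_CATEGORY.get(event_type, "Unknown")


def parse_export(text: str) -> list:
    """Parse NDJSON into normalized event dicts with aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "gateway": rec["gateway"],
            "version": parse_version(rec["gateway_version"]),
            "type": rec["type"],
            "category": categorize(rec["type"]),
        })
    return events


def baseline_for(version: tuple) -> set:
    """Categories every forwarding gateway of this version should emit."""
    cats = set(BASELINE_CATEGORIES)
    if version >= FLOW_LOG_DEPRECATED_FROM:
        cats.discard("Flow Logs")  # folded into SESSION_SUMMARY from 2.10 on
    return cats


def count_by_category(events: list) -> dict:
    counts = {}
    for e in events:
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return counts


def find_forwarding_gaps(events: list, now: datetime, max_silence: timedelta) -> list:
    """Return (gateway, category, reason) for baseline categories that are missing or stale."""
    latest, versions = {}, {}
    for e in events:
        key = (e["gateway"], e["category"])
        if key not in latest or e["ts"] > latest[key]:
            latest[key] = e["ts"]
        # If a gateway was upgraded mid-window, judge it by its newest version.
        versions[e["gateway"]] = max(versions.get(e["gateway"], (0, 0)), e["version"])
    gaps = []
    for gw in sorted(versions):
        for cat in sorted(baseline_for(versions[gw])):
            seen = latest.get((gw, cat))
            if seen is None:
                gaps.append((gw, cat, "never seen"))
            elif now - seen > max_silence:
                gaps.append((gw, cat, "last seen " + seen.isoformat()))
    return gaps


def run_sample() -> list:
    return find_forwarding_gaps(parse_export(SAMPLE_EXPORT), SAMPLE_NOW, SAMPLE_MAX_SILENCE)


if __name__ == "__main__":
    print(count_by_category(parse_export(SAMPLE_EXPORT)))
    for gateway, category, reason in run_sample():
        print(f"GAP {gateway}: no recent {category} ({reason})")
```

In the constructed sample, gw-b is on 2.10.0 and sends no FLOW_LOG, which is correct and not flagged; gw-c is on 2.9.0 and its last FLOW_LOG is three hours old, so it is reported; gw-d has only a WAF event and no session summaries at all, so it is reported as never seen. Unknown types such as the made-up BOGUS_TYPE are surfaced under an "Unknown" category rather than discarded, so a new event type added by a gateway release shows up in the counts instead of vanishing.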
Each of the event categories can be sent to a SIEM using a log forwarding profile. The SIEMs currently supported by Multicloud Defense are:
A log forwarding profile can be created, edited, viewed and deleted using the procedures outlined below:
Create a Standalone Event or Traffic Log Profile
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: Specify a Profile Name and Description.
Step 4: Specify Type as Standalone.
Step 5: Fill in the appropriate parameters (refer to the SIEM-specific documentation).
Step 6: Click Save.
Step 7: Add the desired Gateway Associations (refer to Add a Gateway Association).
Edit a Standalone Event or Traffic Log Profile
Procedure
Step 1: Navigate to .
Step 2: Check the box next to the Profile you want to edit.
Step 3: Click Edit.
Step 4: Modify the parameters as desired (refer to the SIEM-specific documentation).
Step 5: Click Save.
Create a Group Event or Traffic Log Profile
Procedure
Step 1: Navigate to .
Step 2: Click Create.
Step 3: Specify a Profile Name and Description.
Step 4: Specify Type as Group.
Step 5: Add as many rows as needed to accommodate the number of standalone profiles you want to group.
Step 6: Click Save.
Step 7: Add the desired Gateway Associations (refer to Add a Gateway Association).
Edit a Group Event or Traffic Log Profile
Procedure
Step 1: Navigate to .
Step 2: Check the box next to the Profile you want to edit.
Step 3: Click Edit.
Step 4: Modify, add or remove the Standalone Profiles in the group.
Step 5: Click Save.
View an Event or Traffic Log Forwarding Profile
Procedure
Step 1: Navigate to .
Step 2: Click the link of the Profile whose details you want to view.
Step 3: Review the Details information.
Delete an Event or Traffic Log Profile
Use the following procedure to delete the profile from your dashboard:
Before you begin
You must remove the association between the event or traffic log profile and the gateway before you delete the profile from your dashboard. See Remove a Gateway Association for more information.
Procedure
Step 1: Navigate to .
Step 2: Check the box next to the Profile you want to delete.
Step 3: Click Delete.
Step 4: Confirm the delete operation by clicking Yes, or click No to cancel.