Security Events and Traffic Logs
Security Information Event Management (SIEM) systems are solutions that specialize in combining security information and security event information together into a single management platform. The security and event information will originate from 3rd party security solutions that are configured to forward this information to the SIEM.
Multicloud Defense supports viewing security event information directly within the UI. These events are available under the section. The events are categorized and viewable as follows:
|
Category |
Type |
Description |
|---|---|---|
| Flow Logs | FLOW_LOG | Information related to the different stages of a traffic flow |
| Firewall Events | APPID | Traffic matched based on Application ID (OpenAppID) |
| GEOIP | Traffic sourced from or destined to a Geo IP (MaxMind) | |
| L4_FW | Traffic matched based on layer4 information (Source/Dest IP/Port and Protocol) | |
| MALICIOUS_IP | Traffic sourced from or destined to a malicious IP (Trustwave) | |
| SNI | Traffic matched based on SNI information | |
| Network Threats | AV | Traffic where a virus has been detected (ClamAV) |
| DPI | Traffic where an IDS/IPS threat has been detected (TALOS) | |
| DLP | Traffic where sensitive data is being exfiltration | |
| Web Protection | WAF | Traffic where a web application threat has been detected (ModSecurity) |
| L7DOS | Traffic that is contributing to a layer7 DOS attack | |
| URL Filtering | URLFILTER | Traffic that matches a URL category or URL (BrightCloud) |
| FQDN Filtering | FQDNFILTER | Traffic that matches a FQDN category or FQDN (BrightCloud) |
| HTTPS Logs | HTTP_REQUEST | Information related to web-based traffic (HTTP) |
| TLS_ERROR | Information related to TLS errors | |
| TLS_LOG | Information related to TLS behavior | |
| Traffic Summary Logs | SESSION_SUMMARY | Summary information on each processed traffic session |
Note | Flow Logs are deprecated in 2.10 and later gateway releases. The information contained within each flow Log is made available as part of the session information available in . |
Each of the event categories can be sent to a SIEM using a log forwarding profile. The SIEMs currently supported by Multicloud Defense are:
A log forwarding profile can be operated on using the steps outlined below: