Tutorial: Send only Cyber Shield log events of interest to your SIEM

Abstract

This tutorial describes a use case for the customization rules for Cyber Shield log events.

CloudConnexa Log Streaming writes logs to your AWS S3 bucket. Your SIEM or other log collection systems can then ingest these logs.

The volume of Cyber Shield log events streamed for a large, busy CloudConnexa deployment can be overwhelming. Log streaming configuration lets you customize, at the source, which Cyber Shield log events are streamed, rather than streaming everything and filtering for the relevant events in your Security Information and Event Management (SIEM) system.

Here are some examples of how you can use the customization rules to home in on just the Cyber Shield log events that are important to you.

  • Network Focus: Of all the networks connected to your WPC, you may be interested in the Cyber Shield Blocked Domain or Blocked Traffic log events from just a few, or from all the connected networks except a few. For example, you want Cyber Shield log events from only the connected 'HQ network', or from all connected networks except the 'HQ network'.

  • User Group Focus: Of all the User Groups connecting to your WPC, you may be interested in the Cyber Shield Blocked Domain or Blocked Traffic log events from just a few, or from all the User Groups except a few. For example, you want Cyber Shield log events from only the users in the 'Contractor' User Group, or from all User Groups except the 'Management' User Group.

  • Host Focus: Of all the Hosts connected to your WPC, you may be interested in the Cyber Shield Blocked Domain or Blocked Traffic log events from just a few, or from all the connected Hosts except a few. For example, you want Cyber Shield log events from only the Hosts named 'webserver' and 'ftpserver', or from all Hosts except the Host named 'news_server'.

To configure the customization rules, refer to Customize the streamed log events.