Alerts and Analysis – Cisco Cloud Security

Alerts and Analysis

Based on the combination of roles, observations, and other threat intelligence, Secure Cloud Analytics generates alerts, which are actionable items that represent possible malicious behavior as identified by the system.

To build on the previous example, a New Internal Device observation on its own does not constitute possible malicious behavior. However, over time, if the entity transmits traffic consistent with a domain controller, the system assigns the Domain Controller role to the entity. If the entity subsequently establishes a connection to an external server it has not communicated with before, using unusual ports, and transfers a large amount of data, the system logs a New Large Connection (External) observation and an Exceptional Domain Controller observation. If that external server is also on a Talos watchlist, the combination of all this information leads Secure Cloud Analytics to generate an alert for this entity's behavior, prompting you to investigate and remediate the malicious behavior.

When you open an alert in the Secure Cloud Analytics web portal UI, you can view the supporting observations that led the system to generate the alert. From these observations, you can also view additional context about the entities involved, including the traffic they transmitted, and external threat intelligence if it is available. You can also see other observations and alerts that entities were involved with, and you can determine if this behavior is tied to other potentially malicious behavior.

Public Cloud Monitoring Configuration for Amazon Web Services

Cisco Secure Cloud Analytics public cloud monitoring is a visibility, threat identification, and compliance service for Amazon Web Services (AWS). Secure Cloud Analytics consumes network traffic data, including virtual private cloud (VPC) flow logs, from your AWS public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Secure Cloud Analytics consumes VPC flow logs directly from your AWS account using a cross-account IAM role with the proper permissions. In addition, Secure Cloud Analytics can consume other sources of data, like CloudTrail and IAM (Identity and Access Management), for additional context and monitoring. Figure 8-37 illustrates the Cisco validated design for AWS three-tier architecture.

Figure 8-37 Cisco validated design for AWS three-tier architecture

To configure an S3 bucket to store your flow logs and configure Secure Cloud Analytics to ingest them, follow these steps:

1. In AWS, enable VPC flow logging for a VPC and then configure an S3 bucket to which you export the flow logs.

2. In AWS, configure an IAM access policy and IAM role to allow Secure Cloud Analytics the permission to access and ingest the flow logs.

3. In the Secure Cloud Analytics web portal UI, update the configuration with the S3 bucket and IAM role to enable AWS flow log data ingestion.
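As an added example (not Cisco's own configuration), the following Python builds the two IAM documents that step 2 calls for, the role trust policy that lets the Secure Cloud Analytics account assume the role and a read-only policy scoped to the flow-log bucket, and checks the trust policy for the weaknesses that turn a cross-account role into an open door. Account IDs, bucket name and external ID are placeholders, and the S3 actions are an assumed minimum; the authoritative values come from the Secure Cloud Analytics portal.

```python
# Added example: build and sanity-check the cross-account IAM documents from step 2.
# Account IDs, bucket name and external ID are placeholders; the S3 actions are an
# assumed minimum, not Cisco's published permission list.
import json
from typing import List, Optional

MY_ACCOUNT = "111111111111"          # placeholder: your AWS account
SCA_ACCOUNT = "222222222222"         # placeholder: account shown in the SCA portal
EXTERNAL_ID = "example-external-id"  # placeholder: value issued by the SCA portal
BUCKET = "example-vpc-flow-logs"     # placeholder: bucket created in step 1


def trust_policy(sca_account: str, external_id: Optional[str]) -> dict:
    """Trust relationship for the role that Secure Cloud Analytics assumes.
    The sts:ExternalId condition is what prevents the confused-deputy problem
    in cross-account access; passing None models the weak configuration."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{sca_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def flow_log_read_policy(bucket: str) -> dict:
    """Read-only access limited to the flow-log bucket (assumed minimum)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def trust_policy_findings(policy: dict) -> List[str]:
    """Flag the two common weaknesses in a cross-account trust policy."""
    findings = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("principal is wildcard: any AWS account could assume the role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings


if __name__ == "__main__":
    print("weak:", trust_policy_findings(trust_policy(SCA_ACCOUNT, None)))
    print("good:", trust_policy_findings(trust_policy(SCA_ACCOUNT, EXTERNAL_ID)))
    print(json.dumps(flow_log_read_policy(BUCKET), indent=2))
```

Run the checker against the trust policy you actually attach to the role; an empty findings list is the expected result for a correctly scoped cross-account role.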
