Cloud SIEM scans logs for malicious IPs using threat feeds as threat intelligence sources and enriches the original logs. The Threats Overview dashboard aggregates all suspected IPs from all sources in a single dashboard.
You can filter the dashboard by feed name, feed confidence, or country of origin. You can also filter by log type to check for malicious IPs reported by a specific security product.
Once you are ready to investigate a particular IP, click the IP drilldown link. It will lead you to the IP Investigation dashboard for the selected IP. There you’ll be able to see the details of its activity in your environments and investigate the original logs for further information.
Logz.io enriches logs with appearances of malicious and suspected IPs, DNSs, and URLs, to make them easier and faster to track, investigate, and remediate. Below is the list of enrichment fields.
|logzio_security.ioc.malicious_ip||The malicious or suspected IP. It is also a drilldown link. Click on it to open the IP Investigation dashboard and quickly pull up the relevant logs and a summary of the IP’s activity.|
|logzio_security.origin_feeds||The name of the threat intelligence feed that defined the IP as malicious. To research the feed, the last time the feed was synced, and more, go to Threats > Threat Intelligence Feeds from the top menu and review the feed information.|
|logzio_security.severity||Threats are ranked by severity on a scale of 1-5, 5 being the highest, to help reduce false-positives and to promote response to higher-risk threats. Severity is extrapolated from the feed’s confidence. Feed confidence is determined by Logz.io and is not configurable.|
|logzio_security.context||Additional context as provided by the threat intelligence feed.|