Logz.io Security Analytics accounts come with pre-built views to help you understand the security compromises, vulnerabilities, threats, and events in your system. You can see these security events in Summary, Threats, and Research. Read on for details.
When you first sign in to Logz.io Security Analytics, you’re presented with a 24-hour summary of security events. The heatmap at the top of the page shows the most frequently occurring events. When a correlation rule is triggered, that’s considered a security event.
Moving down the page, you can see the number of events and how many unique correlation rules were triggered. Additionally, you can see the rules broken down by severity and a list of the log messages generated by the events.
Logz.io Security Analytics compares the IP addresses in your logs against publicly available threat feeds of potential bad actors. When a correlation is identified with a specific log message, a threat is flagged in your system and the log is enriched with additional security context. The results are shown here on the Threats page.
The Threats page shows:
- The most active geographic location generating threats
- A severity breakdown
- A detailed list of threats
In the Threat details table (on the lower right), you can click an attacker IP address to show the IP Investigation dashboard. This dashboard gives you a more detailed view of a specific IP address, including each log line that contains this IP address.
The Research page offers the full Kibana experience, so you can dig deep into your security logs and fully understand any events and threats. As with Kibana in your Operations accounts, you can also create your own visualizations and dashboards.
Logz.io Security Analytics also ships with a series of pre-made dashboards for different security use cases. To see the available dashboards, click the Dashboard button in Kibana’s left menu.