Investigator

Overview

When a security signal alerts on suspicious activity by a user or a resource, some commonly asked questions during the investigation include:

  • Is the user accessing other accounts?
  • What other actions did the user take around that specific time frame?
  • What are all the actions taken on a resource by the user?
  • What users have interacted with this resource?

For example, suppose you receive a security signal that someone changed the configuration of an Amazon S3 bucket so that it is accessible by everyone, but the action was taken by an assumed role. To investigate, look into who took the action and what other activities they did recently, as that could indicate compromised credentials.

The Cloud SIEM Investigator provides a graphical interface for you to pivot from one affected entity to another, so that you can see user behavior and its impact on your environment.
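The pivots the Investigator performs can be reproduced over raw audit events. The following added example (not code from the Datadog documentation or product) runs over a handful of constructed audit records and answers the four questions listed above, including attributing an action taken through an assumed-role session back to the user who assumed the role; the field names and values are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (illustrative, not real log data). Each record is
# what a cloud audit log would show: the acting identity, the action, the target, the account.
EVENTS = [
    {"time": "2024-04-30T08:00:00", "actor": "bob", "action": "DescribeInstances", "resource": "ec2", "account": "111"},
    {"time": "2024-05-01T09:55:00", "actor": "bob", "action": "AssumeRole", "resource": "session:ops-admin-7f2a", "account": "111"},
    {"time": "2024-05-01T10:02:00", "actor": "session:ops-admin-7f2a", "action": "PutBucketAcl", "resource": "s3://customer-data", "account": "222"},
    {"time": "2024-05-01T10:05:00", "actor": "session:ops-admin-7f2a", "action": "ListBuckets", "resource": "s3", "account": "222"},
    {"time": "2024-05-01T10:20:00", "actor": "bob", "action": "ConsoleLogin", "resource": "console", "account": "111"},
    {"time": "2024-05-01T14:00:00", "actor": "carol", "action": "GetObject", "resource": "s3://customer-data", "account": "222"},
]

def _t(e):
    return datetime.fromisoformat(e["time"])

def session_owners(events):
    """Map each assumed-role session to the identity that created it (from AssumeRole events)."""
    return {e["resource"]: e["actor"] for e in events if e["action"] == "AssumeRole"}

def resolve(events):
    """Attribute every event to its originating user by following AssumeRole chains."""
    owners = session_owners(events)
    out = []
    for e in events:
        user, seen = e["actor"], set()
        while user in owners and user not in seen:  # stop on malformed cycles
            seen.add(user)
            user = owners[user]
        out.append({**e, "user": user})
    return out

def accounts_for(events, user):
    """Is the user accessing other accounts? -> all accounts the user acted in."""
    return sorted({e["account"] for e in resolve(events) if e["user"] == user})

def actions_around(events, user, at, minutes=30):
    """What else did the user do within +/- `minutes` of the time `at`?"""
    centre, win = datetime.fromisoformat(at), timedelta(minutes=minutes)
    return sorted((e["time"], e["action"], e["resource"]) for e in resolve(events)
                  if e["user"] == user and abs(_t(e) - centre) <= win)

def actions_on(events, user, resource):
    """What are all the actions taken on a resource by the user?"""
    return [e["action"] for e in resolve(events) if e["user"] == user and e["resource"] == resource]

def users_of(events, resource):
    """What users have interacted with this resource?"""
    return sorted({e["user"] for e in resolve(events) if e["resource"] == resource})
```

Here the PutBucketAcl on s3://customer-data in account 222 is attributed to bob, who assumed the role seven minutes earlier from account 111, which is exactly the pivot the S3 example above calls for.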

Visualize and investigate the activity

  1. Navigate to Security > Cloud SIEM and click the Investigator tab. To investigate GCP or Azure activity, then click the GCP or Azure tab.

  2. Select an entity type in the In field dropdown menu.

  3. Select an entity or enter a specific entity name in the Investigate field to see a diagram of the activities associated with the entity.

  4. Click on a node and select View related logs or View in Log Explorer to see the related logs. Use the and filter by dropdown menu to filter by actions.

You can also navigate to the Cloud SIEM Investigator directly from a security signal. In the security signal panel, click Investigate user activity (where user is the user identity in question) to see the Investigator view filtered to the specific user identity.
