Getting Started with Warden Threat Detection

1. What is Warden Threat Detection

Warden Threat Detection monitors your cloud infrastructure logs 24/7 and analyzes logs from your infrastructure to perform UEBA to detect anomalies after learning the normal behavior of the users in the organization. It establishes a baseline for each organization or each user based on their previous activity patterns. It can detect any anomalous behavior when there are deviations from these “normal baseline” patterns. It can be due to a credential compromise, cryptojaking, or could be an early sign of insider threats. Read more

2. Setting up Threat Detection Integration 

Threat Detection supports multiple clouds including Amazon Web Service, Google Cloud Platform and Huawei Cloud.

It is a separate integration from your previous Cloud Posture scanning. 

Click here to see How to set up Threat Detection Integration

Amazon Web Service

Before you can set up Warden Threat Detection in your AWS environment, it requires following Pre-requisites in your AWS infrastructure. Read more

  • An AWS CloudTrail Trail.
  • An AWS S3 bucket that receives logs from the trail.
  • SSE-KMS encrypted SNS Topic configured to receive event notifications from the same S3 Bucket

Google Cloud Platform

Create a new project in your GCP organization and use it to host the integrations’s resources. You can create a new Service account and pub/sub Topics for log integration. Warden will sync logs from the dedicated log sink via GCP Pub/sub subscription you provided.  Read more

Huawei Cloud

Enable the Cloud Trace Service in Huawei Cloud and provide Access Key, OBS bucket, and SMN Topic for log integration. Read more

Alibaba Cloud

Enable the Action Trail in Alibaba Cloud and provide Access Key, OSS bucket, and MNS Topic for log integration. Read more

3. Customize your Monitoring Configuration to Reduce Noise

After you are done with the onboarding procedure, a default monitoring group is automatically set up for monitoring all Critical to Low severity changes in your infrastructure. 

Pro tip: Fine-grained scope configuration in the Monitoring Group meets all your special needs. For example, you can even create your own notification setting for critical alerts when suspicious exfiltration activities are detected on the bucket containing PCI data. All you need to do is flag the critical resources in your cloud environment.

Click here to see How to Customize your Monitoring Configuration 

4. Respond Faster with Speedy Investigation 

In addition to detection, Warden automated the alert analysis process to help and guide you to easily investigate suspicious activities and quickly identify the root cause of potential threats.

For example, if unusual user activity is detected in new geolocation, you can find anomaly summary information, such as what is the unusual location and how many times access was triggered from there. Moreover, you can investigate activities in a single click to be accessible for all baseline activities, together with flagged anomalies by this user. 

If you need further investigation on IP or resources, it is available to pivot on whatever value you want to quickly identify the cause and impact of this incident.

Click here to read more about the investigation.