What is Warden Threat Detection

How can you protect cloud infrastructure seamlessly? Warden gives your business the protection and 24/7 monitoring it needs. Warden Threat Detection detects threats in near real time, so you can quickly identify attacks or suspicious activity and respond before they cause more damage.

Cyber attacks will never stop, and as cloud adoption grows, attackers are using increasingly complex techniques to get into cloud infrastructure and target your critical assets. Real-time detection tools like Warden Threat Detection are therefore necessary to protect your crown jewels from these threats.

Threat Detection supports multiple clouds, including Amazon Web Services, Google Cloud Platform and Huawei Cloud.

What is Warden Threat Detection?

It monitors your cloud infrastructure logs 24/7 and sends out an alert immediately (in near real time) to inform you when there is suspicious activity in your environment.

Warden Threat Detection is mapped to MITRE ATT&CK tactics. It can detect most known attack patterns and also has predictive capability: it uses User and Entity Behavior Analytics (UEBA) for anomaly detection, analyzing user behavior to detect advanced, previously unknown threats such as insider threats.

For example:

  1. Critical changes in the environment that need immediate attention:
    • Someone disabled your CloudTrail logs or audit logs.
    • Your root account credentials were used.
    • Security groups or firewall rules were changed in a suspicious manner.
  2. Anomalous behaviour or suspicious activities from users:
    • Someone connecting from malicious IPs or user agents.
    • API calls from an identity coming from a new geolocation that has not been seen in the last 30 days.
    • A user suddenly connects to an abnormal cloud service that has never been used before.
  3. Abnormal resource provisioning, such as cryptocurrency mining:
    • A higher number of resources were created than usual.
    • Resources were created in a new region that your organization rarely uses or has never used before.
  4. Data exfiltration, privilege escalation, persistence and more.

Monitoring Alerts in Threat Detection

Respond Faster with Speedy Investigation 

In addition to detection, Warden also provides detailed information for each alert so that you can quickly understand what is happening in your cloud infrastructure, what the impact would be, and how to respond faster.

For example, if unusual user activity is detected from a new geolocation, the alert shows an anomaly summary, such as what the unusual location is and how many times access was triggered from there. Moreover, a single click opens an investigation view of all of this user's baseline activities together with the anomalies flagged for the user.

If you need to investigate an IP address or a resource further, you can pivot on whatever value you want to quickly identify the cause and impact of the incident. Click here to read more about the investigation.

Alert Details with description, affected resources and identities 

Investigation on alerts with Graphical view and all related events

Fine-tuned detection only for your organization

Unlike traditional detection tools or SIEM tools, which require expertise to set up and monitor and flood you with alerts, Warden is an intuitive, easy-to-set-up tool that automatically adjusts its detection focus based on your business use case.

Consider the following scenarios. These are just some of the configurations that you can easily set up in Warden to customize your alerts as you need.

  • I want to look closely at my production environment rather than the dev environment
  • I want to be notified if resources are provisioned outside of the defined regions
  • Some of my resources matter more than others; I'd like to keep watch on them
  • I don’t need to monitor every single activity from trusted IPs
  • No need to flag regular changes made by CI/CD users
  • ...

Fine-grained scope configuration in the Monitoring Group meets all your special needs. For example, you can even create your own notification setting for critical alerts when suspicious exfiltration activities are detected on the bucket containing PCI data. All you need to do is flag the critical resources in your cloud environment.

Click here to see more information on how to create a monitoring group. 
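As an added illustration, not Warden's own detection logic (which this page does not describe), the Python below runs simplified versions of the detections listed earlier (CloudTrail logging disabled, root credentials used, API calls from a geolocation not seen for that identity in the last 30 days, resources created in an unapproved region) over constructed CloudTrail-style events, and then applies the kind of scope tuning described for Monitoring Groups (trusted IP ranges and CI/CD principals suppressed). The account ID, the `geo` enrichment field and all event values are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
ACCT = "arn:aws:iam::111111111111:"          # constructed account prefix
SCOPE = {                                     # constructed scope settings
    "approved_regions": {"ap-southeast-1", "us-east-1"},
    "trusted_cidrs": ["10.0.0.0/8"],
    "cicd_principals": {ACCT + "user/ci-deployer"},
}
LOGGING_TAMPER = {"StopLogging", "DeleteTrail"}   # real CloudTrail event names

def scoped_out(ev):
    """Monitoring-group style suppression: trusted networks and CI/CD identities."""
    src = ip_address(ev["sourceIPAddress"])
    if any(src in ip_network(c) for c in SCOPE["trusted_cidrs"]):
        return True
    return ev["userIdentity"].get("arn") in SCOPE["cicd_principals"]

def detect(events, baseline_days=30):
    """Return [(rule, eventID)] for events given in chronological order."""
    last_seen = {}                  # (identity arn, country) -> last event time
    findings = []
    for ev in events:
        t = datetime.fromisoformat(ev["eventTime"])
        ident, rules = ev["userIdentity"], []
        if ev["eventName"] in LOGGING_TAMPER:
            rules.append("cloudtrail_disabled")
        if ident["type"] == "Root":
            rules.append("root_credentials_used")
        if ev["awsRegion"] not in SCOPE["approved_regions"]:
            rules.append("unapproved_region")
        key = (ident.get("arn"), ev["geo"])   # geo: assumed enrichment, not raw CloudTrail
        prev = last_seen.get(key)
        has_baseline = any(k[0] == key[0] for k in last_seen)
        if has_baseline and (prev is None or t - prev > timedelta(days=baseline_days)):
            rules.append("new_geolocation")   # not seen from here in the baseline window
        last_seen[key] = t
        if rules and not scoped_out(ev):      # scoping applies after detection
            findings.extend((r, ev["eventID"]) for r in rules)
    return findings

def mk(i, time, name, region, ip, geo, typ, who):
    return {"eventID": i, "eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "geo": geo, "userIdentity": {"type": typ, "arn": ACCT + who}}
EVENTS = [  # constructed sample events, chronological
    mk("e1", "2024-05-01T09:00:00", "ListBuckets", "us-east-1", "203.0.113.5", "SG", "IAMUser", "user/alice"),
    mk("e2", "2024-06-10T09:00:00", "ListBuckets", "us-east-1", "198.51.100.7", "DE", "IAMUser", "user/alice"),
    mk("e3", "2024-06-10T09:05:00", "StopLogging", "us-east-1", "198.51.100.7", "DE", "Root", "root"),
    mk("e4", "2024-06-10T10:00:00", "RunInstances", "eu-north-1", "10.1.2.3", "SG", "IAMUser", "user/ci-deployer"),
]
```

Running `detect(EVENTS)` flags e2 (new geolocation for alice) and e3 (logging stopped with root credentials), while e4's unapproved-region hit is suppressed because it comes from a trusted CIDR and a CI/CD principal.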

How to set up

Threat Detection is a separate integration from Cloud Posture scanning. Go to Warden > Integrations to start integrating your logs into Warden Threat Detection.

Amazon Web Services

Before you can set up Warden Threat Detection in your AWS environment, the following prerequisites must exist in your AWS infrastructure:

  • An AWS CloudTrail trail.
  • An AWS S3 bucket that receives logs from the trail.
  • An SSE-KMS encrypted SNS topic configured to receive event notifications from that S3 bucket.

Click here to read more about the AWS infrastructure prerequisites.

Google Cloud Platform

Create a new project in your GCP organization and use it to host the integration’s resources. You can create a new service account and Pub/Sub topics for log integration. Warden will sync logs from the dedicated log sink via the GCP Pub/Sub subscription you provide. Read more

Huawei Cloud

Enable the Cloud Trace Service in Huawei Cloud and provide an access key, an OBS bucket and an SMN topic for log integration. Read more

Alibaba Cloud

Enable ActionTrail in Alibaba Cloud and provide an access key, an OSS bucket and an MNS topic for log integration. Read more

Continue to see How to set up Threat Detection Integration in Warden.

Click here to log in to Warden to start setting up Threat Detection Integration.