Critical activity logs are essential for monitoring, auditing, and securing cloud environments. These logs help organizations track actions and events, detect anomalies, and ensure compliance with security and governance policies.
Saner CIEM captures key security-related actions and events that could indicate a potential threat, policy violation, or operational issue. Every column provides a vital piece of context about the logged event, enabling enhanced visibility, quick analysis, incident response, and compliance.
For additional information on the critical activity logs, access the relevant cloud service portal.
What are the Recommended Critical Events to Monitor?
Click here for a detailed list of critical events with description and security implication.
What are the High-Privilege Actions in AWS?
Click here to read more about which actions are considered high-privilege in Critical Activity Logs in AWS and more.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Access the Logs

From the CIEM dashboard, access the Critical Activity Logs block.
A quick look at what the columns represent:
Column | What it conveys |
---|---|
Event Name | Specific action or operation performed (for example, createuser/deleteinstance/updatepolicy). The details give security teams a clear understanding of what occurred during the logged event and let them focus on critical operations. |
Event Category | Categorizes the type of event (for example, authentication/access control/data access/configuration), which helps identify and prioritize events based on security relevance. For example, an access control change might call for immediate review. |
Region | Geographical location where the activity took place. Helps identify anomalies, such as actions originating from unauthorized or unexpected regions. |
Resources | Specific cloud resources affected by the action, such as EC2/S3/Database/Virtual Machines. Provides insight into the assets targeted/accessed/modified. Critical for tracking the potential impact of the event in the cloud environment. |
ARN | Unique identifier for resources in a cloud platform such as AWS. Enables precise identification of the affected resources involved in an incident. |
Account | Cloud account or subscription ID. Helps segregate logs and monitor activities across different cloud accounts. |
Performed By | Identity (user/role/service) responsible for initiating the event. Identifies who or what triggered the action. |
Event Time | Timestamp of when the event occurred. Critical for analyzing the sequence of events during incidents. |
Step 3: What do you see in the logs?

Click the icon after the Event Time column in the Critical Activity Logs block to view the log information.
Step 4: See the Total Count of Activity Logs

The total count of activity logs displays as a pie chart in the block next to Critical Activity Logs.
Step 5: Filter with Specific Search Criteria for Analysis
You can also filter critical activity logs with specific search criteria. In the search box within the Critical Activity Logs block, enter your search criteria to retrieve the relevant information. Analyze the log for troubleshooting or subsequent action.
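The column descriptions above translate into three routine checks: flag events from unexpected regions, prioritize access control changes, and order each identity's events by Event Time. The following is an added example, not Saner CIEM code; it assumes rows have been copied out as records keyed by the column names, and the timestamp format, region list, and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

COLUMNS = ["Event Name", "Event Category", "Region", "Resources",
           "ARN", "Account", "Performed By", "Event Time"]

# Constructed sample rows (ARNs, account ID, identities and times are made up),
# deliberately out of time order. The ISO 8601 UTC timestamp format is an assumption.
RAW = [
    ("updatepolicy", "access control", "us-east-1", "IAM",
     "arn:aws:iam::111111111111:policy/example-policy", "111111111111",
     "role/example-admin", "2024-01-10T09:20:00Z"),
    ("createuser", "access control", "us-east-1", "IAM",
     "arn:aws:iam::111111111111:user/example-new", "111111111111",
     "role/example-admin", "2024-01-10T09:15:00Z"),
    ("deleteinstance", "configuration", "ap-south-1", "EC2",
     "arn:aws:ec2:ap-south-1:111111111111:instance/i-0example", "111111111111",
     "user/example-dev", "2024-01-10T09:18:00Z"),
    ("getobject", "data access", "us-east-1", "S3",
     "arn:aws:s3:::example-bucket", "111111111111",
     "user/example-dev", "2024-01-10T09:05:00Z"),
]
ROWS = [dict(zip(COLUMNS, r)) for r in RAW]

EXPECTED_REGIONS = {"us-east-1"}   # assumption: regions the organization operates in
REVIEW_FIRST = {"access control"}  # category the table singles out for immediate review

def event_time(row):
    """Parse the Event Time column so rows sort chronologically."""
    return datetime.strptime(row["Event Time"], "%Y-%m-%dT%H:%M:%SZ")

def triage(rows, expected_regions=EXPECTED_REGIONS, review_first=REVIEW_FIRST):
    """Return (flagged, timelines): flagged events with reasons, in time order,
    and the ordered Event Names per Performed By identity."""
    flagged, timelines = [], defaultdict(list)
    for row in sorted(rows, key=event_time):
        reasons = []
        if row["Region"] not in expected_regions:
            reasons.append("unexpected region")
        if row["Event Category"].lower() in review_first:
            reasons.append("review first")
        if reasons:
            flagged.append((row["Event Time"], row["Event Name"],
                            row["Performed By"], reasons))
        timelines[row["Performed By"]].append(row["Event Name"])
    return flagged, dict(timelines)

if __name__ == "__main__":
    for item in triage(ROWS)[0]:
        print(item)
```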