Security Monitoring

How to configure security monitoring

Security Monitoring is an add-on feature that allows for continuous monitoring of cloud resources for malicious activity. Potential security concerns are published to the Webscale Event Log where they can be reviewed and monitored in the Event Log Viewer.

Configuring Security Monitoring

In order to configure security monitoring, your account must be granted access to the Security Monitoring plan. Please contact Webscale Support if you need this feature enabled for your account.

Once you have been granted access, click the three bars on the upper left and select the Providers tab. Select your AWS Provider or create one and check the box labeled “Use for Security Monitoring”.

Note: At this time, AWS is the only supported Cloud Provider for Security Monitoring. If you are using a different provider, and would like to see this feature extended to that provider, please contact Webscale Support.

Once you click save, Security Monitoring has been enabled for this Provider. If you do not have access to the Security Monitoring feature, you will receive an error message at this time.

What is Security Monitoring?

If you have configured security monitoring for your AWS Provider, you have enabled Amazon GuardDuty’s Intelligent Threat Detection. You can read more about this here. All resources created with that AWS Provider will be monitored by the GuardDuty service for compromised accounts, anomalous behavior, and malware.

When a security finding is reported, it will be published to the Event Log with a type of “security-monitor-finding” along with details about the finding. You can use Webscale Monitors to configure notifications as well as automatic replacement of potentially compromised servers.

Configuring a Webscale Monitor to alert on findings

Webscale Monitors can be used to send emails or VictorOp notifications when a security finding occurs. To set up a monitor for this purpose, create a new Monitor using the Monitors tab in the Site Menu.

  • The monitor type should be “logs”.
  • No labels are necessary.
  • Log type should be “Event logs”.
  • Measurement interval should be no less than 900 (15 minutes) as this is the frequency in which the underlying monitoring service runs.
  • Condition should be “count>0” in order to be notified on any finding that is detected.
  • Filter should be “type='security-monitor-finding’”.
  • Enter the email address you would like to be notified.
  • Optionally: enter a custom message that will be included in the notification using the provided template.

Click “Save” and your Webscale Monitor will be active.

Further reading

Have questions not answered here? Please Contact Support to get more help.

Last modified October 26, 2022