Overview
HummerRisk is an open-source cloud-native security platform that addresses security and governance issues in cloud-native environments without intruding on the workloads it monitors. Its core capabilities are hybrid cloud security governance and container cloud security detection.
This article introduces the operation audit functions of HummerRisk: how to synchronize cloud events, cloud event analysis, cloud event aggregation queries, and source IP analysis.
Workflow
Cloud Event Synchronization
To use HummerRisk for operation auditing, the operation events from each of your cloud accounts must first be synchronized into the HummerRisk system. This is done by creating a synchronization task.
Create sync task
Click "Hybrid Cloud Security" -> "Operation Audit" to enter the cloud event synchronization page, then click "Create synchronization task" to open the new task page. Select the cloud account, region and synchronization time period and click OK to start synchronizing cloud events.
Note: a single sync task can cover a time span of at most 2 weeks.
Cloud event synchronization list
In the cloud event synchronization list you can view the synchronization log of each task, and the operation button behind each record deletes that log. The list can be filtered quickly by cloud account name and region, or through the advanced filtering page for more complex conditions. The filtering conditions include:
- cloud account
- region
- creation time
Click the synchronization status to view the detailed synchronization log, and click the event count to view the cloud events synchronized by that task.
Cloud Event Analysis
After the cloud event synchronization task is completed, we come to the cloud event analysis part.
In the cloud event analysis, all synchronized events are summarized and displayed. The cloud event list can be filtered quickly by cloud account name, region, user name, source address, event name, resource type or resource name, or through the advanced filtering page for more complex conditions.
Click the arrow in front of a single record to expand and view more detailed event information.
Each event is assigned a risk level of "high risk", "medium risk" or "low risk", so that users can quickly find the risky events.
Cloud Event Aggregation
After the cloud events are synchronized, they can also be queried in aggregated form: the aggregation view shows how many times a given source IP called a given event on a given date. Cloud event aggregation can be filtered quickly by cloud account name, region, user name, source address, event name, resource type and resource name, and the advanced filtering page is available for more complex conditions.
Click the arrow in front of a single record to expand and view more detailed event information.
Source IP Analysis
Next we introduce the source IP analysis function. It counts, for a chosen period of time, how many calls each source IP address made for each event. The source IP analysis list can be filtered quickly by region, source address and event name, and the advanced filtering page can be opened for more complex conditions. The filter conditions include:
- cloud account
- region
- event time
- username
- event name
- resource type
- resource name
- risk level
Click a source IP address to view the IP analysis details: the IP's call-volume curve over the last seven days and the events it called in that period. At the bottom of the page you can see the information of each call together with its detailed event text.
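To make the three views above concrete (the risk level attached to each event in cloud event analysis, the per-IP/per-event/per-day counts of cloud event aggregation, and the seven-day call-volume curve of source IP analysis), here is an added example that computes them over a handful of constructed CloudTrail-style records. This is illustration code written for this article, not HummerRisk's own implementation: the field names follow AWS CloudTrail (eventTime, eventName, sourceIPAddress, awsRegion, userIdentity.userName), the sample events are made up, and the RISK_LEVEL table is an assumed mapping, not HummerRisk's ruleset.

```python
"""Aggregation and source-IP analysis over cloud audit events.

Added example for this article, not HummerRisk's own code. It models the
views described above (risk level, cloud event aggregation, source IP
analysis) over a few constructed CloudTrail-style records. Field names follow
AWS CloudTrail; RISK_LEVEL is an assumption for illustration only.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone


def _event(time, name, ip, region, user):
    """Build one CloudTrail-shaped record (only the fields used below)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "awsRegion": region, "userIdentity": {"userName": user}}


# Constructed sample events (not real telemetry); timestamps are UTC.
EVENTS = [
    _event("2023-03-02T12:00:00Z", "DescribeInstances", "203.0.113.7", "us-east-1", "alice"),
    _event("2023-03-04T10:00:00Z", "ConsoleLogin", "203.0.113.7", "us-east-1", "alice"),
    _event("2023-03-08T09:15:00Z", "RunInstances", "203.0.113.7", "us-east-1", "alice"),
    _event("2023-03-10T08:01:00Z", "ConsoleLogin", "203.0.113.7", "us-east-1", "alice"),
    _event("2023-03-10T08:05:00Z", "CreateAccessKey", "203.0.113.7", "us-east-1", "alice"),
    _event("2023-03-10T08:06:00Z", "CreateAccessKey", "203.0.113.7", "us-east-1", "alice"),
    _event("2023-03-10T23:30:00Z", "StopLogging", "198.51.100.23", "eu-west-1", "bob"),
    _event("2023-03-10T23:31:00Z", "DeleteTrail", "198.51.100.23", "eu-west-1", "bob"),
]

# Assumed risk mapping (illustration only): anything not listed is "low".
RISK_LEVEL = {
    "DeleteTrail": "high", "StopLogging": "high", "CreateAccessKey": "high",
    "ConsoleLogin": "medium", "RunInstances": "medium",
}


def event_day(event):
    """Calendar day (UTC) on which the event happened."""
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc).date()


def risk_level(event_name):
    return RISK_LEVEL.get(event_name, "low")


def filter_events(events, **criteria):
    """Quick filter like the event list page. Keys are top-level fields plus
    two derived ones: userName (from userIdentity) and riskLevel."""
    def value(e, key):
        if key == "userName":
            return e["userIdentity"]["userName"]
        if key == "riskLevel":
            return risk_level(e["eventName"])
        return e.get(key)
    return [e for e in events
            if all(value(e, k) == v for k, v in criteria.items())]


def aggregate(events):
    """Aggregation view: {(sourceIP, eventName, 'YYYY-MM-DD'): call count}."""
    counts = Counter()
    for e in events:
        counts[(e["sourceIPAddress"], e["eventName"],
                event_day(e).isoformat())] += 1
    return counts


def ip_event_summary(events, start, end):
    """Source IP analysis list: per IP, how many calls of each event fell in
    the inclusive period [start, end] (ISO date strings)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    summary = defaultdict(Counter)
    for e in events:
        if lo <= event_day(e) <= hi:
            summary[e["sourceIPAddress"]][e["eventName"]] += 1
    return summary


def ip_call_volume(events, source_ip, end, days=7):
    """Daily call-volume series for one IP over the `days` days ending on
    `end` (inclusive), zero-filled so quiet days still appear on the curve."""
    hi = date.fromisoformat(end)
    lo = hi - timedelta(days=days - 1)
    series = {(lo + timedelta(days=i)).isoformat(): 0 for i in range(days)}
    for e in events:
        if e["sourceIPAddress"] == source_ip and lo <= event_day(e) <= hi:
            series[event_day(e).isoformat()] += 1
    return series


if __name__ == "__main__":
    for key, n in sorted(aggregate(EVENTS).items()):
        print(key, n)
    print(ip_call_volume(EVENTS, "203.0.113.7", "2023-03-10"))
    print([e["eventName"] for e in filter_events(EVENTS, riskLevel="high")])
```

Run stand-alone, the script prints the aggregation rows, the seven-day series for 203.0.113.7 (the 2023-03-02 DescribeInstances call falls outside the window and is dropped) and the four high-risk events. The aggregation row showing two CreateAccessKey calls from one IP on one day, and the StopLogging followed by DeleteTrail from a second IP, are exactly the kind of pattern the aggregation and source IP views are meant to surface; the zero-filled series is what makes a sudden spike visible on the curve.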