
Security Monitoring

Guance integrates the core capabilities of CSPM (Cloud Security Posture Management) and SIEM (Security Information and Event Management) to build a comprehensive security monitoring system that covers the chain "Assets ➛ Configuration ➛ Behavior".

  • SIEM: Focuses on the security of "active behavior" in the runtime environment.

Core problem it solves: Are malicious or abnormal activities occurring in the environment?

It collects and analyzes log data in real time (operating system logs, network traffic, cloud platform operation audit logs, and so on) and applies rules and threat detection models to detect and respond to "dynamic" security threats that have already occurred or are still in progress. Its core value is threat discovery and incident response, which suits security monitoring, intrusion detection, incident investigation, and similar scenarios.

  • CSPM: Focuses on the security of the "configuration state" of cloud infrastructure.

Core problem it solves: Are cloud resources configured correctly in the first place?

Using automated policies, it continuously scans the configuration of the cloud platform and its services (for example, whether storage buckets are public, security group rules, IAM policies) to prevent and discover "static" security weaknesses and compliance deviations caused by misconfiguration. Its core value is risk prevention and governance, which suits security hardening, compliance audits, and similar scenarios.

Use Cases

  • Cloud storage bucket leakage monitoring

  • Internal data violation access

  • Malicious file upload detection

  • Infrastructure misconfiguration

  • Unauthorized access

  • Insecure interfaces/APIs

  • Compliance and regulatory issues

  • ......

Getting Started

Create security detection rules in the console (Create Detection Rules): set the detection frequency and detection interval, the title and description of the event to be generated, and associate an alert strategy with the rule.

Once a rule is created, the system executes the detection on the configured schedule. When the detection result matches the rule logic, the system generates a corresponding event and then checks whether that event meets the trigger conditions of the associated alert strategy. If it does, an alert notification is sent externally; if not, only the event is recorded.
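To make the rule ➛ event ➛ alert flow concrete, here is a small added example that models it in Python. It is not Guance's code or API: the rule fields (detection interval, title and description templates, severity), the alert strategy's severity threshold, the two detection functions, and the cloud audit-log records are all hypothetical and constructed for this example. It shows the three outcomes the paragraph above describes: a record outside the detection interval is ignored, an event that meets the alert strategy's trigger condition is notified, and an event that does not is only recorded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


def parse_ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample cloud audit-log records (hypothetical, not real data).
SAMPLE_LOGS = [
    # Outside the 5-minute detection interval of the run below: must be ignored.
    {"ts": "2024-05-01T09:50:00Z", "action": "PutBucketAcl", "bucket": "old-logs", "acl": "public-read", "user": "alice"},
    {"ts": "2024-05-01T10:00:05Z", "action": "PutBucketAcl", "bucket": "backups", "acl": "public-read", "user": "alice"},
    {"ts": "2024-05-01T10:01:00Z", "action": "PutBucketAcl", "bucket": "internal", "acl": "private", "user": "alice"},
    {"ts": "2024-05-01T10:02:03Z", "action": "Login", "user": "carol", "result": "failed", "src_ip": "198.51.100.4"},
] + [
    {"ts": f"2024-05-01T10:03:{i:02d}Z", "action": "Login", "user": "bob", "result": "failed", "src_ip": "203.0.113.9"}
    for i in range(5)
]
NOW = parse_ts("2024-05-01T10:05:00Z")  # the moment this detection run executes

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class AlertStrategy:
    """Hypothetical trigger condition: notify externally only at or above min_severity."""
    name: str
    min_severity: str


@dataclass
class DetectionRule:
    name: str
    interval: timedelta             # lookback window evaluated on each scheduled run
    detect: Callable[[list], list]  # records in the window -> list of hits (dicts)
    title: str                      # event title template, filled from the hit
    description: str                # event description template, filled from the hit
    severity: str
    alert: AlertStrategy


@dataclass
class Event:
    rule: str
    title: str
    description: str
    severity: str
    notified: bool  # True: alert sent externally; False: event recorded only


def public_bucket_acl(records):
    """Hit on every ACL change that makes a bucket publicly readable or writable."""
    return [r for r in records
            if r.get("action") == "PutBucketAcl" and r.get("acl", "").startswith("public")]


def repeated_failed_logins(records, threshold=5):
    """Hit when one user/source pair fails to log in `threshold` or more times in the window."""
    counts = {}
    for r in records:
        if r.get("action") == "Login" and r.get("result") == "failed":
            key = (r["user"], r["src_ip"])
            counts[key] = counts.get(key, 0) + 1
    return [{"user": u, "src_ip": ip, "count": n}
            for (u, ip), n in counts.items() if n >= threshold]


RULES = [
    DetectionRule("public-bucket-acl", timedelta(minutes=5), public_bucket_acl,
                  "Bucket {bucket} set to {acl}",
                  "{user} changed the ACL of bucket {bucket} to {acl}",
                  "critical", AlertStrategy("page-oncall", "high")),
    DetectionRule("failed-login-burst", timedelta(minutes=5), repeated_failed_logins,
                  "{count} failed logins for {user}",
                  "{count} failed logins for {user} from {src_ip} within 5 minutes",
                  "medium", AlertStrategy("page-oncall", "high")),
]


def run_rule(rule, logs, now):
    """One scheduled execution of a rule: restrict the logs to the detection interval,
    run the detection, build one event per hit, then apply the alert strategy's
    trigger condition to decide whether the event is notified or only recorded."""
    start = now - rule.interval
    in_window = [r for r in logs if start <= parse_ts(r["ts"]) <= now]
    events = []
    for hit in rule.detect(in_window):
        triggers = SEVERITY_RANK[rule.severity] >= SEVERITY_RANK[rule.alert.min_severity]
        events.append(Event(rule.name, rule.title.format(**hit),
                            rule.description.format(**hit), rule.severity, triggers))
    return events


def run_all(rules, logs, now):
    """Execute every rule once against the same log set, preserving rule order."""
    return [e for rule in rules for e in run_rule(rule, logs, now)]


if __name__ == "__main__":
    for e in run_all(RULES, SAMPLE_LOGS, NOW):
        print("ALERT   " if e.notified else "RECORDED", e.rule, "|", e.title)
```

Run as a script, the bucket event (critical, above the strategy's "high" threshold) prints as ALERT and the failed-login event (medium) as RECORDED; the public-read change to old-logs at 09:50 produces nothing because it falls outside the 5-minute interval of a run at 10:05. Severity is only one possible trigger condition; a real alert strategy may also count events over a window or route by rule, and the threshold values here are illustrative.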

Signals are the raw indicators or events, generated from the various data sources, that may point to a potential security threat. You can visualize and analyze them in one place in the signal explorer, where quick filters, search, and other small but powerful components let you work through large volumes of signals efficiently, turning them from "cluttered information requiring manual screening" into "clear alarms ready for prioritized handling".
