Twistlock creates and stores audit event records (audits) for all major subsystems. Audits can be reviewed in Monitor > Events, or they can be retrieved from the Twistlock API. If you have a centralized syslog collector, you can integrate Twistlock with your existing infrastructure by configuring Twistlock to send all audit events to syslog in RFC5424-compliant format.
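Because the forwarded audits arrive at the collector as RFC 5424 records, the collector side needs a parser that understands the PRI/HEADER/STRUCTURED-DATA/MSG layout, including the escaping rules for parameter values, before it can route or alert on them. The following Python is an added example, not Twistlock's own code or its documented message format: the APP-NAME, MSGIDs, SD-IDs and the three sample lines are constructed placeholders, and the severity filter at the end is a generic triage helper assumed for illustration.

```python
"""Parser for RFC 5424 syslog records (the format Twistlock uses when it
forwards audit events to a central syslog collector), plus a severity filter
over the parsed records.

Added example, not Twistlock's own code. The sample lines are CONSTRUCTED:
the APP-NAME, MSGIDs and SD-IDs are placeholders and do not describe
Twistlock's real message layout.
"""
import re

# Severity keywords indexed by PRI % 8 (RFC 5424 section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)


def _parse_structured_data(text):
    """Parse STRUCTURED-DATA at the start of `text`.

    Returns (sd, msg): sd maps SD-ID -> {PARAM-NAME: PARAM-VALUE}, with the
    RFC escapes for double quote, backslash and ']' undone; msg is the
    optional free-text MSG that follows the structured data.
    """
    sd = {}
    pos = 0
    try:
        if text[0] == "-":                      # NILVALUE: no structured data
            pos = 1
        else:
            while pos < len(text) and text[pos] == "[":
                pos += 1
                end = pos
                while text[end] not in " ]":    # SD-ID ends at SP or ']'
                    end += 1
                sd_id, params, pos = text[pos:end], {}, end
                while text[pos] == " ":         # zero or more SD-PARAMs
                    pos += 1
                    eq = text.index("=", pos)
                    name, pos = text[pos:eq], eq + 1
                    if text[pos] != '"':
                        raise ValueError("PARAM-VALUE must be double-quoted")
                    pos += 1
                    buf = []
                    while text[pos] != '"':
                        if text[pos] == "\\" and text[pos + 1] in '"\\]':
                            pos += 1            # drop the escaping backslash
                        buf.append(text[pos])
                        pos += 1
                    pos += 1                    # closing quote
                    params[name] = "".join(buf)
                if text[pos] != "]":
                    raise ValueError("unterminated SD-ELEMENT")
                pos += 1
                sd[sd_id] = params
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    # MSG is optional and, when present, is separated from SD by one SP.
    msg = text[pos + 1:] if pos < len(text) and text[pos] == " " else ""
    return sd, msg


def parse_record(line):
    """Parse one RFC 5424 record into a dict; raise ValueError if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    pri = int(m["pri"])
    if pri > 191:                               # facility <= 23, severity <= 7
        raise ValueError("PRI out of range: %d" % pri)
    sd, msg = _parse_structured_data(line[m.end():])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITIES[pri % 8],
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "appname": m["appname"],
        "procid": m["procid"],
        "msgid": m["msgid"],
        "sd": sd,
        "msg": msg,
    }


def at_least(records, level):
    """Records whose severity is `level` or more urgent (lower numeric value)."""
    threshold = SEVERITIES.index(level)
    return [r for r in records if r["severity"] <= threshold]


# Constructed sample feed (facility 13, "log audit"): one access audit, one
# runtime audit with an escaped parameter value, one firewall audit with no
# structured data. Names and values are placeholders.
SAMPLE_LINES = [
    r'<110>1 2023-05-04T10:15:30.123Z node-a twistlock 1234 ACCESS '
    r'[audit@32473 type="access" event="sudo" user="alice"] alice ran sudo on node-a',
    r'<108>1 2023-05-04T10:16:02Z node-b twistlock 1234 RUNTIME '
    r'[audit@32473 type="runtime" sensor="filesystem" container="web-1"]'
    r'[meta@32473 note="value with \"escaped\" quote and \] bracket"] Malware detected in container web-1',
    r'<107>1 2023-05-04T10:16:40Z node-a twistlock 1234 FIREWALL - CNAF blocked SQL injection attempt',
]


def parse_samples():
    """Parse the constructed sample feed."""
    return [parse_record(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for r in at_least(parse_samples(), "warning"):
        print(r["timestamp"], r["hostname"], r["severity_name"], r["msgid"], r["sd"], r["msg"])
```

The parser rejects truncated or unquoted structured data with ValueError rather than silently returning partial fields, which matters when a collector feeds these records into alerting: a half-parsed audit is easier to miss than a parse error you can count.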
When you’re reviewing audits in a dialog, the list of audits isn’t updated in real time. To retrieve all the latest data, close the dialog. If the Refresh button is decorated with a red indicator, click it to refresh the view with the latest data, then reopen the dialog.
Access to any container resource protected by Defender is logged and aggregated in Console. You can also configure Twistlock to record audits for sudo, SSH, and other events that are executed on hosts protected by Defender. This audit trail links access to system components to individual users. Access events can be viewed in Console under Monitor > Events.
Twistlock records an audit every time a runtime sensor (process, network, file system, or system call) detects activity that deviates from the predictive model plus any runtime rules you’ve defined. For example, a file system audit event is emitted when Twistlock detects malware in a container. Runtime events for both containers and hosts can be viewed in Console under Monitor > Events.
Cloud Native Network Firewall (CNNF) uses Twistlock runtime models to identify anomalous traffic flows between containers. Anomalous traffic flows generate an audit and could indicate that an attacker is moving laterally through your environment. Cloud Native Application Firewall (CNAF) is a layer 7 filtering engine that ensures only safe, clean traffic ever reaches your web app. Audits are generated when CNAF detects an attack, such as SQL injection or cross-site scripting. Firewall audits can be viewed under Monitor > Events.
All Twistlock administrative activity can be viewed under Manage > View Logs.
Twistlock limits viewing of audit trails to those with a job-related need. In order to view audit events, you must log into Console. Only users with Administrator, Operator, Defender Manager, or Auditor roles can view audit data in Console. Similarly, only users with the above-mentioned roles can retrieve audit data from the Twistlock API.