Security Analysis Overview

The security analysis function works as a cloud native security information and event management (SIEM) solution in SecMaster. It can collect, aggregate, and analyze security logs and alarms from multiple products and sources based on predefined and user-defined threat detection rules. It helps quickly detect and respond to security incidents and protect cloud workloads, applications, and data.

Cloud services and logs that can be interconnected with SecMaster

SecMaster can integrate logs of multiple Huawei Cloud services, such as Web Application Firewall (WAF), Host Security Server (HSS), and Object Storage Service (OBS). You can search for and analyze all collected logs in SecMaster. By default, the logs are stored for 7 days.

For details, see Cloud Service Log Access Supported by SecMaster.

Limitations and Constraints

A maximum of 500 results can be returned for a single analysis query.
A maximum of 50 shortcut queries can be created in a pipeline. That is, a maximum of 50 query analysis criteria can be saved as shortcut queries.
If there are over 50,000 results for a single query, the accuracy may decrease. In this case, you can select a short time range or apply more filter criteria to reduce the number of query results.
In aggregation queries (for example, GROUP BY statement) based on several fields, the default number of buckets for the second field is 10. If more than 10 buckets are generated, part of qualified data will be lost. In this case, the query results are not accurate.

Use process

**Table 1** Use process
Step	Description
Adding a Workspace	Add a workspace for resource isolation and control.
Integrating Data	Configure the sources of security data you need to collect. SecMaster can integrate log data of multiple Huawei Cloud products, such as services in storage, management and governance, and security domains. You can search and analyze all collected logs in SecMaster.
(Optional) Adding a Data Space	Create a data space for storing collected log data. For data accessed through the console, the system creates a default data space. You do not need to create a data space.
(Optional) Creating a Pipeline	Create pipelines for collecting, storing, and querying log data. For data accessed through the console, the system creates a default data pipeline. You do not need to create a pipeline.
Configuring Indexes	Configure indexes to narrow down the query scope. By default, indexes have been configured for some reserved fields in the accessed cloud service logs. For details, see Log Fields.
Querying and Analyzing Collected Data	Query and analyze the accessed data.
Downloading Logs	Download raw logs or queried and analyzed logs.
Viewing Result Charts	If you run query and analysis statements, SecMaster displays query and analysis results in charts and tables. Currently, results can be displayed in tables, line charts, bar charts, and pie charts.