Skip to main content

Twistlock

thumbnail icon

Twistlock is a cloud native cybersecurity platform for hosts, containers, and serverless setups that ensures the protection of all your workloads across any environment.

The Sumo Logic app for Twistlock provides a comprehensive monitoring and analysis solution for detecting vulnerabilities and potential threats within your Kubernetes and containerized environments.

If you're using Kubernetes, we recommend installing the Twistlock app.

If you're not using Kubernetes, we recommend installing the Twistlock Classic app.

Log types

The Twistlock Apps work on logs from:

  • Twistlock Console. Console logs typically include image scan, host scan, container scan, registry scan, scan summary, management audits, compliance violations, and vulnerability issues events.
  • Twistlock Defender. Defender logs typically include container/host runtime audits, process activity audits, and incident events

For more information on Twistlock events, refer to the Twistlock Documentation.

Collecting logs for the Twistlock app

This section provides instructions for configuring log collection for the Sumo Logic app for Twistlock. After completing the following tasks, you will have successfully configured log collection for Twistlock:

  • Configure a Sumo Logic syslog source
  • Send Twistlock logs to Sumo Logic

Step 1. Configure a Sumo Logic syslog source

In this step you configure an installed collector with a Syslog source that will act as Syslog server to receive logs and events from Twistlock.

  1. Configure an Installed Collector for each Twistlock Console instance.
  2. Add a Syslog Source to the Installed Collector, and specify the following:
    1. Name. (Required) A name is required.
    2. Description. Optional.
    3. Protocol. UDP or TCP. Choose the protocol you configured in Twistlock Console for Syslog forwarding.
    4. Port. Port number. Choose the port you configured in Twistlock Console for Syslog forwarding.
    5. Source Category. (Required) Provide a Source Category for this data type. For example: prod/twistlock. For more information, see Best Practices.
  3. For Kubernetes customers, we recommend adding a custom field to the Syslog Source so you can reference it in the Sumo Explorer view. Each field contains a key-value pair, where the field name is the key. To add a field click the +Add Field link in the Fields section. You could add a field named cluster where you set the name of the cluster to tag to the logs. For example, cluster = k8s.dev.sumo.sumologic.net.
  4. Click Save.

Step 2: Send Twistlock logs to Sumo Logic

This step shows you how to configure Twistlock to send logs to the Sumo Logic syslog source.

  1. Login to the Twistlock console.
  2. Go to Manage > System > Logging.
  3. Enable Syslog.
  4. Enable both options under verbose syslog output.
  5. Edit Send syslog messages over the network to with the syslog endpoint that you configured in the Sumo Syslog Source step.
    • Format to specify the endpoint: <protocol>://<server>:<port>
    • Example: tcp://192.168.125.200:514

Sample log messages

Console log sample
<142>2019-07-24T14:37:50Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:37:50.767565936Z"
type="host_scan" log_type="vulnerability" vulnerability_id="46" description="Image contains vulnerable OS
packages" cve="ALAS-2019-1222" severity="critical" package="kernel" package_version="4.14.104-95.84.amz
-111.109.amzn2" rule="Default - alert all components" host="ip-192-168-20-21.us-west-1.compute.internal"

<142>2019-07-24T14:37:50Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:37:50.767806646Z"
type="scan_summary" log_type="host" hostname="ip-192-168-20-21.us-west-1.compute.internal" vulnerabilities="29"
compliance="19"
Defender log sample
<142>2019-07-25T08:24:42Z ip-192-168-85-85.us-west-1.compute.internal Twistlock-Defender[18070]:
time="2019-07-25T08:24:42.947472447Z" type="process" pid="32593" path="/usr/bin/pgrep" interactive="false"
container_id="12345bd5416a975674fd507666b085e8724176453645b8b337529738dd012345"

<142>2019-07-24T14:38:13Z twistlock-console-v5t10 Twistlock-Console[1]: time="2019-07-24T14:38:13.772137479Z"
type="container_scan" log_type="container" container_id="123450cc8254018dde3fe860c017802b691495ae430797bd3c24d4b4e7b12345"
container_name="k8s_twistlock-defender-19-03-345_twistlock-defender-ds-9z824_twistlock_18fd4d74-77e8-11e9-b56a-06003de922ca_0"
image_name="registry-auth.twistlock.com/tw_blm0yiaqqwvgimnirx1x0iczg9xoslag/twistlock/defender:defender_19_03_345"
compliance="0"

Sample query

The following query sample is from the Vulnerability Scan Events by Severity panel in the Twistlock - Overview dashboard.

_sourceCategory=*Twistlock* type log_type *scan* vulnerability severity
| parse regex "\s+(?<component>Twistlock-Console|Twistlock-Defender?)\s*.*\s*time=\"" nodrop
| parse "type=\"*\"" as type nodrop | parse "log_type=\"*\"" as log_type nodrop | parse "severity=\"*\""
as severity nodrop | parse "description=\"*\"" as description nodrop | parse "rule=\"*\"" as rule nodrop
| parse "host=\"*\"" as host nodrop | parse "image_id=\"*\"" as image_id nodrop | parse "image_name=\"*\""
as image_name nodrop | parse "container_id=\"*\"" as container_id nodrop | parse "container_name=\"*\""
as container_name nodrop | parse "cve=\"*\"" as cve nodrop | parse "vendor_status=\"*\"" as vendor_status nodrop | parse "vulnerability_id=\"*\"" as vulnerability_id nodrop
| where type matches "*scan*" and log_type="vulnerability"
| timeslice 1d
| count by _timeslice, severity
| transpose row _timeslice column severity

Installing the Twistlock qpp

This section provides instructions on how to install the Twistlock App, as well as examples of each of the dashboards. The App pre-configured searches and dashboards provide easy-to-access visual insights into your data.

To install the app, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can scroll down to preview the dashboards included with the app.
  3. To install the app, click Install App.
  4. Click Next in the Setup Data section.
  5. In the Configure section of the respective app, complete the following fields.
    1. Key. Select either of these options for the data source.
      • Choose Source Category, and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
  6. Click Next. You will be redirected to the Preview & Done section.

Your app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, updating with full graphs and charts over time.

Upgrading the Twistlock app (Optional)

To update the app, do the following:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can identify apps that can be upgraded in the Upgrade available section.
  3. To upgrade the app, click Upgrade.
    1. You will be redirected to the Preview & Done section if the upgrade did not have any configuration or property change.
    2. You will be redirected to Setup Data page if the upgrade has any configuration or property change.
      1. In the Configure section of the respective app, complete the following fields.
        • Key. Select either of these options for the data source.
          • Choose Source Category, and select a source category from the list for Default Value.
          • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Your upgraded app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

note

Go to the Release Notes tab to see the change log for new updates in the app.

Uninstalling the Twistlock app (Optional)

To uninstall the app, do the following:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Click Uninstall.

Viewing Twistlock dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
  • Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Overview

The Twistlock - Overview dashboard provides an at-a-glance overview of the state of your Kubernetes and container environments, including the number of hosts, containers, audit events, rules triggered, and defender incidents. The panels also display information on a variety of critical vulnerabilities by type, severity, and affected containers.

Use this dashboard to:

  • Verify the number of host containers being monitored by Twistlock.
  • Quickly understand and remediate vulnerabilities on hosts and images.
  • Understand which CVEs have fixes available and use that information to triage and remediate vulnerabilities.
  • Monitor trends for vulnerabilities and compliance issues detected.
Twistlock Dashboard

Scans

The Twistlock - Scans dashboard provides insights into scan events. Panels show scan summaries, vulnerability information and container compliance violations.

Twistlock Dashboard

Use this dashboard to:

  • Monitor scan events and their results.
  • Identify and remediate the most vulnerable hosts, images, and compliance violations.
Twistlock Dashboard

Detected Vulnerabilities

The Twistlock - Detected Vulnerabilities dashboard provides detailed information on detected vulnerabilities in the registry, image, and host.

Twistlock Dashboard

Use this dashboard to:

  • Prioritize, identify and remediate vulnerabilities on the registry, images, and hosts.
  • Identify top rules triggered by Twistlock to understand how to optimize or add new rules going forward.
  • Use "Twistlock - CVE Status" dashboard to work on a specific host, image, and registry, based on Twistlock's recommendation.
Twistlock Dashboard

CVE Status

The Twistlock - CVE Status dashboard combines high-level views of common vulnerabilities and exposures (CVE) along with detailed information. Panels display at-a-glance views for host, image, and registry scans, and available fixes.

Use this dashboard to:

  • Quickly identify, prioritize, and remediate CVE’s in your environment, for which documented fixes are available.
  • Monitor trends of vulnerabilities detected within the last 2 days.
Twistlock Dashboard

Compliance Violations

The Twistlock - Compliance Violations dashboard provides detailed information on system-wide compliance violations, organized according to the severity of violation, description of violation, and rules triggered by the violation.

Use this dashboard to:

  • Prioritize, identify, and remediate compliance violations.
  • Identify Twistlock rules that trigger violations and optimize them as needed.
  • Monitor compliance finding. These finding messages are generated as a byproduct of container scans, image scans, host scans, and registry scans.
Twistlock Dashboard

Defender Incidents

The Twistlock - Defender Incidents dashboard combines high-level and detailed information for defender incidents, which are logical groupings of events related by context that reveal known attack patterns, defender incidents, and process activity.

Twistlock Dashboard

Use this dashboard to monitor:

  • Known attack patterns. Incidents are logical groupings of events, related by context, that reveal known attack patterns.
  • Processes activity in a container. Look into whether the process was spawned from a shell session.

Runtime

The Twistlock - Runtime dashboard provides detailed information on system and runtime threats, alerts and management activity.

Twistlock Dashboard

Use this dashboard to:

  • Identify and remediate runtime threats in container environments across file systems, processes, system calls, or the network.
  • Monitor audit events for console administrative activities and defender audit events.

Installing the Twistlock Classic app

To install the app, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can scroll down to preview the dashboards included with the app.
  3. To install the app, click Install App.
  4. Click Next in the Setup Data section.
  5. In the Configure section of the respective app, complete the following fields.
    1. Key. Select either of these options for the data source.
      • Choose Source Category, and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
  6. Click Next. You will be redirected to the Preview & Done section.

Your app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, updating with full graphs and charts over time.

Upgrading the Twistlock Classic app (Optional)

To update the app, do the following:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can identify apps that can be upgraded in the Upgrade available section.
  3. To upgrade the app, click Upgrade.
    1. You will be redirected to the Preview & Done section if the upgrade did not have any configuration or property change.
    2. You will be redirected to Setup Data page if the upgrade has any configuration or property change.
      1. In the Configure section of the respective app, complete the following fields.
        • Key. Select either of these options for the data source.
          • Choose Source Category, and select a source category from the list for Default Value.
          • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Your upgraded app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

note

Go to the Release Notes tab to see the change log for new updates in the app.

Uninstalling the Twistlock Classic app (Optional)

To uninstall the app, do the following:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Click Uninstall.

Viewing Twistlock Classic dashboards​

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • If required, configure the refresh interval rate for a dashboard or panel by clicking the drop-down arrow next to the refresh icon.
  • Click the funnel icon in the dashboard top menu bar to filter dashboard with Template Variables.
    filter-dashboards

Overview

The Twistlock - Overview dashboard provides an at-a-glance overview of the state of your Kubernetes and container environments, including the number of hosts, containers, audit events, rules triggered, and defender incidents. The panels also display information on a variety of critical vulnerabilities by type, severity, and affected containers.

Twistlock Dashboard

Use this dashboard to:

  • Verify the number of host containers being monitored by Twistlock.
  • Quickly understand and remediate vulnerabilities on hosts and images.
  • Understand which CVEs have fixes available and use that information to triage and remediate vulnerabilities.
  • Monitor trends for vulnerabilities and compliance issues detected.

Scans

The Twistlock - Scans dashboard provides insights into scan events. Panels show scan summaries, vulnerability information and container compliance violations.

Twistlock Dashboard

Use this dashboard to:

  • Monitor scan events and their results.
  • Identify and remediate the most vulnerable hosts, images, and compliance violations.

Detected Vulnerabilities

The Twistlock - Detected Vulnerabilities dashboard provides detailed information on detected vulnerabilities in the registry, image, and host.

Twistlock Dashboard

Use this dashboard to:

  • Prioritize, identify and remediate vulnerabilities on the registry, images, and hosts.
  • Identify top rules triggered by Twistlock to understand how to optimize or add new rules going forward.
  • Use "Twistlock - CVE Status" dashboard to work on a specific host, image, and registry, based on Twistlock's recommendation.

CVE Status

The Twistlock - CVE Status dashboard combines high-level views of common vulnerabilities and exposures (CVE) along with detailed information. Panels display at-a-glance views for host, image, and registry scans, and available fixes.

Twistlock Dashboard

Use this dashboard to:

  • Quickly identify, prioritize, and remediate CVE’s in your environment, for which documented fixes are available.
  • Monitor trends of vulnerabilities detected within the last 2 days.

Compliance Violations

The Twistlock - Compliance Violations dashboard provides detailed information on system-wide compliance violations, organized according to the severity of violation, description of violation, and rules triggered by the violation.

Twistlock Dashboard

Use this dashboard to:

  • Prioritize, identify, and remediate compliance violations.
  • Identify Twistlock rules that trigger violations and optimize them as needed.
  • Monitor compliance finding. These finding messages are generated as a byproduct of container scans, image scans, host scans, and registry scans.

Defender Incidents

The Twistlock - Defender Incidents dashboard combines high-level and detailed information for defender incidents, which are logical groupings of events related by context that reveal known attack patterns, defender incidents, and process activity.

Twistlock Dashboard

Use this dashboard to monitor:

  • Known attack patterns. Incidents are logical groupings of events, related by context, that reveal known attack patterns.
  • Processes activity in a container. Look into whether the process was spawned from a shell session.
Twistlock Dashboard

Runtime

The Twistlock - Runtime dashboard provides detailed information on system and runtime threats, alerts and management activity.

Use this dashboard to:

  • Identify and remediate runtime threats in container environments across file systems, processes, system calls, or the network.
  • Monitor audit events for console administrative activities and defender audit events.
Twistlock Dashboard
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.