Top 10 use cases for implementation

With the growing demand for SIEM solutions, organisations want answers at hand to any number of security and business challenges that can arise in daily operations.

These are the 10 most popular SIEM use cases and types of behaviour that LogPoint can detect in your infrastructure. If you would like more information about any of these cases, please do not hesitate to contact us. We would love to hear from you!

01 Authentication activities

Authentication activities with added context, such as logins to critical systems and failed login attempts above a given threshold.

LogPoint SIEM Top 10 Successful Logins

Successful logins

norm_id=* label=User label=Login label=Successful -user=*$ host IN CRITICAL_SYSTEM | chart count() by host, user order by count() desc limit 10

LogPoint SIEM Failed Logins Above Threshold

Failed logins above a threshold

norm_id=* label=User label=Login label=Fail -user=*$ user=* | chart count() as "Count" by user order by "Count" desc limit 10 | search "Count">50

02 Account management

Monitoring of user account creation, deletion and other activities in order to track resource and system access rights.

LogPoint SIEM User Account Creation

User account creation

norm_id=WinServer* label=User label=Account label=Management label=Create -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

LogPoint SIEM User Account Deletion

User account deletion

norm_id=WinServer* label=User label=Account label=Management (label=Delete OR label=Remove) -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10

LogPoint SIEM User Account Enabled

User account enabled

norm_id=WinServer* label=User label=Account label=Management label=Enable -target_user=*$ -user=*$ | chart count() by log_ts, domain, user, action, target_user order by count() desc limit 10


03 Connection activities

Monitoring of connection activities to give an overview of the status, origin and direction of network connections. This shows whether a connection was allowed or denied, the hostname, the country of the source and of the destination, and the direction.

LogPoint SIEM Top 10 Allowed Inbound Connection by Location

Allowed inbound connections by location

label=Connection label=Allow -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Allowed Outbound Connection by Location

Allowed outbound connections by location

label=Connection label=Allow source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Denied Inbound Connection by Location

Denied inbound connections by location

label=Connection label=Deny -source_address IN HOMENET source_address=* destination_address IN HOMENET | process geoip(source_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Denied Outbound Connection by Location

Denied outbound connections by location

label=Connection label=Deny source_address IN HOMENET destination_address=* -destination_address IN HOMENET | process geoip(destination_address) as country | chart count() by country order by count() desc limit 10

LogPoint SIEM Top 10 Internal Denied Internal Connection by IP

Denied internal connections by IP/hostname

norm_id=* label=Connection label=Deny source_address=* destination_address=* source_address in HOMENET destination_address in HOMENET | chart count() by source_address, destination_address order by count() desc limit 10

04 Policy-related activities

Monitoring and detection of policy changes such as auditing, authentication, authorisation, filtering and many more.

LogPoint SIEM Password Ageing by User

Password ageing by user

Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>30
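The arithmetic in the query above is easy to get wrong, so here is the same calculation written out in Python. This is an added example, not LogPoint code: Active Directory stores pwdLastSet as a Windows FILETIME (100-nanosecond ticks since 1601-01-01), dividing by 10^7 gives seconds, and subtracting 11644473600 shifts that to the Unix epoch. The AD_Users rows and the "current time" below are constructed for the example; the function names are my own.

```python
from datetime import datetime, timezone

# Constants behind the pwdLastSet arithmetic in the query:
# FILETIME = 100-nanosecond ticks since 1601-01-01 00:00 UTC, so /10^7 gives
# seconds, and 11644473600 is the number of seconds between 1601-01-01 and the
# Unix epoch (1970-01-01).
FILETIME_TICKS_PER_SECOND = 10_000_000
FILETIME_TO_UNIX_OFFSET = 11_644_473_600
SECONDS_PER_DAY = 86_400


def filetime_to_unix(filetime: int) -> float:
    """Convert a Windows FILETIME value to seconds since the Unix epoch."""
    return filetime / FILETIME_TICKS_PER_SECOND - FILETIME_TO_UNIX_OFFSET


def password_age_days(pwd_last_set: int, now_unix: float) -> float:
    """Days elapsed since the password was last set (the query's number_of_days)."""
    return (now_unix - filetime_to_unix(pwd_last_set)) / SECONDS_PER_DAY


def stale_passwords(ad_users, now_unix: float, max_days: int = 30):
    """Return (sAMAccountName, number_of_days, pwdLastSet_ts) for every account
    whose password is older than max_days, oldest first.

    Mirrors the query: rows with pwdLastSet=0 are skipped (0 means "must change
    password at next logon", not "set in 1601"), and the remaining rows are
    filtered on number_of_days > max_days.
    """
    hits = []
    for row in ad_users:
        pls = row.get("pwdLastSet")
        if not pls:  # covers both a missing attribute and pwdLastSet=0
            continue
        days = password_age_days(pls, now_unix)
        if days > max_days:
            hits.append((row["sAMAccountName"], days, filetime_to_unix(pls)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample rows standing in for the AD_Users table (not real data).
# The FILETIME values correspond to 2023-11-01 and 2023-12-20 00:00 UTC.
SAMPLE_AD_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": 133432704000000000},  # 2023-11-01
    {"sAMAccountName": "bob",   "pwdLastSet": 0},                   # must change at next logon
    {"sAMAccountName": "carol", "pwdLastSet": 133475040000000000},  # 2023-12-20
]

# Fixed "current time" so the output is reproducible: 2024-01-01 00:00 UTC.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    for name, days, ts in stale_passwords(SAMPLE_AD_USERS, SAMPLE_NOW):
        last_set = datetime.fromtimestamp(ts, timezone.utc)
        print(f"{name}: password age {days:.0f} days (last set {last_set:%Y-%m-%d})")
```

The pwdLastSet=0 exclusion matters: without the `-pwdLastSet=0` term in the query, every account flagged "user must change password at next logon" would show a password age of more than 400 years and crowd out the real findings.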

LogPoint SIEM Users Authentication from Multiple Sources

User authentication from multiple sources

norm_id=* label=User (label=Login OR label=Authentication) source_address=* -user=*$ user=* | chart distinct_count(source_address) as UniqueSource by user order by UniqueSource desc limit 10 | search UniqueSource>1

05 Threat, malware and vulnerability detection

Activities related to threats, such as indicators of compromise, malware infections and the identification of vulnerable systems.

LogPoint Threat Actor identification widget

Identification of threat indicators

norm_id=* source_address=* -source_address in HOMENET | process ti(source_address) | rename et_category as category, cs_category as category, et_score as score, cs_score as score | chart count() by source_address, category, score order by score desc limit 10

LogPoint SIEM Identification of Vulnerable Sources

Identification of vulnerable sources

(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) (severity=4 OR severity=5) source_address=* | rename title as vulnerability | chart count() by source_address, vulnerability order by count() desc

LogPoint SIEM Failed Malware Cleaning

Failed malware cleaning

norm_id=* label=Malware label=Clean label=Fail malware=* | chart count() by host, malware order by count() desc limit 10


06 Operational insight

Activities related to monitoring day-to-day operations, such as inbound and outbound data usage, or the data usage of specific applications.

LogPoint SIEM Inbound Data Usage

Inbound data usage

norm_id=* source_address=* -source_address in HOMENET destination_address IN HOMENET received_datasize=* -source_address=176.161* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum(received_datasize/1000/1000) as ReceivedMB

LogPoint SIEM Outbound Data Usage

Outbound data usage

norm_id=* destination_address=* source_address in HOMENET -destination_address IN HOMENET received_datasize=* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB

LogPoint SIEM Data Usage by Application

Data usage by application

norm_id=* (label=Connection OR label=Traffic) application=* sent_datasize=* received_datasize=* | chart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB by application order by TotalMB desc

07 Anomalous behaviour

Entity-based profiles use ML techniques to identify malicious behaviour such as data staging, infected hosts or account misuse.

LogPoint SIEM Lateral Movement

Lateral movement and data exfiltration

With LogPoint UEBA, lateral movement can be detected easily, allowing you to contain unauthorised movement in your environment. Receive real-time alerts about unauthorised data transfers in your network, whether the transfer is manual or automated.


08 Alerting and incident response

Any suspicious situation triggers an alert and then initiates the incident management process.

LogPoint SIEM Facilitate Incident Response Mechanism

Making it easier to respond to incidents

LogPoint's incident response integrations provide an automated workflow for enriching events with business context and threat intelligence and for correlating log data with network data, so that evidence can be collected and incidents remediated and responded to effectively.

09 Compliance, regulation and audit

Regulatory compliance and audit requirements such as ISO 27001, GDPR, PCI DSS, HIPAA and many more.

LogPoint SIEM FIM File Integrity Monitoring for PCI DSS

File Integrity Monitoring

norm_id=IntegrityScanner label=Change (label=File OR label=Registry) | rename registry as object, file as object | chart count() by log_ts, host, action, object, prev_hash, hash order by count() desc limit 10


10 Advanced correlation and enrichment

Join and followed-by queries, extended with mathematical operations and aggregations, for correlation-based advanced analytics.

LogPoint SIEM Correlation Between Multiple Data Sources

Correlation between multiple data sources

[norm_id=PaloAltoNetworkFirewall label=Threat source_address IN HOMENET -destination_address IN HOMENET destination_address=* | process ti(destination_address)] as s1 join [(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) source_address=* severity>4] as s2 on s1.source_address=s2.source_address | rename s1.et_ip_address as DestinationAddress, s1.cs_ip_address as DestinationAddress, s2.source_address as SourceAddress, s1.et_category as ThreatCategory, s1.cs_category as ThreatCategory, s1.et_score as ThreatScore, s1.cs_score as ThreatScore, s2.title as VulnerabilityPresent | chart max(ThreatScore) as ThreatScore by SourceAddress, VulnerabilityPresent, DestinationAddress, ThreatCategory order by ThreatScore desc limit 10

LogPoint SIEM Potential Brute Force Attempt

Potential brute force attempt

[10 label=Login label=Fail having same user] as s1 followed by [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user order by count() desc
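To show what the two login-failure detections on this page actually compute, here is a Python implementation of both the "Failed logins above a threshold" query from section 01 and the "followed by" brute-force correlation above. This is an added example and not LogPoint's own code; the normalised events are constructed for the example, the labels are modelled as a set per event, and the function names and the `host` field default are my own.

```python
from collections import defaultdict
from datetime import datetime

# Labels are modelled as a set per event, matching the multi-label filters in the queries.
FAIL = frozenset({"User", "Login", "Fail"})
SUCCESS = frozenset({"User", "Login", "Successful"})


def _event(ts, user, outcome, host="dc01"):
    """Build one constructed, normalised login event (not real LogPoint output)."""
    return {"log_ts": ts, "user": user, "host": host, "label": {"User", "Login", outcome}}


# Constructed sample: alice suffers 12 failures and then logs in (the brute-force
# pattern), bob fails 3 times then succeeds (ordinary mistyping), carol fails 55 times
# with no success, and WS01$ is a machine account that -user=*$ filters out.
SAMPLE_EVENTS = (
    [_event(f"2024-01-10T08:00:{i:02d}", "alice", "Fail") for i in range(12)]
    + [_event("2024-01-10T08:00:30", "alice", "Successful")]
    + [_event(f"2024-01-10T09:00:{i:02d}", "bob", "Fail") for i in range(3)]
    + [_event("2024-01-10T09:00:10", "bob", "Successful")]
    + [_event(f"2024-01-10T10:{i // 60:02d}:{i % 60:02d}", "carol", "Fail") for i in range(55)]
    + [_event(f"2024-01-10T11:{i // 60:02d}:{i % 60:02d}", "WS01$", "Fail") for i in range(60)]
)


def failed_logins_above_threshold(events, threshold=50, limit=10):
    """Section 01, 'Failed logins above a threshold'.

    Equivalent of: label=User label=Login label=Fail -user=*$ | chart count() by user
    order by count() desc limit 10 | search "Count">threshold.
    The query applies the limit before the threshold, so in a busy environment an
    account ranked below the top 10 is never tested; this function keeps that order.
    """
    counts = defaultdict(int)
    for e in events:
        if not FAIL <= e["label"] or e["user"].endswith("$"):
            continue
        counts[e["user"]] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [(user, n) for user, n in ranked if n > threshold]


def brute_force_candidates(events, n_failures=10):
    """Section 10, 'Potential brute force attempt'.

    Equivalent of: [n label=Login label=Fail having same user] as s1 followed by
    [label=Login label=Successful] as s2 on s1.user=s2.user | chart count() by user.
    A streak of at least n_failures consecutive failures for a user, followed by a
    successful login for the same user, counts as one hit.
    """
    streak = defaultdict(int)  # current run of failures per user
    hits = defaultdict(int)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["log_ts"])):
        user = e["user"]
        if FAIL <= e["label"]:
            streak[user] += 1
        elif SUCCESS <= e["label"]:
            if streak[user] >= n_failures:
                hits[user] += 1
            streak[user] = 0
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print("failed logins above threshold:", failed_logins_above_threshold(SAMPLE_EVENTS))
    print("brute-force candidates:", brute_force_candidates(SAMPLE_EVENTS))
```

On the sample data the threshold query surfaces carol (55 failures, no success), while the followed-by correlation surfaces only alice, whose 12 failures end in a successful login. The two detections are complementary: the first catches noisy guessing that never succeeds, the second catches the case that matters most, a success after a run of failures. Neither query bounds the time between the failures and the success, so a streak can accumulate across days; adding a time window is the usual first tuning step.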

LogPoint SIEM Incomplete Sessions

Incomplete sessions

[ label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | fields log_ts, user

LogPoint SIEM Average Session Duration of Completed Sessions

Average session duration of completed sessions

[ label=Login label=Successful] as s1 join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | rename s1.user as user | chart avg(s2.log_ts-s1.log_ts) as duration by user order by duration desc

LogPoint SIEM Incomplete Session Duration

Incomplete session duration

[ label=Login label=Successful] as s1 left join [label=Logoff] as s2 on s1.logon_id=s2.logon_id | search -s2.logon_id=* | rename s1.user as user, s1.log_ts as log_ts | process current_time(a) as time | process diff(time,log_ts) as duration | chart sum(duration) as duration by log_ts, user order by duration desc
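The three session queries above share one building block: a left join of successful logins against logoffs on logon_id, where `search -s2.logon_id=*` keeps only the rows that found no logoff. The Python below, added here as an example and not LogPoint code, implements that join once and derives "Incomplete sessions", "Average session duration of completed sessions" and "Incomplete session duration" from it. The events and logon_id values are constructed, and the "current time" that the query takes from `current_time()` is passed in explicitly so the result is reproducible.

```python
from datetime import datetime, timezone


def _ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 timestamps as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed login/logoff events keyed by logon_id (not real Windows logs).
# 0x1a and 0x1c: alice's completed sessions; 0x2a: bob's completed session;
# 0x1b and 0x3a: sessions that never logged off; 0x9f: a logoff with no matching
# login in the search window, which the left join drops.
SAMPLE_EVENTS = [
    {"log_ts": "2024-01-10T08:00:00", "label": {"User", "Login", "Successful"}, "user": "alice", "logon_id": "0x1a"},
    {"log_ts": "2024-01-10T08:15:00", "label": {"User", "Login", "Successful"}, "user": "bob",   "logon_id": "0x2a"},
    {"log_ts": "2024-01-10T08:45:00", "label": {"User", "Logoff"},              "user": "bob",   "logon_id": "0x2a"},
    {"log_ts": "2024-01-10T09:30:00", "label": {"User", "Logoff"},              "user": "alice", "logon_id": "0x1a"},
    {"log_ts": "2024-01-10T10:00:00", "label": {"User", "Login", "Successful"}, "user": "alice", "logon_id": "0x1c"},
    {"log_ts": "2024-01-10T10:30:00", "label": {"User", "Logoff"},              "user": "alice", "logon_id": "0x1c"},
    {"log_ts": "2024-01-10T12:00:00", "label": {"User", "Login", "Successful"}, "user": "alice", "logon_id": "0x1b"},
    {"log_ts": "2024-01-10T13:00:00", "label": {"User", "Login", "Successful"}, "user": "carol", "logon_id": "0x3a"},
    {"log_ts": "2024-01-10T13:05:00", "label": {"User", "Logoff"},              "user": "dave",  "logon_id": "0x9f"},
]


def left_join_sessions(events):
    """[Login Successful] as s1 left join [Logoff] as s2 on s1.logon_id=s2.logon_id.

    Returns (completed, incomplete): completed holds (user, login_ts, logoff_ts),
    incomplete holds (user, login_ts) for logins whose logon_id has no logoff.
    """
    logins = {e["logon_id"]: e for e in events if {"Login", "Successful"} <= e["label"]}
    logoffs = {e["logon_id"]: e for e in events if "Logoff" in e["label"]}
    completed, incomplete = [], []
    for logon_id, login in logins.items():
        if logon_id in logoffs:
            completed.append((login["user"], login["log_ts"], logoffs[logon_id]["log_ts"]))
        else:
            incomplete.append((login["user"], login["log_ts"]))
    return completed, incomplete


def incomplete_sessions(events):
    """'Incomplete sessions': (log_ts, user) for every login with no matching logoff."""
    _, incomplete = left_join_sessions(events)
    return sorted((ts, user) for user, ts in incomplete)


def average_session_duration(events):
    """'Average session duration of completed sessions', in seconds, longest first."""
    completed, _ = left_join_sessions(events)
    totals = {}
    for user, login_ts, logoff_ts in completed:
        secs = (_ts(logoff_ts) - _ts(login_ts)).total_seconds()
        n, total = totals.get(user, (0, 0.0))
        totals[user] = (n + 1, total + secs)
    averages = [(user, total / n) for user, (n, total) in totals.items()]
    return sorted(averages, key=lambda kv: -kv[1])


def incomplete_session_duration(events, now: str):
    """'Incomplete session duration': seconds each still-open session has been open,
    measured against the supplied current time, longest first."""
    _, incomplete = left_join_sessions(events)
    rows = [(ts, user, (_ts(now) - _ts(ts)).total_seconds()) for user, ts in incomplete]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    print("incomplete:", incomplete_sessions(SAMPLE_EVENTS))
    print("average duration:", average_session_duration(SAMPLE_EVENTS))
    print("open for:", incomplete_session_duration(SAMPLE_EVENTS, "2024-01-10T14:00:00"))
```

Two points to keep in mind when running the real queries: a logoff whose login falls outside the search window is silently dropped by the left join, so widening the window changes which sessions count as incomplete, and Windows logon IDs are only unique until the host reboots, so the join key should in practice be combined with the host.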