///Operational and Policy related insights

Operational and Policy related insights

Any lag in your IT security operations can have a significant impact on your performance and reputation, giving your competition the opening it needs to acquire your market share. Monitoring application performance and asset integrity and providing rapid troubleshooting are all essential to keeping your operational health in optimal condition. Information analytics and automation technologies have been shown to improve productivity and reduce costs by helping employees do more with less.

Data usage

This can be applied for both inbound and outbound data usage. Data usage monitoring is one of the fundamental approaches to get an insight into how the network is performing and responding to the external data communication. Any strange behavior displayed by the usage monitoring can hint towards possible congestion, failure, or suspicious activity. The following chart displays the total data, outbound data, and inbound data usage in MB.

Example

Overall outbound data usage

LogPoint SIEM use cases: Overall outbound data usage

Log sources: Firewall

Query

norm_id=* destination_address=* source_address in HOMENET -destination_address IN HOMENET received_datasize=* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB

Usage of printer

Usage of printer services can be regulated by the use of LogPoint to monitor the printing activities. The following chart shows the timeline of how much printing is done every hour along with the number of attempts. Additionally, this also explains the ratio of documents printed per attempt.

Example

Usage of printer service

LogPoint SIEM use cases: Usage of printer

Log sources: Windows Printer

Query

label=Successful label=Document label=Print | timechart count() as Attempts, sum(print_count) as Prints every 1 hour

Password aging users

Organizations enforce password policies that require the resetting of one’s password after every X number of days. This time range can vary depending on the need and security requirements of the organization. However, in many cases, organizations seem to fail to enforce the policies for many different reasons.

Consequently, it is important to monitor if there are any aging passwords in an organization. To achieve this, LogPoint consumes LDAP entries from your directory servers or Domain Controllers. LogPoint queries with powerful mathematical functions can be used to analyze the password’s last set attribute to identify the exact number of days when the password was last reset.

To give an example, the following query uses an LDAP table to check for passwords which are older than 365 days.

Example

Password ageing users

LogPoint SIEM use cases: Password ageing users

Log sources: LDAP

Query

Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>365

Users connecting from multiple sources

Example

Potential shared user accounts

LogPoint SIEM use cases: Potential shared user accounts

Log sources: Windows Server, Other authentication sources

Query

label=User label=Login label=Successful | chart distinct_count(source_address) as UniqueSources by user order by UniqueSources asc limit 10 | search UniqueSources>1