Operational and Policy related insights
Morten Dalgaard, 2022-05-10T09:49:15+02:00
Top use cases for security operations
In today’s globalized, digital economy, it’s essential to monitor and guard your company’s data against advanced cyber threats. This is getting increasingly complicated because of too many tools, a shortage of security skills, and alert fatigue. Today’s modern SIEM solutions enable your company to react quickly and precisely in the event of a threat or data leak.
A modern SIEM solution provides management, integration, correlation, and analysis in one place, making it easier to monitor and troubleshoot your IT infrastructure in real time from a single interface. To help you plan your defense strategy, we have created a wide range of use cases with associated Logpoint query examples.
Operational and Policy related insights
Any lag in your IT security operations can have a significant impact on your performance and reputation, giving your competition the opening it needs to acquire your market share. Monitoring application performance and asset integrity and providing rapid troubleshooting are all essential to keeping your operational health in optimal condition. Information analytics and automation technologies have been shown to improve productivity and reduce costs by helping employees do more with less.
Monitoring can be applied to both inbound and outbound data usage. Data usage monitoring is one of the fundamental ways to gain insight into how the network performs and responds to external data communication. Any unusual pattern in the usage figures can hint at congestion, failure, or suspicious activity. The following query charts the total, outbound, and inbound data usage in MB.
Example: Overall outbound data usage
Log sources: Firewall
norm_id=* destination_address=* source_address IN HOMENET -destination_address IN HOMENET received_datasize=* | timechart sum((sent_datasize+received_datasize)/1000/1000) as TotalMB, sum(sent_datasize/1000/1000) as SentMB, sum((received_datasize)/1000/1000) as ReceivedMB
Usage of printer
Printer usage can be kept in check by using LogPoint to monitor printing activity. The following chart shows, hour by hour, how much printing is done along with the number of print attempts. Comparing the two series also gives the ratio of documents printed per attempt.
Example: Usage of printer service
Log sources: Windows Printer
label=Successful label=Document label=Print | timechart count() as Attempts, sum(print_count) as Prints every 1 hour
Password aging users
Organizations enforce password policies that require a password to be reset every X days. This interval varies with the needs and security requirements of the organization. In many cases, however, organizations fail to enforce these policies for a variety of reasons.
Consequently, it is important to monitor whether there are any aging passwords in the organization. To achieve this, LogPoint consumes LDAP entries from your directory servers or Domain Controllers. LogPoint queries with arithmetic functions can then analyze the pwdLastSet attribute to compute how many days ago each password was last reset.
To give an example, the following query uses an LDAP table to check for passwords which are older than 365 days.
Example: Password aging users
Log sources: LDAP
Table AD_Users pwdLastSet=* -pwdLastSet=0 | process current_time(a) as time | chart max((time - (pwdLastSet/10000000 - 11644473600))/60/60/24) as number_of_days, max(pwdLastSet/10000000 - 11644473600) as pwdLastSet_ts by sAMAccountName | search number_of_days>365
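The arithmetic in that query (pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01, so dividing by 10,000,000 and subtracting 11,644,473,600 seconds yields Unix time) is worked through below in Python, as an added example that is not Logpoint's own code. It reproduces the same exclusion of pwdLastSet=0 (password must change at next logon, so there is no age to compute) and the same strict ">365 days" threshold; the account names, timestamps and the fixed "now" are constructed sample data.

```python
from datetime import datetime, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01):
# the same constant the Logpoint query subtracts.
EPOCH_DIFF_SECONDS = 11644473600
# pwdLastSet counts 100-nanosecond intervals, i.e. 10,000,000 ticks per second.
TICKS_PER_SECOND = 10_000_000

def filetime_to_unix(pwd_last_set: int) -> int:
    """AD pwdLastSet (FILETIME ticks) -> Unix epoch seconds (sub-second part dropped)."""
    return pwd_last_set // TICKS_PER_SECOND - EPOCH_DIFF_SECONDS

def unix_to_filetime(unix_ts: int) -> int:
    """Inverse conversion; used here only to build sample directory entries."""
    return (unix_ts + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND

def password_age_days(pwd_last_set: int, now_ts: int) -> float:
    """Mirrors (time - (pwdLastSet/10000000 - 11644473600))/60/60/24 from the query."""
    return (now_ts - filetime_to_unix(pwd_last_set)) / 60 / 60 / 24

def aging_accounts(entries, now_ts: int, max_days: int = 365):
    """Return accounts whose password is older than max_days, skipping pwdLastSet=0
    exactly as the query's -pwdLastSet=0 filter does."""
    flagged = []
    for entry in entries:
        pls = int(entry["pwdLastSet"])
        if pls == 0:          # must change at next logon: no last-set time to age
            continue
        days = password_age_days(pls, now_ts)
        if days > max_days:   # strict comparison, like search number_of_days>365
            flagged.append({
                "sAMAccountName": entry["sAMAccountName"],
                "number_of_days": round(days, 1),
                "pwdLastSet_ts": filetime_to_unix(pls),
            })
    return flagged

# Constructed sample data: a fixed evaluation time and four LDAP-style entries.
NOW_TS = int(datetime(2022, 5, 10, tzinfo=timezone.utc).timestamp())
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "pwdLastSet": unix_to_filetime(NOW_TS - 400 * 86400)},
    {"sAMAccountName": "bob", "pwdLastSet": unix_to_filetime(NOW_TS - 30 * 86400)},
    {"sAMAccountName": "carol", "pwdLastSet": unix_to_filetime(NOW_TS - 365 * 86400)},
    {"sAMAccountName": "svc_backup", "pwdLastSet": 0},
]

if __name__ == "__main__":
    for row in aging_accounts(SAMPLE_ENTRIES, NOW_TS):
        print(row)
```

Only alice is reported: carol sits exactly on the 365-day boundary and the strict comparison leaves her out, and svc_backup is skipped because a zero pwdLastSet carries no timestamp.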
Users connecting from multiple sources
Example: Potential shared user accounts
Log sources: Windows Server, Other authentication sources
label=User label=Login label=Successful | chart distinct_count(source_address) as UniqueSources by user order by UniqueSources desc limit 10 | search UniqueSources>1