Top use cases for security operations

Top Use Cases

In today's globalised digital economy it is essential to monitor and protect your company's data against advanced cyber threats. This keeps getting harder because of tool sprawl, a shortage of security skills and alert fatigue. A modern SIEM solution lets your company respond quickly and precisely when a threat or data breach occurs.

A modern SIEM solution provides management, integration, correlation and analysis in one place, which makes it easier to monitor and troubleshoot your IT infrastructure in real time from a single interface. To help you plan your defence strategy, we have put together a broad set of use cases with accompanying Logpoint examples.

Threat Hunting Demonstration

As the demand for more intelligent modern SIEM solutions grows, companies expect actionable answers to a wide range of security and business questions right at their fingertips. LogPoint's threat hunting capabilities, including advanced analytics, enrichment, correlation, UEBA and reporting, let you strengthen your overall security posture from a single interface.

LogPoint's incident response integrations provide automated workflows for business-context enrichment, threat intelligence, and correlation of log data with network data. Built around your organisation's own workflow, they let your security team gather evidence, build the case and remediate efficiently.

Setting the scene

Example: File infections detected

Query
label=Detect label=File label=Infection | chart count() by sender,sender_domain,hash,receiver

Drill down on the first row and identify the checksum (the hash field).

Look the checksum up on VirusTotal to confirm whether the file is known malicious.

Conclusion

Raise the flag: further investigation is required to determine the impact of the infection.

Raise flag

Create an incident for follow up.

Investigation

Apply the identified hash as the filter.

Pick each user associated with the recipient emails.

User Rita shows failed login attempts to various servers.

Go to the search page to see the details.

Example: Failed login attempt for specific user

Query
label=Login label=Fail user="rita.mm" | chart count() by source_address,workstation,user,host order by count() desc

Pick one of the source IPs used by user Rita and check whether there are further failed attempts from it.

We observe four failed attempts from source 192.168.2.101.

Example: Failed login attempt for specific source

Drill down on this event.

We observe a disabled account attempting to log in to the Domain Controller: sub-status code 0xC0000072 in the Windows logon-failure event means the logon failed because the account is disabled.
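The two failed-login queries above (chart by source, workstation, user and host; then drill down on one source and read the sub-status) can be reproduced outside the SIEM. The Python below is an added example, not Logpoint's code or query language: it parses a few constructed key=value log lines that imitate normalised Windows 4625 events (the field name `sub_status` and all addresses, hosts and users are assumptions for the example), aggregates the failures the way the `chart count() by ... order by count() desc` query does, and decodes the NTSTATUS sub-status codes Windows documents for event 4625.

```python
import re
from collections import Counter

# Constructed sample log lines (not real data) in a LogPoint-style key=value
# layout, imitating normalised Windows 4625 logon-failure events. The field
# name sub_status is an assumption made for this example.
SAMPLE_LOGS = """\
label=Login label=Fail user="rita.mm" source_address=192.168.2.101 workstation=WS-17 host=DC01 sub_status=0xC0000072
label=Login label=Fail user="rita.mm" source_address=192.168.2.101 workstation=WS-17 host=DC01 sub_status=0xC0000072
label=Login label=Fail user="rita.mm" source_address=192.168.2.101 workstation=WS-17 host=DC01 sub_status=0xC0000072
label=Login label=Fail user="rita.mm" source_address=192.168.2.101 workstation=WS-17 host=DC01 sub_status=0xC0000072
label=Login label=Fail user="rita.mm" source_address=10.0.5.23 workstation=LAPTOP-RM host=DC01 sub_status=0xC000006A
label=Login label=Fail user="bob.k" source_address=192.168.2.101 workstation=WS-17 host=DC01 sub_status=0xC0000064
label=Login label=Success user="rita.mm" source_address=10.0.5.23 workstation=LAPTOP-RM host=DC01
"""

# NTSTATUS sub-status codes that Windows reports in event 4625.
SUBSTATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC000006F": "logon outside permitted hours",
    "0xC0000070": "logon from unauthorised workstation",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
    "0xC0000193": "account expired",
    "0xC0000234": "account locked out",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value line; repeated 'label' keys are collected into a set."""
    event = {"labels": set()}
    for key, value in KV_RE.findall(line):
        value = value.strip('"')
        if key == "label":
            event["labels"].add(value)
        else:
            event[key] = value
    return event


def load_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def chart_failed_logins(events, user):
    """Equivalent of: label=Login label=Fail user=<user>
    | chart count() by source_address,workstation,user,host order by count() desc"""
    counts = Counter()
    for e in events:
        if {"Login", "Fail"} <= e["labels"] and e.get("user") == user:
            key = (e.get("source_address"), e.get("workstation"), e.get("user"), e.get("host"))
            counts[key] += 1
    return counts.most_common()


def drill_down_source(events, user, source):
    """Drill down on one source: (attempt count, decoded failure reasons)."""
    reasons = Counter()
    for e in events:
        if ({"Login", "Fail"} <= e["labels"] and e.get("user") == user
                and e.get("source_address") == source):
            code = e.get("sub_status", "")
            reasons[SUBSTATUS.get(code, f"unknown sub-status {code}")] += 1
    return sum(reasons.values()), dict(reasons)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOGS)
    for row, n in chart_failed_logins(evs, "rita.mm"):
        print(n, *row)
    print(drill_down_source(evs, "rita.mm", "192.168.2.101"))
```

The drill-down returns the decoded reason next to the count, which is the check that turns "four failures from 192.168.2.101" into "four attempts against a disabled account": a wrong-password burst and a disabled-account burst from the same source call for different follow-up.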

Now we go back to the search template to check for IOCs associated with source 192.168.2.101.

We drill down on category “Malware Command And Control” to check other source addresses associated with it.

Example: Threat indicators for malware command and control

Query
category="Malware Command And Control" | chart count() by source_address

Remediation/Reporting

During the investigation we establish that user Rita is compromised and her account should be disabled, while user Rob's account should be deleted if it is not going to be re-enabled in the future.

Carry out further investigation of the incident to check whether any of the identified threat indicators were active in the past.

Threat indicators for malware command and control appended to list

Query
category="Malware Command And Control" | chart count() by destination_address | process toList(ACTIVE_IOCS,destination_address)

Search historical events for any activities associated with the IPs in the ACTIVE_IOCS list.

The infected systems should be cleaned and the firewall rules should be updated to block connections to the Command and Control servers.

Example: Entities observed in list of threat indicators

Query
source_address IN ACTIVE_IOCS OR destination_address IN ACTIVE_IOCS
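The last three queries form one pipeline: chart the Command and Control destinations, append them to the ACTIVE_IOCS list, then sweep historical events for any source or destination in that list. The Python below is an added example of that pipeline and is not Logpoint's code; it works on constructed event records (the categories, addresses and timestamps are invented for the example, using documentation address ranges) and also derives the internal hosts that talked to an indicator, which is the list of systems to clean.

```python
from collections import Counter

# Constructed records (not real data): normalised events carrying the fields
# the Logpoint queries on this page use.
THREAT_EVENTS = [
    {"category": "Malware Command And Control", "source_address": "192.168.2.101", "destination_address": "203.0.113.45"},
    {"category": "Malware Command And Control", "source_address": "192.168.2.101", "destination_address": "203.0.113.45"},
    {"category": "Malware Command And Control", "source_address": "192.168.2.140", "destination_address": "198.51.100.7"},
    {"category": "Phishing", "source_address": "192.168.2.140", "destination_address": "198.51.100.9"},
]

# Constructed historical firewall flows to sweep against the indicator list.
HISTORICAL_EVENTS = [
    {"ts": "2021-03-01T08:12:00Z", "source_address": "192.168.2.57", "destination_address": "203.0.113.45", "action": "allowed"},
    {"ts": "2021-03-02T19:40:00Z", "source_address": "198.51.100.7", "destination_address": "192.168.2.10", "action": "allowed"},
    {"ts": "2021-03-03T11:05:00Z", "source_address": "192.168.2.57", "destination_address": "93.184.216.34", "action": "allowed"},
]


def chart_by(events, field, **where):
    """count() by <field> over the events matching the equality filters in `where`."""
    return Counter(e[field] for e in events
                   if all(e.get(k) == v for k, v in where.items()))


def to_list(events, field, **where):
    """Like | process toList(<list>, <field>): the distinct values as a set."""
    return set(chart_by(events, field, **where))


def entities_in_list(events, iocs):
    """Equivalent of: source_address IN ACTIVE_IOCS OR destination_address IN ACTIVE_IOCS"""
    return [e for e in events
            if e.get("source_address") in iocs or e.get("destination_address") in iocs]


def affected_hosts(hits, iocs):
    """The non-indicator side of each matched flow: the internal systems to clean."""
    hosts = set()
    for e in hits:
        if e["destination_address"] in iocs:
            hosts.add(e["source_address"])
        if e["source_address"] in iocs:
            hosts.add(e["destination_address"])
    return hosts


def block_rules(iocs):
    """Illustrative iptables egress-block lines, one per indicator (assumed rule style)."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(iocs)]


if __name__ == "__main__":
    c2 = {"category": "Malware Command And Control"}
    print(chart_by(THREAT_EVENTS, "source_address", **c2))
    active_iocs = to_list(THREAT_EVENTS, "destination_address", **c2)
    hits = entities_in_list(HISTORICAL_EVENTS, active_iocs)
    print(hits)
    print(affected_hosts(hits, active_iocs))
    print("\n".join(block_rules(active_iocs)))
```

Note that the sweep checks both directions: the second historical flow is inbound from an indicator to 192.168.2.10, which a destination-only match would miss, and that host lands on the clean-up list only because the source side is checked too.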