A SIEM's power lies in its correlation, and SureLog has advanced threat detection capabilities.
SureLog combines alerts, advanced correlations, profiles and user behavior rules to detect threats. A SIEM can also help with GDPR compliance by providing visibility into log data, raising breach notifications, monitoring essential changes to credentials, identifying events related to personal data, auditing changes to personal data, and generating reports.
The list below gives sample use cases from the SureLog correlation library:
1. If a user is in the administrator group and fails to authenticate to a server on the critical-servers list, then monitor that user for a successful authentication to the same critical server within the next thirty minutes. If no successful authentication occurs, notify.
2. Users and allowed IPs are updated periodically according to access control policies. If a user successfully authenticates to a database holding PII data from an IP that is not among that user's allowed IPs, then notify.
3. A user logs in via LAN and simultaneously connects to the VPN from a different geolocation.
4. Warn if 5 failed logon attempts with different usernames are made from the same IP to the same machine within 15 minutes and, after that, a successful login occurs from the same IP to any machine.
5. Warn if a host scan is made by an IP, then a successful connection is established by the same IP, and then a backward connection is established from the connected IP to the connecting IP.
6. Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.
7. Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.
8. Warn if the same user makes more than three failed logon attempts to the same machine in an hour.
9. Warn if a user cannot log into a server, causing a failed authentication, and within two hours still cannot log into the same server.
10. Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each one, you expose yourself to a DDoS attack of your own.)
11. Report the source IP that causes UnusualUDPTraffic.
12. Warn if traffic occurs to or from a source on the IPReputation list.
13. Warn if network traffic occurs from or to a source on the malicious link list published by TRCERT (Turkey Computer Emergency Response Team).
14. To find out whether someone has set up a DHCP server in your network or a different gateway is broadcasting: warn if traffic occurs from inside to outside or from outside to inside whose protocol is UDP, whose destination port is 67, and whose destination IP is not in the registered IP list.
15. Warn if an IP scan occurs.
16. Warn if a SQL attack occurs via the web server.
17. Warn if the servers are accessed out of hours.
18. Warn if the same user makes more than three failed logon attempts to different machines in a minute.
19. Warn if an attack is followed by an account change.
20. Warn if a scan is followed by an attack.
21. Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.
22. Look for a new account being created, followed by immediate authentication activity from that same account; this would detect a backdoor account being created and then used to telnet back into the system.
23. Monitor the same source having excessive logon failures at distinct hosts.
24. Check whether the source of an attack was previously the destination of an attack (within 15 minutes).
25. Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP.
26. Look for a new account being created, followed shortly by access/authentication failure activity from the same account.
27. Monitor system access outside of business hours.
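Use case 4 above (distinct-username failures from one IP, then a success from that IP) as a worked stateful correlation, written as an added example rather than SureLog's own rule syntax; the event tuple layout, the sample log records and the function name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from any real log):
# (timestamp, source IP, username, target host, outcome)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "10.0.0.7", "alice", "srv-db01", "failure"),
    ("2024-03-01T09:01:10", "10.0.0.7", "bob", "srv-db01", "failure"),
    ("2024-03-01T09:02:30", "10.0.0.7", "carol", "srv-db01", "failure"),
    ("2024-03-01T09:03:00", "10.0.0.7", "dave", "srv-db01", "failure"),
    ("2024-03-01T09:04:45", "10.0.0.7", "erin", "srv-db01", "failure"),
    ("2024-03-01T09:09:00", "10.0.0.7", "erin", "srv-web02", "success"),  # should alert
    ("2024-03-01T09:30:00", "10.0.0.9", "alice", "srv-db01", "failure"),
    ("2024-03-01T09:31:00", "10.0.0.9", "alice", "srv-db01", "success"),  # single failure: no alert
    ("2024-03-01T09:00:00", "10.0.0.11", "u1", "srv-db01", "failure"),
    ("2024-03-01T09:05:00", "10.0.0.11", "u2", "srv-db01", "failure"),
    ("2024-03-01T09:10:00", "10.0.0.11", "u3", "srv-db01", "failure"),
    ("2024-03-01T09:15:00", "10.0.0.11", "u4", "srv-db01", "failure"),
    ("2024-03-01T09:20:00", "10.0.0.11", "u5", "srv-db01", "failure"),   # spread over 20 min
    ("2024-03-01T09:25:00", "10.0.0.11", "u5", "srv-web02", "success"),  # window expired: no alert
]


def correlate_spray_then_success(events, threshold=5, window=timedelta(minutes=15)):
    """Return alerts as (src_ip, success_time, host, users) whenever a source IP
    produces `threshold` failures with distinct usernames against one host inside
    `window`, and later logs in successfully from that IP to any host."""
    failures = defaultdict(deque)  # (src_ip, host) -> deque of (ts, user) in the window
    armed = {}                     # src_ip -> (armed_at, host, users) once a spray was seen
    alerts = []
    for ts_str, src, user, host, outcome in sorted(events):  # sort by timestamp
        ts = datetime.fromisoformat(ts_str)
        if outcome == "failure":
            q = failures[(src, host)]
            q.append((ts, user))
            while q and ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= threshold:
                armed[src] = (ts, host, users)
        elif outcome == "success" and src in armed:
            _armed_at, _spray_host, users = armed.pop(src)
            alerts.append((src, ts_str, host, sorted(users)))
    return alerts


if __name__ == "__main__":
    for alert in correlate_spray_then_success(SAMPLE_EVENTS):
        print("ALERT spray-then-success:", alert)
```

The sliding window keeps per-(source, host) state only as long as the rule needs it, which is what prevents a rule like this from turning a high-volume failure stream into the alert flood that use case 10 warns about.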