We will show you how SureLog SIEM can effectively identify and stop malware on the host.
Use case: Malware Dropped to a HOST
• URL link over an email received
• User clicked on it and provided the required information
• User received a LOG-IN notification from a system, he/she was authorized to access
• User reported that she did not log in
For this use case, we will use:
• Mail gateway or sandbox logs which has the URL part of the mail message,
• Proxy or UTM logs
• Authentication logs from servers, databases, network devices, etc..
With SureLog SIEM, security admins have two detection options.
1. Correlation
2. Log investigation.
Correlation
Use Case steps:
• Get URL link from mail gateway log. Ex Fortisandbox,
• Check if there is a request to this URL from proxy logs,
• Check if there is an authentication within 15 minutes with this user account.
Rule Description:
The first part of the rule [GeneralCorrelationObject [1]] collects log from mail gateway(sandbox). The IP of this log source is 10.10.100.211 and checks if the log contains any URL address.
The second part of the rule [GeneralCorrelationObject [2]] collects log from proxy or UTM. The IP of this log source is 10.10.100.1. This part of the rule checks if the logs contain any URL address which was detected on mail gateway logs before.
The third part of the rule [GeneralCorrelationObject [3]] collects log from all the log sources and checks if there is any authentication with the same user.
Log Investigation
Details of log investigation
https://medium.com/@eakbas/how-to-search-billions-of-logs-without-learning-new-script-language-with-surelog-siem-2e33aa38a4dd
