Threat detection

Threat detection is a core feature of LogSentinel SIEM. We support the following elements of threat detection:

Correlation rules for threat detection

You can define rules that specify a sequence of events that triggers an alert. The criteria can span logs from multiple data sources in order to flexibly detect threats. Authentication failures, unusual commands, and firewall (syslog) events above a certain log level are typically used as indicators of an ongoing attack.

Statistical rules for detecting anomalous behavior

You can define rules that detect deviations from the normal flow of data - e.g. more than 2 standard deviations above the normal activity for the past 8 hours, split into 10-minute intervals. These rules can be based on the whole data, or on aggregations - e.g. activities performed by a certain user. Using this feature we automatically monitor for missing logs over a period of time, which would indicate connection problems or collector problems.
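The rule described above, sketched as an added example (not LogSentinel's own code or rule syntax): events are counted per aggregation key in 10-minute buckets, the latest bucket is compared with the mean plus 2 standard deviations of the preceding 8 hours, and a key that goes silent is reported as missing logs. The key names, the `MIN_SIGMA` floor, the "empty latest bucket" test for missing logs and the sample data are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUCKET = timedelta(minutes=10)
WINDOW = timedelta(hours=8)   # baseline: 48 buckets of 10 minutes
SIGMAS = 2                    # alert above mean + 2 standard deviations
MIN_SIGMA = 1.0               # assumption: floor so a flat baseline is not hypersensitive

def split(timestamps, now):
    """Return (48 baseline bucket counts, count in the most recent bucket)."""
    start = now - BUCKET - WINDOW
    counts = [0] * (WINDOW // BUCKET + 1)
    for ts in timestamps:
        if start <= ts < now:
            counts[(ts - start) // BUCKET] += 1
    return counts[:-1], counts[-1]

def evaluate(events, now):
    """events: iterable of (timestamp, key); returns {key: [alert names]}."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    alerts = {}
    for key, stamps in by_key.items():
        baseline, current = split(stamps, now)
        mu, sigma = mean(baseline), max(pstdev(baseline), MIN_SIGMA)
        found = []
        if current > mu + SIGMAS * sigma:
            found.append("spike")
        if current == 0 and mu >= 1:
            found.append("missing_logs")  # key went quiet: collector or connection issue
        if found:
            alerts[key] = found
    return alerts

def sample_events(now):
    """Constructed sample data: two aggregation keys over the last 8h10m."""
    events = []
    for i in range(48):
        t = now - BUCKET - WINDOW + i * BUCKET
        events += [(t + timedelta(seconds=s), "alice") for s in range(4 + i % 3)]
        events += [(t + timedelta(seconds=s), "collector-7") for s in range(20)]
    # Burst from one user in the latest bucket; collector-7 sends nothing in it.
    events += [(now - BUCKET + timedelta(seconds=s), "alice") for s in range(30)]
    return events

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    print(evaluate(sample_events(now), now))
```

Using the population standard deviation keeps the threshold stable for a fixed 48-bucket window; the floor matters for sources that log at a constant rate, where a standard deviation of zero would flag any single extra event.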

Machine learning (unsupervised) for anomaly detection

We use the isolation forest algorithm to detect anomalies in time-series data. Because data sources are very diverse, machine learning models are trained on a per-data-source basis. The algorithm is specifically designed to avoid many false positives, but you still have the option to define a threshold for alerting.

Threat intelligence

We collect threat intelligence from multiple feeds and match the incoming logs against the threat data. Malicious IP addresses and URLs are the most straightforward threat intel data that can be correlated with firewall or router logs to produce an alert. We use at least the following feeds: Emerging Threats, URLHaus, CINSScore, AlienVault OTX, Feodo, Cisco Talos, Spamhaus.

We also support the STIX and TAXII specifications for threat intelligence exchange.

Phishing detection

LogSentinel SIEM provides phishing detection by scanning all emails (preferably sent automatically by a shared inbox and deleted after being scanned) for indicators of phishing. We use a set of heuristics to detect phishing, spearphishing and whaling attacks, including link inspection, content inspection and similarity of brands and images to popular ones. Even if another phishing protection solution is in place, it can always miss something, so a second layer of protection is a great asset.

Website formjacking detection

Attackers are increasingly targeting websites that collect cardholder data by injecting malicious scripts into otherwise trusted JavaScript dependencies. LogSentinel SIEM has a dedicated module for detecting such threats, allowing for a quick response (by cleaning up the injected script).