Threat detection is a core feature of LogSentinel SIEM. The full user manual on setting up alerts can be found here. We support the following elements of threat detection:
Correlation rules for threat detection¶
You can define rules that can specify a sequence of events that trigger an alert. The criteria can span logs from multiple data sources in order to flexibly detect threats. Authentication failures, unusual commands, firewall (syslog) events above certain log level are typically used as indicators of an ongoing attacks.
Statistical rules for detecting anomalous behavior¶
You can define rules that detect deviations in the normal flow of data - e.g. more than 2 standard deviation above the normal activity for the past 8 hours, split into 10-minute intervals. These rules can be based on the whole data, or on aggregations - e.g. activities performed by a certain user. Using this feature, we automatically monitor for missing logs over a period of time that would indicate connection problems or collector problems.
Machine learning (unsupervised) for anomaly detection¶
We utilized the isolation forest algorithm to detect anomalies in time-series data. As data sources are quite diverse, machine learning models are trained on a per-data source basis. The algorithm is specifically designed to avoid many false positives, but you still have the option to define a threshold for alerting.
We collect threat intelligence from multiple feeds and match the incoming logs to the threat data.
Malicious IP addresses and URLs are the most straightforward threat intel data that can be correlated with firewall or router logs to produce an alert. We also collect malicious domains, URLs, emails and file hashes.
We use at least the following feeds: Anomali Limo, SANS, Emerging Threats, URLHaus, Blocklist.de, Dan.me.uk, CINSScore, AlienVault OTX, Feodo, and many more. They contain indicators of compromise, botnets and data about APTs.
We also support the STIX and TAXII specifications for threat intelligence exchange. You can add custom feeds in the Management -> TAXII feeds page. Feeds can be imported from plain-text formats as well.
Whenever an indicator of compromise obtained from a threat feed is matched to one or more events, an alert is created. Customers can configure which threat feeds are matched for each data source.
Publishing threat intelligence¶
We also allow you to publish threat intelligence for each confirmed alert in two ways:
- A TAXII feed available for clients through the API
- Pushing indicators to a TAXII server
LogSentinel SIEM provides phishing detection by scanning all emails (preferably sent automatically by a shared inbox and deleted after being scanned) for indicators of phishing. We use a set of heuristics to detect phishing, spear phishing and whaling attacks, including link inspection, content inspection and similarity of brands and images to popular ones. Even if you already have a phishing protection solution, chances are it will miss a phishing attempt, so a 2nd layer of protection may save the day.
Website integrity monitoring (formjacking detection)¶
Leaked credentials notification¶
Get alerted whenever the credentials of any employee get leacked online, regardless of which service was used, as long as there’s an email match. Configure which Exchange groups should be monitored in our Collector and we'll automatically notify you in case of credential breaches.