
Threat detection

Threat detection is a core feature of LogSentinel SIEM. The full user manual on setting up alerts can be found here. We support the following elements of threat detection:

Correlation rules for threat detection

You can define rules that specify a sequence of events which triggers an alert. The criteria can span logs from multiple data sources in order to detect threats flexibly. Authentication failures, unusual commands, and firewall (syslog) events above a certain log level are typically used as indicators of an ongoing attack.
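The following is an added example, not LogSentinel's own rule engine or rule syntax: it shows what a cross-source sequence rule looks like in code. A rule is a list of steps, each a predicate on a normalised event with an optional minimum count, that must be satisfied in order within a time window for events sharing a correlation key (here the source IP). The events, data source names ("firewall", "sshd") and event kinds are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Normalised event as a collector might emit it. Fields: timestamp, data source,
# event kind, source IP, user. All sample values below are constructed.
@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    src_ip: str
    user: str = ""

def T(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")

EVENTS = [
    # A scan, three failed logins and then a success from the same IP within 10 minutes.
    Event(T("10:00"), "firewall", "portscan", "10.0.0.5"),
    Event(T("10:01"), "sshd", "auth_failure", "10.0.0.5", "root"),
    Event(T("10:01"), "sshd", "auth_failure", "10.0.0.5", "admin"),
    Event(T("10:02"), "sshd", "auth_failure", "10.0.0.5", "alice"),
    Event(T("10:03"), "sshd", "auth_success", "10.0.0.5", "alice"),
    # Only two failures and no scan: below the rule's threshold.
    Event(T("10:00"), "sshd", "auth_failure", "10.0.0.9", "bob"),
    Event(T("10:00"), "sshd", "auth_failure", "10.0.0.9", "bob"),
    Event(T("10:05"), "sshd", "auth_success", "10.0.0.9", "bob"),
    # The full sequence, but spread over longer than the rule window.
    Event(T("09:00"), "firewall", "portscan", "10.0.0.7"),
    Event(T("09:30"), "sshd", "auth_failure", "10.0.0.7", "root"),
    Event(T("09:31"), "sshd", "auth_failure", "10.0.0.7", "root"),
    Event(T("09:32"), "sshd", "auth_failure", "10.0.0.7", "root"),
    Event(T("09:33"), "sshd", "auth_success", "10.0.0.7", "root"),
]

@dataclass
class Step:
    matches: Callable[[Event], bool]   # predicate on a single event
    min_count: int = 1                 # matching events needed to complete the step

@dataclass
class SequenceRule:
    name: str
    key: Callable[[Event], str]        # correlation key shared by the events, e.g. source IP
    steps: List[Step]                  # must be satisfied in this order
    window: timedelta                  # the whole sequence must fit in this window

def correlate(rule: SequenceRule, events: List[Event]) -> List[Dict]:
    """Return one alert per correlation key whose events satisfy every step, in order, within the window."""
    by_key: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_key.setdefault(rule.key(ev), []).append(ev)
    alerts: List[Dict] = []
    for key, evs in by_key.items():
        for i, start in enumerate(evs):
            if not rule.steps[0].matches(start):
                continue                     # a sequence can only begin at a step-1 event
            deadline = start.ts + rule.window
            step, seen = 0, 0
            for ev in evs[i:]:
                if ev.ts > deadline:
                    break                    # window expired without completing the sequence
                if rule.steps[step].matches(ev):
                    seen += 1
                    if seen >= rule.steps[step].min_count:
                        step, seen = step + 1, 0
                        if step == len(rule.steps):
                            alerts.append({"rule": rule.name, "key": key,
                                           "first": start.ts.isoformat(), "last": ev.ts.isoformat()})
                            break
            if alerts and alerts[-1]["key"] == key:
                break                        # one alert per key is enough
    return alerts

# Hypothetical rule: port scan, then at least 3 SSH failures, then an SSH success, all
# from one source IP within 10 minutes.
BRUTE_FORCE_AFTER_SCAN = SequenceRule(
    name="port scan followed by brute force and successful login",
    key=lambda e: e.src_ip,
    steps=[
        Step(lambda e: e.source == "firewall" and e.kind == "portscan"),
        Step(lambda e: e.source == "sshd" and e.kind == "auth_failure", min_count=3),
        Step(lambda e: e.source == "sshd" and e.kind == "auth_success"),
    ],
    window=timedelta(minutes=10),
)

def run_example() -> List[Dict]:
    return correlate(BRUTE_FORCE_AFTER_SCAN, EVENTS)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only 10.0.0.5 produces an alert: 10.0.0.9 never satisfies the first step or the failure count, and 10.0.0.7 completes the sequence outside the window. Sorting by timestamp before correlating matters in practice because events from different collectors rarely arrive in order.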

Statistical rules for detecting anomalous behavior

You can define rules that detect deviations from the normal flow of data, e.g. more than 2 standard deviations above the normal activity for the past 8 hours, split into 10-minute intervals. These rules can be based on the whole data or on aggregations, e.g. activities performed by a certain user. Using this feature we also automatically monitor for missing logs over a period of time, which would indicate connection or collector problems.
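As an added illustration (not LogSentinel's implementation), the check described above carried through in code: events are bucketed into 10-minute intervals over the last 8 hours, the newest bucket is compared against the mean and standard deviation of the earlier ones, and a trailing run of empty buckets is reported as a missing-log condition. The timestamps and per-bucket volumes are constructed; to apply the same rule to an aggregation such as one user, pass only that user's timestamps.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Callable, Dict, List, Tuple

BUCKET = timedelta(minutes=10)
LOOKBACK = timedelta(hours=8)          # 48 buckets of 10 minutes
N_BUCKETS = int(LOOKBACK // BUCKET)

def bucket_counts(timestamps: List[datetime], end: datetime) -> List[int]:
    """Count events per 10-minute bucket over the 8 hours ending at `end`."""
    start = end - LOOKBACK
    counts = [0] * N_BUCKETS
    for ts in timestamps:
        if start <= ts < end:
            counts[int((ts - start) // BUCKET)] += 1
    return counts

def deviation_alert(counts: List[int], sigmas: float = 2.0) -> Tuple[bool, float, float]:
    """Flag the newest bucket if it exceeds mean + sigmas * stdev of the earlier buckets.
    Returns (is_anomalous, mean, stdev)."""
    history, current = counts[:-1], counts[-1]
    mu, sigma = mean(history), pstdev(history)
    return current > mu + sigmas * sigma, mu, sigma

def silent_buckets(counts: List[int]) -> int:
    """Trailing buckets with no events at all. A run of these points at a broken
    collector or connection rather than a genuinely quiet source."""
    n = 0
    for c in reversed(counts):
        if c:
            break
        n += 1
    return n

# Constructed sample data: END and the per-bucket volumes are made up for the demo.
END = datetime(2024, 5, 1, 16, 0)
START = END - LOOKBACK

def synth(volume: Callable[[int], int]) -> List[datetime]:
    """Place volume(i) events, 5 seconds apart, inside bucket i for every bucket."""
    return [START + i * BUCKET + timedelta(seconds=5 * j)
            for i in range(N_BUCKETS) for j in range(volume(i))]

# "app": a steady 5-7 events per bucket, then 40 in the latest bucket.
APP_EVENTS = synth(lambda i: 40 if i == N_BUCKETS - 1 else 5 + i % 3)
# "collector-b": a steady 3 per bucket, then nothing for the last three buckets.
COLLECTOR_B_EVENTS = synth(lambda i: 0 if i >= N_BUCKETS - 3 else 3)

def run_example() -> Dict[str, object]:
    app = bucket_counts(APP_EVENTS, END)
    spike, mu, sigma = deviation_alert(app)
    return {
        "app_spike": spike,
        "app_threshold": round(mu + 2 * sigma, 2),
        "app_latest": app[-1],
        "collector_b_silent": silent_buckets(bucket_counts(COLLECTOR_B_EVENTS, END)),
    }

if __name__ == "__main__":
    print(run_example())
```

With these inputs the "app" threshold lands near 7.6 events per bucket, so the latest bucket of 40 is flagged, while "collector-b" reports three silent buckets (30 minutes without data). Note that a near-constant history gives a tiny standard deviation, so a 2-sigma rule on very regular sources can fire on small absolute changes; a minimum absolute delta is a common additional condition.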

Machine learning (unsupervised) for anomaly detection

We use the isolation forest algorithm to detect anomalies in time-series data. As data sources are quite diverse, machine learning models are trained per data source. The algorithm is specifically designed to avoid many false positives, but you still have the option to define a threshold for alerting.

Threat intelligence

We collect threat intelligence from multiple feeds and match the incoming logs to the threat data.

Malicious IP addresses and URLs are the most straightforward threat intel data that can be correlated with firewall or router logs to produce an alert. We also collect malicious domains, URLs, emails and file hashes.

We use at least the following feeds: Anomali Limo, SANS, Emerging Threats, URLHaus, Blocklist.de, Dan.me.uk, CINSScore, AlienVault OTX, Feodo, and many more. They contain indicators of compromise, botnets and data about APTs.

We also support the STIX and TAXII specifications for threat intelligence exchange. You can add custom feeds in the Management -> TAXII feeds page. Feeds can be imported from plain-text formats as well.

Whenever an indicator of compromise obtained from a threat feed is matched to one or more events, an alert is created. Customers can configure which threat feeds are matched for each data source.
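The matching step described in the paragraphs above, as an added example rather than LogSentinel's code: plain-text feeds (one indicator per line, comments allowed) are parsed into typed indicators (IP, domain, SHA-256), merged into one index that remembers which feeds list each value, and then incoming log lines are scanned for candidate tokens and looked up. The per-data-source feed configuration (`SOURCE_FEEDS`), the feed names, the indicator values (documentation ranges and reserved test domains) and the log lines are all constructed.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample feeds in plain-text form. The values are documentation
# ranges, reserved test domains and the SHA-256 of the empty string: not real indicators.
FEEDS = {
    "demo-ip-feed": "# bad sources\n203.0.113.10\n198.51.100.77 ; seen in scans\n",
    "demo-domain-feed": "bad-example.test\nEVIL-login.example\n",
    "demo-hash-feed": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n",
}
# Hypothetical per-source configuration: which feeds are matched against which data source.
SOURCE_FEEDS = {
    "firewall": ["demo-ip-feed"],
    "dns": ["demo-domain-feed"],
    "proxy": ["demo-ip-feed", "demo-domain-feed"],
    "edr": ["demo-hash-feed"],
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def parse_feed(text: str) -> Dict[str, str]:
    """Return {indicator: type} from a plain-text feed; '#' and ';' start comments."""
    iocs: Dict[str, str] = {}
    for raw in text.splitlines():
        token = re.split(r"[#;]", raw, 1)[0].strip()
        if not token:
            continue
        try:
            iocs[str(ipaddress.ip_address(token))] = "ip"   # normalises the textual form
            continue
        except ValueError:
            pass
        if SHA256_RE.match(token):
            iocs[token.lower()] = "sha256"
        elif DOMAIN_RE.match(token):
            iocs[token.lower()] = "domain"
    return iocs

def build_index(feeds: Dict[str, str]) -> Dict[str, Tuple[str, Set[str]]]:
    """Merge all feeds into {indicator: (type, {feed names that list it})}."""
    index: Dict[str, Tuple[str, Set[str]]] = {}
    for name, text in feeds.items():
        for ioc, kind in parse_feed(text).items():
            index.setdefault(ioc, (kind, set()))[1].add(name)
    return index

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def candidates(line: str) -> Set[str]:
    """Every token in a log line that could be an indicator."""
    return (set(IPV4_RE.findall(line))
            | {h.lower() for h in HOST_RE.findall(line)}
            | {h.lower() for h in HASH_RE.findall(line)})

def match_logs(index: Dict[str, Tuple[str, Set[str]]], logs: List[Tuple[str, str]]) -> List[Dict]:
    """One alert per (log line, indicator) hit, honouring the per-source feed configuration."""
    alerts: List[Dict] = []
    for source, line in logs:
        allowed = set(SOURCE_FEEDS.get(source, []))
        for token in sorted(candidates(line) & set(index)):
            kind, feeds = index[token]
            hits = feeds & allowed
            if hits:
                alerts.append({"source": source, "indicator": token,
                               "type": kind, "feeds": sorted(hits)})
    return alerts

LOGS = [  # constructed sample lines, one per data source
    ("firewall", "May  1 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.10 DST=10.0.0.4 PROTO=TCP DPT=445"),
    ("firewall", "May  1 10:00:02 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.8 DST=10.0.0.4 PROTO=TCP DPT=443"),
    ("dns", "May  1 10:00:03 ns1 named: client 10.0.0.12#5353: query: evil-login.example IN A"),
    ("proxy", "May  1 10:00:04 proxy1 squid: 10.0.0.20 TCP_MISS/200 GET http://198.51.100.77/update.bin"),
    ("vpn", "May  1 10:00:05 vpn1 openvpn: peer 203.0.113.10 connected"),   # no feeds configured for vpn
    ("edr", "May  1 10:00:06 host7 edr: file sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 created"),
]

def run_example() -> List[Dict]:
    return match_logs(build_index(FEEDS), LOGS)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Four of the six lines produce alerts; the VPN line contains a listed IP but no feed is configured for that source, which is the per-data-source behaviour the text describes. Keeping the feed names on each alert is what makes a confirmed hit publishable back out as an indicator with its provenance.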

Publishing threat intelligence

We also allow you to publish threat intelligence for each confirmed alert in two ways:

  • A TAXII feed available for clients through the API
  • Pushing indicators to a TAXII server

Phishing detection

LogSentinel SIEM provides phishing detection by scanning all emails (preferably sent automatically by a shared inbox and deleted after being scanned) for indicators of phishing. We use a set of heuristics to detect phishing, spearphishing and whaling attacks, including link inspection, content inspection and similarity of brands and images to popular ones. Even if you already have a phishing protection solution, chances are it will miss a phishing attempt, so a second layer of protection may save the day.

Website integrity monitoring (formjacking detection)

Attackers are increasingly targeting websites that collect cardholder data by injecting malicious scripts into otherwise trusted JavaScript dependencies. LogSentinel SIEM has a dedicated module for detecting such threats, allowing for a quick response (by cleaning up the injected script). For more details, check the "Website integrity monitoring" section.
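An added example of the baseline-comparison approach to this problem; it is an assumption about how such a check can be built, not a description of LogSentinel's module. A snapshot records a hash for every script a payment page loads (external dependencies by fetching their body, inline scripts by position), and a later snapshot is diffed against the baseline to report modified, added and removed scripts. The page HTML, script URLs and script bodies are constructed stand-ins; the `fetch` callable replaces a real HTTP client so the example runs offline.

```python
import hashlib
from html.parser import HTMLParser
from typing import Callable, Dict, List

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._buf = None          # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def snapshot(page_html: str, fetch: Callable[[str], str]) -> Dict[str, str]:
    """Hash every script the page loads: external ones via fetch(url), inline ones by position."""
    c = ScriptCollector()
    c.feed(page_html)
    snap = {src: sha256(fetch(src)) for src in c.external}
    for i, body in enumerate(c.inline):
        snap[f"inline#{i}"] = sha256(body)
    return snap

def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Scripts whose content changed, scripts that appeared, scripts that disappeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

# Constructed stand-ins for a checkout page and its dependencies at baseline time and
# at a later check. The "modified" body only carries a harmless appended comment.
PAGE_BASELINE = """<html><body>
<script src="https://cdn.example/jquery.js"></script>
<script src="/static/checkout.js"></script>
<script>window.config = {currency: "EUR"};</script>
<form id="card"></form></body></html>"""
SCRIPTS_BASELINE = {
    "https://cdn.example/jquery.js": "function $(){}",
    "/static/checkout.js": "function submitCard(){}",
}
PAGE_NOW = PAGE_BASELINE.replace(
    "<form", '<script src="https://cdn.example/extra.js"></script>\n<form')
SCRIPTS_NOW = dict(SCRIPTS_BASELINE)
SCRIPTS_NOW["https://cdn.example/jquery.js"] += "\n// unexpected appended content"
SCRIPTS_NOW["https://cdn.example/extra.js"] = "// previously unknown dependency"

def run_example() -> Dict[str, List[str]]:
    baseline = snapshot(PAGE_BASELINE, SCRIPTS_BASELINE.__getitem__)
    current = snapshot(PAGE_NOW, SCRIPTS_NOW.__getitem__)
    return diff_snapshots(baseline, current)

if __name__ == "__main__":
    print(run_example())
```

The diff reports the altered CDN dependency and the new script tag while the unchanged inline configuration block is silent. In a real deployment the baseline is refreshed only after a reviewed deploy, and third-party scripts that legitimately change often are the noisiest part of this check.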

Leaked credentials notification

Get alerted whenever the credentials of any employee are leaked online, regardless of which service was used, as long as there's an email match. Configure which Exchange groups should be monitored in our Collector and we'll automatically notify you in case of a credential breach.