A SIEM’s power is in its correlation. LOGTITAN has advanced threat detection capabilities.
LOGTITAN combines alerts, advanced correlations, profiles, user behavior rules to detect threats.
Below list is sample use cases from LOGTITAN correlation library:
- If a user is in the administrator group and trying to authenticate to a server within a very critical servers list and failed, then monitor the same user for successful authentication to the same critical server within the next thirty minutes. If there is no successful authentication, notify.
- Users and Allowed IPs are updating periodically according to Access Control Policies. And if a user is not coming from this user’s allowed IPs and successfully authenticated to a DB with PII data, then notify.
- A user logged via LAN and simultaneously connected to VPN from a different geolocation.
- Warn if 5 failed login attempts are tried with different usernames from the same IP to the same machine in 15 minutes and after that, if a successful login occurs from the same IP to any machine.
- Warn if a host scan is made by an IP and then if a successful connection is established by the same IP and then backward connection is established from connected IP to connecting IP.
- Warn if more than 100 connections are established from the different external IPs to the same destination IP in one minute.
- Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.
- Warn if the same user tries more than three failed login attempts to the same machine in an hour.
- Warn if a user can’t log into any server and caused failed authentication and in two hours if that user can’t log into the same server.
- Warn if more than 100 packets are blocked by UTM/FireWall from the same source IP and don’t warn within an hour. (Millions of packets are blocked in case of DDOS attack. If email is sent for each, you are exposed to DDOS attack.)
- Report the source IP which causes unusual UDP traffic.
- Warn if a traffic is occurred to a destination or from a source in IP-Reputation list.
- Warn if network traffic occurs from the source or to a source in malicious link list.
- If someone sets up DHCP server in your network or if a different gateway broadcasts, to find out this: Warn if a traffic occurs from inside to outside or from outside to inside whose protocol is UDP, destination port is 67, and destination IP is not in registered in IP list.
- Warn if an IP scan occurs.
- Warn if SQL attack occurs via web server.
- Warn if the servers are accessed out of hours.
- Warn if the same user tries more than three failed login attempts to different machines in a minute.
- Warn If an attack followed by account change
- Warn If scan followed by an attack
- Detects An unusual condition where a source has authentication failures at a host but that is not followed by a successful authentication at the same host within 2 hours
- Look for a new account being created followed by immediate authentication activity from that same account would detect the backdoor account creation followed by the account being used to telnet back into the system
- Monitor same source having excessive login failures at distinct hosts.
- Check whether the source of an attack was previously the destination of an attack (within 15 minutes)
- Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP
- Look for a new account being created, followed shortly by access/authentication failure activity from the same account
- Monitor system access outside of business hours