SureLog Advanced Correlation Engine

A correlation engine is a software application that programmatically understands relationships between events. In security tooling, correlation engines aggregate, normalize, and analyze event log data, applying predictive analytics and "fuzzy" logic to alert the system administrator when there is a problem or risk.

Sample Correlation Rules

The following are sample correlation rules supported by SureLog:

User Authentication

  • Alert on 5 or more failed logins in 1 minute on a single user ID

Attacks on the Network

  • Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute
  • Alert on 3 or more IPS Alerts from a single IP Address in five minutes

Virus Detection/Removal

  • Alert when a single host sees an identifiable piece of malware
  • Alert when a single host fails to clean malware within 1 hour of detection
  • Alert when a single host connects to 50 or more unique targets in 1 minute
  • Alert when 5 or more hosts on the same subnet trigger the same Malware Signature (AV or IPS) within a 1 hour interval

Web Server

  • Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server from an external source

Black-listed applications

  • Alert when an unauthorized application (e.g. TeamViewer, LogmeIn, Nmap, Nessus, etc.) is run on any host

Monitored Log Sources

  • Alert when a monitored log source has not sent an event in 1 Hour
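The rules above are all instances of two mechanisms: a sliding-window count per key (events, or distinct values, for one user, IP, host or subnet within a time window) and absence detection (a source that stops sending). The following is an added example, not SureLog's code, that implements both over a constructed event stream and encodes the thresholds listed on this page; the event kinds, field names, rule names, addresses and timestamps are assumptions made up for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_interface


@dataclass
class Event:
    ts: datetime
    kind: str      # normalized event class, e.g. "auth_fail", "fw_deny", "ips_alert"
    fields: dict   # normalized attributes: user, src, dst, host, signature, source ...


class WindowRule:
    """Sliding-window threshold: fire when key(ev) accumulates `threshold` events
    (or `threshold` distinct values of field `distinct`) inside `window`."""

    def __init__(self, name, kind, key, threshold, window, distinct=None):
        self.name, self.kind, self.key = name, kind, key
        self.threshold, self.window, self.distinct = threshold, window, distinct
        self.state = defaultdict(deque)   # key -> deque of (ts, distinct value)

    def feed(self, ev):
        if ev.kind != self.kind:
            return None
        k = ev and self.key(ev)
        q = self.state[k]
        q.append((ev.ts, ev.fields.get(self.distinct) if self.distinct else None))
        cutoff = ev.ts - self.window           # evict anything older than the window
        while q and q[0][0] < cutoff:
            q.popleft()
        count = len({v for _, v in q}) if self.distinct else len(q)
        if count >= self.threshold:
            q.clear()                          # one alert per threshold crossing, not per event
            return (self.name, k, ev.ts)
        return None


class SilenceRule:
    """Absence detection: a monitored log source that has sent nothing for `window`."""

    def __init__(self, name, sources, window):
        self.name, self.window = name, window
        self.last_seen = dict.fromkeys(sources)   # None until the first event arrives

    def feed(self, ev):
        src = ev.fields.get("source")
        if src in self.last_seen:
            self.last_seen[src] = ev.ts

    def check(self, now):
        return sorted(s for s, t in self.last_seen.items()
                      if t is None or now - t >= self.window)


def correlate(events, rules, silence, now):
    """Replay events in time order through every rule; return (alerts, silent sources)."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        silence.feed(ev)
        alerts += [hit for hit in (r.feed(ev) for r in rules) if hit]
    return alerts, silence.check(now)


MIN, HOUR = timedelta(minutes=1), timedelta(hours=1)


def subnet24(ip):
    return str(ip_interface(ip + "/24").network)


def build_rules():
    """Rules mirroring the sample thresholds on this page (rule names are ours)."""
    rules = [
        WindowRule("5+ failed logins in 1 min per user", "auth_fail",
                   lambda e: e.fields["user"], 5, MIN),
        WindowRule("15+ firewall denies in 1 min per source IP", "fw_deny",
                   lambda e: e.fields["src"], 15, MIN),
        WindowRule("3+ IPS alerts in 5 min per source IP", "ips_alert",
                   lambda e: e.fields["src"], 3, 5 * MIN),
        WindowRule("50+ unique targets in 1 min per host", "conn",
                   lambda e: e.fields["src"], 50, MIN, distinct="dst"),
        WindowRule("same malware signature on 5+ hosts in one /24 within 1 h", "av_detect",
                   lambda e: (subnet24(e.fields["host"]), e.fields["signature"]),
                   5, HOUR, distinct="host"),
    ]
    silence = SilenceRule("log source silent for 1 h", ["fw-edge", "dc01", "av-console"], HOUR)
    return rules, silence


def sample_events():
    """Constructed sample stream (not real data): timestamps and addresses are made up."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    # jdoe: 5 failures in 40 s (fires). asmith: 5 failures over 2 min; no single
    # 1-minute window ever holds 5, so the rule stays quiet.
    ev += [Event(t0 + timedelta(seconds=10 * i), "auth_fail",
                 {"user": "jdoe", "source": "dc01"}) for i in range(5)]
    ev += [Event(t0 + timedelta(seconds=30 * i), "auth_fail",
                 {"user": "asmith", "source": "dc01"}) for i in range(5)]
    ev += [Event(t0 + timedelta(seconds=60 + i), "fw_deny",
                 {"src": "192.0.2.9", "source": "fw-edge"}) for i in range(15)]
    ev += [Event(t0 + timedelta(minutes=m), "ips_alert",
                 {"src": "203.0.113.5", "source": "ips-1"}) for m in (2, 3, 4)]
    ev += [Event(t0 + timedelta(seconds=300 + i), "conn",
                 {"src": "10.0.1.20", "dst": f"198.51.100.{i}", "source": "fw-edge"})
           for i in range(50)]
    ev += [Event(t0 + timedelta(minutes=10 * i), "av_detect",
                 {"host": f"10.0.1.{10 + i}", "signature": "Trojan.Sample",
                  "source": "av-console"}) for i in range(1, 6)]
    ev.append(Event(t0 + timedelta(minutes=15), "av_detect",   # other /24: separate key
                    {"host": "10.0.2.7", "signature": "Trojan.Sample", "source": "av-console"}))
    return ev, t0 + timedelta(minutes=65)   # silence is evaluated at T0 + 65 min


def run_demo():
    events, now = sample_events()
    rules, silence = build_rules()          # fresh state each run
    return correlate(events, rules, silence, now)


if __name__ == "__main__":
    alerts, silent = run_demo()
    for name, key, ts in alerts:
        print(f"{ts:%H:%M:%S}  {name}  key={key}")
    print("silent sources:", silent)
```

The run yields five alerts (jdoe, the firewall source, the IPS source, the scanning host, and the /24 with the shared signature) and reports dc01 as silent, because its last event was 63 minutes before the evaluation time while fw-edge and av-console sent more recently. Clearing the window on a hit is a deliberate choice: without it, a sustained burst of failures would re-alert on every subsequent event.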

User Activity Reports

  • All Active User Accounts (any successful login grouped by account name in the past XX days)
  • Active User List by Authentication type
    1. VPN Users
    2. Active Directory Users
    3. Infrastructure Device Access (Firewalls, Routers, Switches, IPS)
  • User Creation, Deletion, and Modification (A list of all user accounts created, deleted, or modified)
  • Access by any Default Account (Guest, Root, Administrator, or other default account usage)
  • Password resets by admin accounts in the past 7 days.

Access Reports

  • Access to any protected/monitored device by an untrusted network
    1. VPN Access to Server Zone
    2. Access by a Foreign Network to Server Zone

Malware

  • A list of host addresses for any identified malware or attack - grouped by malware name
  • A count of any given malware (grouped by Anti-Virus Signature) over the past XX days

Email activity

  • Top 10 email subjects
  • Top 10 addresses to send email
  • Top 10 addresses to receive email
  • Top 10 addresses to send email with the largest total size (MB)
  • Top 10 addresses to receive email with the largest total size (MB)

Web Content

  • Top 10 destinations by domain name
  • Top 10 blocked destinations by domain name
  • Top 10 blocked sources by IP address
  • Top 10 blocked categories
  • Total sent and received bytes grouped by IP addresses

User Account activity

  • Top 10 failed logins
