https://gbhackers.com/security-information-and-event-management-siem-a-detailed-explanation/
1. Authentication Activities
Abnormal authentication attempts, off hour authentication attempts etc, using data from Windows, Unix and any other authentication application.
2. Shared Accounts
Multiple sources(internal/external) making session requests for a particular user account during a given time frame, using login data from sources like Windows, Unix etc.
3. Session Activities
Session duration, inactive sessions etc, using login session related data specifically from Windows server.
4. Connections Details
Connections can be genuine or bogus. Suspicious behavior may include connection attempts on closed ports, blocked internal connections, connection made to bad destinations etc, using data from firewalls, network devices or flow data. External sources can further be enriched to discover the domain name, country and geographical details.
5. Abnormal Administrative Behavior
Monitoring inactive accounts, accounts with unchanged passwords, abnormal account management activities etc, using data from AD account management related activities.
6. Information Theft
Data exfiltration attempts, information leakage through emails etc, using data from mail servers, file sharing applications etc.
7. Vulnerability Scanning and Correlation
Identification and correlation of security vulnerabilities detected by applications like Qualys against other suspicious events.
8. Statistical Analysis
Statistical analysis can be done to study the nature of data. Functions like average, median, quantile, quartile etc can be used for the purpose. Numerical data from all kind of sources can be used to monitor relations like ratio of inbound to outbound bandwidth usage, data usage per application, response time comparison etc.
9. Intrusion Detection and Infections
This can be done by using data from IDS/IPS, antivirus, anti-malware applications etc.
10. System Change Activities
This can be done by using data for changes in configurations, audit configuration changes, policy changes, policy violations etc.
No comments:
Post a Comment