Introduction
Implementation Process
  Solution Design
  Collection Deployment
  Content Development
  Testing
  Hand Off & Training
Firewalls
Proxy
  Forward Proxy
  Reverse Proxy
VPN
Endpoint Protection
Vulnerability Scanners
Inbound Emails
Identity & Access Management (IAM)
Endpoint DLP
Introduction
About this Document
This document outlines Security Analytics Professional Services Implementations in Sumo Logic.
We refer to these deliverables as content, which can be delivered in the form of queries, alerts and
dashboards/reports.
Described below is the content typically delivered, broken down by source type and event family,
followed by a detailed list of use cases. Not all data sources and use cases will apply to all customers
and will often need to be contextualized to each specific environment. Additional use cases and data
sources can be added as needed.
Note: The content described in this document is NOT considered out-of-the-box content; it is content that
Sumo Logic Professional Services, or Sumo Logic customers themselves, can build.
Implementation Process
Our implementation process typically contains the following phases. They are not necessarily executed in
sequence; where it makes sense, they can run in parallel to gain efficiencies.
Solution Design
During the solution design phase we primarily cover topics around data ingestion, data tagging and other
foundational items necessary to fully configure Sumo Logic (indexing, parsing, RBAC, etc.). The outcome
is both a design for these topics and a plan for how to implement them. This is a joint effort between
your team and the Sumo Logic Professional Services Engineer.
Collection Deployment
After determining how all in-scope data is going to be collected, we proceed to deploy collectors and
sources as designed. While deploying collectors is primarily a task for customer resources, your engineer
will help with advice and troubleshooting every step of the way.
Content Development
Content development is the heart of the project. After jointly determining the scope of what needs to be
built (the below list of use cases is what we typically do and can be augmented with your own), your
engineer will do most of the heavy lifting in terms of building the content. Once something is ready to be
shared with your team we will walk you through the queries and their results, collect feedback and iterate
as necessary. This phase often starts as soon as a relevant amount of data is being ingested in the
platform.
Testing
Once content is ready to be tested we will put it in your hands for further review and testing. At this point
you are often already familiar with the use cases and queries, because of the iterative way in which the
content is developed.
Hand Off & Training
Once we jointly agree that all in-scope content has been built and tested, we will conduct a formal hand off
and training to ensure that you are able to fully maintain and expand what was delivered on your own.
This phase contains both traditional hand off activities and general Sumo Logic training.
Security Use Cases
The earlier an attack is detected, the smaller the impact. Detection techniques in Sumo Logic are
balanced and layered, which means they include detection methods for both known and unknown
threats. Effective organizations can easily identify, prevent and dispose of known threats using a
signature-based solution, and complement this technique with behavior-based solutions in order to
catch the unknown threats a signature-based solution may miss. The following use cases help detect
and alert on modern cyber attacks in real time, enabling a faster response to mitigate and remediate
the impact.
Account Compromise
In the early stages of an attack, it is important to detect any attempts to compromise user credentials
using methods such as Brute Force, Pass The Hash, Golden Ticket, etc. Sumo Logic uses its machine
learning capabilities to detect and alert on any spikes or anomalies based on the organization's historical
data, and focuses on the past behavior of entities such as user accounts, IP addresses, hosts, etc. In the
event of a successful account compromise, it is important to identify the compromised entities, which will
further aid in investigating the impact.
Privilege Escalation
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions
on a system or network. Adversaries can enter a system with unprivileged access and must take
advantage of a system weakness to obtain local Administrator or SYSTEM/root level privileges. Sumo
Logic uses a wide variety of techniques to detect anomalies in accounts escalating privileges, including
self-escalation, short-lived accounts, lateral movement, etc.
Account Misuse/Sharing
Visibility is critical to avoid misuse of dormant, inactive and active accounts. Dormant and inactive
accounts are often an easy target for attackers since there is little visibility on these accounts. Any
violation of an organization's policy for account management should immediately raise an alert. Sumo Logic
also uses geolocation/landspeed capabilities to alert on compromised credentials or on employees sharing
credentials against the organization's policy.
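The geolocation/landspeed check described above, as an added example that is not Sumo Logic's own code: consecutive logins per user are compared, and a pair is flagged when covering the distance between their geolocations would require an implausible speed. The record format, the 900 km/h ceiling, the 50 km noise floor and the sample events are all assumptions constructed for illustration.

```python
"""Landspeed (impossible-travel) check over login events.

Added example, not Sumo Logic's implementation: consecutive successful logins
per user are compared; when covering the great-circle distance between their
geolocations would need a speed above a threshold, the pair is flagged.
The input format and sample events below are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: about the cruise speed of an airliner
MIN_DISTANCE_KM = 50.0      # assumption: ignore geolocation jitter within one city


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class LandspeedViolation:
    user: str
    first: LoginEvent
    second: LoginEvent
    distance_km: float
    hours: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_event(line: str) -> LoginEvent:
    """Parse one constructed record: user|ISO-8601 UTC timestamp|source IP|lat|lon."""
    user, ts, ip, lat, lon = (f.strip() for f in line.split("|"))
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return LoginEvent(user, when, ip, float(lat), float(lon))


def find_landspeed_violations(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins per user whose implied travel speed exceeds max_kmh.

    A real distance change with a zero time gap counts as infinite speed;
    moves shorter than min_km are skipped as geolocation noise.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    violations = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = math.inf if hours == 0 else dist / hours
            if speed > max_kmh:
                violations.append(LandspeedViolation(
                    user, prev, cur, round(dist, 1), round(hours, 2), round(speed, 1)))
    return violations


# Constructed sample: three users, documentation-range IPs, city-centre coordinates.
SAMPLE_LOGINS = [
    "alice|2024-03-01T08:00:00Z|203.0.113.10|51.5074|-0.1278",   # London
    "alice|2024-03-01T09:30:00Z|198.51.100.7|40.7128|-74.0060",  # New York, 90 minutes later
    "bob|2024-03-01T08:00:00Z|192.0.2.5|48.8566|2.3522",        # Paris
    "bob|2024-03-01T20:00:00Z|192.0.2.9|40.7128|-74.0060",      # New York, 12 hours later
    "carol|2024-03-01T08:00:00Z|203.0.113.20|52.5200|13.4050",  # Berlin
    "carol|2024-03-01T08:20:00Z|203.0.113.21|52.5300|13.4100",  # Berlin, about 1 km away
]


def sample_violations():
    """Run the check over the constructed sample; only alice's London-to-New-York pair trips it."""
    return find_landspeed_violations(parse_event(line) for line in SAMPLE_LOGINS)


if __name__ == "__main__":
    for v in sample_violations():
        print(f"{v.user}: {v.first.src_ip} -> {v.second.src_ip}, "
              f"{v.distance_km} km in {v.hours} h ({v.speed_kmh} km/h)")
```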
Denial of Service
One common type of cyber attack is Denial of Service (DoS), which, as the name suggests, makes the
resources of the service unavailable to legitimate users. There are many types of DoS attacks, with some
directly targeting the underlying server infrastructure. Sumo Logic monitors network traffic logs to alert on
malicious traffic spikes or deviations from the normal traffic baseline.
Privileged Accounts
Privileged users, such as system or database administrators, have escalated access rights and their
accounts can be rich targets for hackers. Sumo Logic uses special analytics for privileged and shared
accounts and can flag unusual behavior within both types.
Data Loss Prevention
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical
information outside the corporate infrastructure. It is critical to monitor all endpoint egress vectors and
alert on any anomalies based on each entity's past behavior. Additional monitoring should be provided for
critical endpoints, watchlisted accounts, flight-risk users and employees who have recently been
terminated or have an upcoming termination.
System Changes
Any critical events including unauthorized changes to configs or deletion of audit trails should be
immediately escalated.
Malware Detection
Great measures are taken to protect organizations. Yet threats such as malware keep getting in despite
the network monitoring tools and enterprise threat detection solutions you have in place. Sumo Logic
uses external threat intel feeds to alert on known malware and uses its machine learning capabilities to
alert on zero-day malware. Additionally, Sumo uses pattern matching techniques to detect robotic
behavior from the organization's internal network.
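The request-frequency side of robotic behavior (beaconing) detection, as an added example rather than Sumo Logic's own logic: constructed proxy records are grouped per source/destination pair and a pair is flagged when it has enough requests and the gaps between them are nearly constant. The log format, the minimum request count and the jitter tolerance are assumptions.

```python
"""Beacon detection from request timing regularity.

Added example, not Sumo Logic's implementation: outbound requests are grouped
by (source host, destination), the gaps between consecutive requests are
measured, and a pair is flagged when it has enough requests and the gaps are
nearly constant (low coefficient of variation). Log lines are constructed.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BeaconCandidate:
    src: str
    dst: str
    requests: int
    period_s: float   # mean gap between requests, in seconds
    cv: float         # stdev / mean of the gaps; 0.0 is perfectly periodic


def parse_line(line: str):
    """Parse a constructed proxy record: "<ISO timestamp> <src_ip> <dst_host> <status>"."""
    ts, src, dst, _status = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_requests: int = 8, max_cv: float = 0.15):
    """Return (src, dst) pairs whose request timing looks machine-driven.

    min_requests avoids judging regularity from too few samples; max_cv is the
    jitter tolerated (human browsing usually has a CV near or above 1.0, while a
    fixed-interval beacon with a few seconds of jitter stays well below 0.1).
    """
    stamps = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        stamps[(src, dst)].append(ts)
    found = []
    for (src, dst), times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:           # every request in the same second: no period to measure
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append(BeaconCandidate(src, dst, len(times), round(mean, 1), round(cv, 3)))
    return found


def sample_log():
    """Constructed proxy log: one 60 s beacon with small jitter, one human-like
    browsing pattern, and one host with too few requests to judge."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    t = base
    for jitter in [0, 1, -2, 2, 0, -1, 1, 0, -2, 1, 2, -1]:     # 12 requests, ~60 s apart
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.5 updates.example.net 200")
    t = base
    for gap in [0, 3, 45, 200, 7, 900, 12, 60, 400, 5, 30]:     # 11 irregular requests
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 news.example.com 200")
    for i in range(3):                                          # below min_requests
        when = base + timedelta(seconds=30 * i)
        lines.append(f"{when.isoformat()} 10.0.0.9 cdn.example.org 304")
    return lines


if __name__ == "__main__":
    for c in find_beacons(sample_log()):
        print(f"{c.src} -> {c.dst}: {c.requests} requests every ~{c.period_s}s (cv={c.cv})")
```

Beacons that randomise their interval widely will push the CV above the tolerance, so in practice this check is paired with the pattern-matching indicators (malicious domains, rare destinations) listed later in this document.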
Monitoring Security Logs
Operating Systems
Windows OS
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire organization. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-based outliers (e.g. unusual activity, spikes, etc.).
Account Management: Monitor all activity involving users and groups. This includes monitoring special sets of users and groups (e.g. privileged, terminated, local, service, etc.).
System Changes: Monitor all important and invasive system and configuration changes. This includes relevant policy changes (e.g. Audit Policies on Microsoft Windows Operating Systems), activity involving new and existing services, any other relevant configuration or change activity, and activity involving Windows Updates.
Security Alerts: Monitor for known threats and attack vectors as well as other potential indicators of compromise, including brute force attacks, unauthorized privilege escalation, password reset anomalies, etc.
Log Requirements
Windows Security Events
Indicators
Accounts: Account Created, Account Enabled, Account Disabled, Account Deleted, Account Changed, Account Unlocked
Linux OS
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire organization. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.).
Account Management: Monitor all activity involving users and groups. This includes monitoring special sets of users and groups (e.g. privileged, terminated, local, service, etc.).
System Changes: Monitor all important and invasive system and configuration changes. This includes relevant policy changes (e.g. Audit Policies on Microsoft Windows Operating Systems), activity involving new and existing services, as well as any other relevant configuration or change activity.
Security Alerts: Monitor for known threats and attack vectors as well as other potential indicators of compromise, including brute force attacks, unauthorized privilege escalation, password reset anomalies, etc.
Log Requirements
Debian-based systems: /var/log/syslog, /var/log/auth.log
RedHat-based systems: /var/log/messages, /var/log/secure
Note: many of these use cases can also be built if auditd is available.
Indicators
AWS - CloudTrail
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Account Management: Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Groups: Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Log Requirements
AWS CloudTrail Logs
Indicators
Authentication - Successful: Console Logins, Console Logins - MFA, Console Logins - SAML, Assumed Role Events, Privileged Accounts
Authentication - Failed: Console Logins, Console Logins - MFA, Console Logins - SAML, Assumed Role Events, Privileged Accounts, Spike Threshold Total by Origin, Spike Baseline Total by Origin, Spike Threshold Total by Account, Spike Baseline Total by Account, Spike Threshold Total Overall, Spike Baseline Total Overall
Roles: Role Created, Role Deleted
User: User Created, User Deleted
Group: Group Created, Group Deleted
AWS - VPC Flow Logs
Description
Traffic Monitoring: Investigate network traffic patterns and identify threats and risks across your VPC estate. These use cases focus on well-known file transfer ports, rare geolocations and malicious IPs to detect any deviation from the usual traffic behavior.
Denial of Service: Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.
Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Log Requirements
AWS VPC Flow Logs
Indicators
Traffic Monitoring - Outbound: Accepted Traffic, TCP Traffic, UDP Traffic, ICMP Traffic, Top 10 Accepted Accounts, Top 10 Blocked Accounts, Top 10 Accepted Source IPs, Top 10 Blocked Source IPs, Top 10 Accepted Destination IPs, Top 10 Blocked Destination IPs, Traffic Geolocation Monitoring by Destination, Traffic Geolocation Monitoring by Destination - Blocked Traffic, Top 10 Geolocations by Destination, Top 10 Geolocations by Destination - Blocked Traffic, Traffic to Rare Geolocations, Traffic to Rare Geolocations - Blocked Traffic
Traffic Monitoring - Inbound: Accepted Traffic, Dropped Traffic, Traffic From Malicious IPs, TCP Traffic, UDP Traffic, ICMP Traffic, Top 10 Accepted Accounts, Top 10 Blocked Accounts, Top 10 Accepted Source IPs, Top 10 Blocked Source IPs, Top 10 Accepted Destination IPs, Top 10 Blocked Destination IPs, Traffic Geolocation Monitoring by Source, Traffic Geolocation Monitoring by Source - Blocked Traffic, Top 10 Geolocations by Source, Top 10 Geolocations by Source - Blocked Traffic, Traffic From Rare Geolocations, Traffic From Rare Geolocations - Blocked Traffic
DLP - Successful: High Number of Bytes Sent - Threshold by Source, High Number of Bytes Sent to Rare Geolocations, Abnormal Volume of Bytes Sent - Spike by Resource, Abnormal Volume of Bytes Sent - Spike by Source, Abnormal Volume of Bytes Sent - Spike by Destination
DLP - Blocked: Top 10 Source IPs by Bytes Sent, Top 10 Destination IPs by Bytes Sent, Abnormal Volume of Bytes Sent - Spike by Resource, Abnormal Volume of Bytes Sent - Spike by Source, Abnormal Volume of Bytes Sent - Spike by Destination, Data Egress Over Covert Channels
Denial of Service - Inbound: Abnormal Number of Requests From Same IP - Spike by Source, Abnormal Number of Dropped Requests From Same IP - Spike by Source, Spike In Network Traffic - Spike by Resource, High Number of Requests Per Second - Spike by Source
Security Alerts - Inbound: Traffic From Rare Sources, Traffic From Blacklisted Geolocations, Insecure Traffic, Activity On High Ports, High Number of Rejected Events Followed by Accepted Event
Security Alerts - Outbound: Traffic to Malicious IPs, Traffic to Rare Destinations, Traffic to Blacklisted Geolocations, Insecure Traffic, Activity On High Ports
Robotic Behavior - Outbound: Beaconing Traffic to Malicious Domains, Beaconing Traffic
Robotic Behavior - Inbound: Beaconing Traffic From Malicious Domains, Beaconing Traffic
Google Cloud Platform - Audit
Description
Data Access: Monitor all attempts to access the Cloud SQL database and attempts to extract data using BigQuery resources.
System Events: Monitor critical system events including system shutdowns, restarts, failures, etc.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Log Requirements
Google Cloud Audit Logs
Indicators
Google Cloud Platform - Firewall
Description
Traffic Monitoring: Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information. These use cases give end users a holistic view of the incoming and outgoing traffic.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Firewall Rules: Monitor events accepted and blocked by firewall rules and correlate firewall events with firewall policy changes from audit logs.
Log Requirements
GCP Firewall Logs
Indicators
Ingress - Allowed: TCP Traffic, UDP Traffic, Top 10 Project IDs, Top 10 Instances, Top 10 VPCs, Top 10 Subnetworks, Top 10 Protocols, Top 10 Destination IPs, Top 10 Source IPs, Traffic Geolocation Monitoring by Source, Top 10 Geolocations by Source, Traffic From Rare Geolocations
Egress - Allowed: TCP Traffic, UDP Traffic, Top 10 Project IDs, Top 10 Instances, Top 10 VPCs, Top 10 Subnetworks, Top 10 Protocols, Top 10 Destination IPs, Top 10 Source IPs, Traffic Geolocation Monitoring by Destination, Top 10 Geolocations by Destination, Traffic From Rare Geolocations
TCP Traffic
UDP Traffic
Top 10 Instances
Top 10 VPCs
Google Cloud Platform - VPC
Description
Traffic Monitoring: Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information. These use cases give end users a holistic view of the incoming and outgoing traffic. They focus on well-known file transfer ports, rare geolocations and malicious IPs to detect any deviation from the usual traffic behavior.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.
Log Requirements
GCP VPC Logs
Indicators
Traffic Monitoring - Ingress: TCP Traffic, UDP Traffic, Top 10 Project IDs, Top 10 Instances, Top 10 VPCs, Top 10 Subnetworks, Top 10 Protocols, Top 10 Destination IPs, Top 10 Source IPs, Traffic Geolocation Monitoring by Source, Top 10 Geolocations by Source, Traffic From Rare Geolocations
Traffic Monitoring - Egress: TCP Traffic, UDP Traffic, Top 10 Project IDs, Top 10 Instances, Top 10 VPCs, Top 10 Subnetworks, Top 10 Protocols, Top 10 Destination IPs, Top 10 Source IPs, Traffic Geolocation Monitoring by Destination, Top 10 Geolocations by Destination, Traffic From Rare Geolocations
Security Alerts: Rare Protocol On Instance, Rare Protocol On VPC, Rare Protocol On Network, Traffic From Rare Sources, Traffic From Blacklisted Geolocations, Insecure Traffic, Possible Covert Channel, Unusual Ports Used On Instance, Unusual Ports Used On VPC, Unusual Ports Used On Project ID, Traffic to Instance From Rare Geolocation, Traffic to VPC From Rare Geolocation, Traffic to Zone From Rare Geolocation, Traffic to Malicious IPs, Traffic From Malicious IPs, Traffic From Anonymous Proxy, Traffic to Tor Exit Nodes, Activity On High Ports
Denial of Service - Ingress: Spike In Network Traffic - by Resource, Spike In Network Traffic - by Network, Spike In Network Traffic - by VPC, Spike In Network Traffic - by Instance, High Number of Requests Per Second, Multiple IPs With Requests to Same VPC
DLP - Egress: Top 10 VPCs - by Bytes Sent, Top 10 Networks - by Bytes Sent, Top 10 Projects - by Bytes Sent, Top 10 Destination IPs - by Bytes Sent, Top 10 Regions - by Bytes Sent, Spike In Bytes Sent - by Instance, Spike In Bytes Sent - by VPC, Spike In Bytes Sent - by Project, Spike In Bytes Sent - by Network
Robotic Behavior - Egress: Beaconing Traffic to Malicious Domains, Beaconing Traffic From Instance
Robotic Behavior - Ingress: Beaconing Traffic From Malicious Domains, Beaconing Traffic to Instance
Microsoft Azure - Audit
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Account Management: Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Groups: Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Log Requirements
Azure Audit Logs
Indicators
Security Alert - Log Tampering: Trail Stopped, Trail Deleted
Security Alert - Security Group Risk: Permit Any Security Groups
Security Alert - Suspicious Accounts: Short Lived Accounts
Security Alert - Instance Tampering: Mass Creation, Mass Deletion, Instance Outside of Vnet
Security Alert - Suspicious Logins: Activity by User From Threat Actor Geo, Activity by User From Outside the US, Activity by User From 2+ Different IPs In Short Timeframe, Activity by User From 2+ Different Geos In Short Timeframe, Activity by User From Known Bad IP, Login Without MFA, Login Bypassing SAML
Microsoft Azure - Network Watcher
Description
Traffic Monitoring: Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information. These use cases give end users a holistic view of the incoming and outgoing traffic.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Denial of Service: Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.
Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.
Log Requirements
Azure Network Watcher
Indicators
Traffic Monitoring - Outbound: Accepted Traffic, TCP Traffic, UDP Traffic, Top 10 Accepted MACs, Top 10 Blocked MACs, Top 10 Accepted Source IPs, Top 10 Blocked Source IPs, Top 10 Accepted Destination IPs, Top 10 Blocked Destination IPs, Traffic Geolocation Monitoring by Destination, Traffic Geolocation Monitoring by Destination - Blocked Traffic, Top 10 Geolocations by Destination, Top 10 Geolocations by Destination - Blocked Traffic, Traffic to Rare Geolocations, Traffic to Rare Geolocations - Blocked Traffic
Traffic Monitoring - Inbound: Accepted Traffic, Dropped Traffic, Traffic From Malicious IPs, TCP Traffic, UDP Traffic, Top 10 Accepted MACs, Top 10 Blocked MACs, Top 10 Accepted Source IPs, Top 10 Blocked Source IPs, Top 10 Accepted Destination IPs, Top 10 Blocked Destination IPs, Traffic Geolocation Monitoring by Source, Traffic Geolocation Monitoring by Source - Blocked Traffic, Top 10 Geolocations by Source, Top 10 Geolocations by Source - Blocked Traffic, Traffic From Rare Geolocations, Traffic From Rare Geolocations - Blocked Traffic
Denial of Service - Inbound: Abnormal Number of Requests From Same IP - Spike by Source, Abnormal Number of Dropped Requests From Same IP - Spike by Source, Spike In Network Traffic - Spike by Resource, High Number of Requests Per Second - Spike by Source
Security Alerts - Inbound: Traffic From Rare Sources, Traffic From Blacklisted Geolocations, Insecure Traffic, Activity On High Ports, High Number of Rejected Events Followed by Accepted Event
Security Alerts - Outbound: Traffic to Malicious IPs, Traffic to Rare Destinations, Traffic to Blacklisted Geolocations, Insecure Traffic, Activity On High Ports
Robotic Behavior - Outbound: Beaconing Traffic to Malicious Domains, Beaconing Traffic
Robotic Behavior - Inbound: Beaconing Traffic From Malicious Domains, Beaconing Traffic
SaaS Productivity Tools
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Account Management: Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Groups: Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Log Requirements
G Suite
O365
Indicators
Authentication - Successful: Console Logins, Console Logins - MFA, Privileged Accounts, Terminated Accounts
Authentication - Failed: Console Logins, Console Logins - MFA, Privileged Accounts, Terminated Accounts, Spike Threshold Total by Origin, Spike Baseline Total by Origin, Spike Threshold Total by Account, Spike Baseline Total by Account, Spike Threshold Total Overall, Spike Baseline Total Overall
Account Management - User: User Created, User Deleted
Account Management - Group: Group Created, Group Deleted
Account Management - Group Management: User Added to Group, User Removed from Group
Security Alert - Suspicious Logins: Suspicious Logins (suspicious_login Eventtype), Activity by User from Threat Actor Geo, Activity by User from Outside the US, Activity by User from 2+ Different IPs in Short Timeframe, Activity by User from 2+ Different Geos in Short Timeframe, Activity by User from Known Bad IP
Security Alert - DLP: Data Shared Outside of Organization, Mass Copy of Data to Single Destination, Mass Deletion of Data, Mass Permission Changes
Firewalls
Description
Traffic Monitoring: Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information. These use cases give end users a holistic view of the incoming and outgoing traffic. They focus on well-known file transfer ports, rare geolocations and malicious IPs to detect any deviation from the usual traffic behavior.
Denial of Service: Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.
Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.
Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.
Log Requirements
Check Point
NetFlow
Palo Alto Networks
Cisco ASA
FireEye
Indicators
Traffic Monitoring - Outbound: Accepted Traffic, TCP Traffic, UDP Traffic, Telnet Traffic, SMB Traffic, FTP Traffic, NetBIOS Traffic, DNS Traffic, LDAP Traffic, Top 10 Accepted Protocols, Top 10 Blocked Protocols, Top 10 Accepted Source IPs, Top 10 Blocked Source IPs, Top 10 Accepted Destination IPs, Top 10 Blocked Destination IPs, Traffic Geolocation Monitoring by Destination, Traffic Geolocation Monitoring by Destination - Blocked Traffic, Top 10 Geolocations by Destination, Top 10 Geolocations by Destination - Blocked Traffic, Traffic to Rare Geolocations, Traffic to Rare Geolocations - Blocked Traffic
Traffic Monitoring - Inbound: Accepted Traffic, Dropped Traffic, Traffic from Malicious IPs, TCP Traffic, UDP Traffic, Telnet Traffic, SMB Traffic, FTP Traffic, NetBIOS Traffic, DNS Traffic, LDAP Traffic, Top 10 Accepted Protocols, Top 10 Blocked Protocols, Top 10 Accepted Source IPs, Top 10 Blocked Source IPs, Top 10 Accepted Destination IPs, Top 10 Blocked Destination IPs, Traffic Geolocation Monitoring by Source, Traffic Geolocation Monitoring by Source - Blocked Traffic, Top 10 Geolocations by Source, Top 10 Geolocations by Source - Blocked Traffic, Traffic from Rare Geolocations, Traffic from Rare Geolocations - Blocked Traffic
DLP - Successful: High Number of Bytes Sent - Threshold by Source, High Number of Bytes Sent to Rare Geolocations, Abnormal Volume of Bytes Sent - Spike by Resource, Abnormal Volume of Bytes Sent - Spike by Source, Abnormal Volume of Bytes Sent - Spike by Destination, Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Resource, Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Source, Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Destination, Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Resource, Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Source, Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Destination, Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Resource, Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Source, Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Destination, Data Egress Over Covert Channels
DLP - Blocked: Top 10 Source IPs by Bytes Sent, Top 10 Destination IPs by Bytes Sent, Abnormal Volume of Bytes Sent - Spike by Resource, Abnormal Volume of Bytes Sent - Spike by Source, Abnormal Volume of Bytes Sent - Spike by Destination, Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Resource, Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Source, Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Destination, Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Resource, Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Source, Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Destination, Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Resource, Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Source, Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Destination, Data Egress Over Covert Channels
Proxy
Forward Proxy
Description
These use cases focus on data exfiltration to well-known file share, archival and storage websites, in addition to detecting anomalies in network uploads.
Malicious Traffic: Monitor outbound traffic to malicious websites, proxy anonymizers, DGA domains, etc. This use case helps you identify malicious activity and infected hosts on the internal network.
Security Events: Identify flight-risk users and exiting behavior based on their browsing activity.
Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.
Traffic Monitoring: Monitor all outbound, allowed and denied browsing activity using top N charts and geolocation information. These use cases give end users a holistic view of users' browsing activity.
Log Requirements
Blue Coat Proxy
Websense Proxy
Forcepoint Proxy
Indicators
Reverse Proxy
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Malicious Traffic: Monitor inbound traffic from malicious sources, proxy anonymizers, C2C domains, etc. This use case helps you identify malicious activity from external sources.
Denial of Service: Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.
Robotic Behavior: Detect beaconing activity from the external network using robotic behavior matching patterns and request frequency analysis.
Traffic Monitoring: Monitor all inbound, allowed and denied web access requests using top N charts and geolocation information. These use cases give end users a holistic view of incoming web traffic.
Log Requirements
Nginx
Apache Access Logs
Indicators
Success: Successful Authentication, Authentication Geolocation Monitoring, Authentication from Rare Geolocations
Failed Authentication, Authentication Geolocation Monitoring
VPN
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Traffic Monitoring: Monitor all VPN connection requests using top N charts and geolocation information. These use cases give end users a holistic view of VPN traffic.
Security Events: Detect high-severity security alerts including traffic from malicious sources and abnormal session durations.
Log Requirements
Cisco ASA
NetScaler
Indicators
Traffic Monitoring: Traffic Geolocation, Traffic from Rare Geolocation, Traffic from Blacklisted Countries, Top 10 Geolocations
VPN Activity by Terminated Accounts, All Authentication Events, VPN Activity by Dormant Accounts, Landspeed Violation, VPN Authentication Using Rare OS
Endpoint Protection
Description
Incident Management: Monitor endpoint-related incidents to identify, analyze and correct hazards to prevent a future recurrence.
Security Monitoring: Monitor and detect malicious processes on endpoints by analyzing endpoint incidents, rare operating systems, and known and unknown malicious hash values. This use case helps identify and remediate infected machines on the internal network and mobile devices.
Virus Detection: Identify and analyze viruses within the corporate infrastructure. Using machine learning, detect a spike in endpoint alerts for viruses.
Log Requirements
Symantec Endpoint
McAfee Endpoint
Carbon Black
Norton Endpoint
Sophos
Check Point
Indicators
Rare Messages, Incident Count by OS, Rare OS Used, Checksum Error
Virus - On-prem: Virus Found, Antivirus Shutdown
Vulnerability Scanners
Description
This use case helps you identify the most severe vulnerabilities.
Log Requirements
Qualys
Tenable
Rapid7
BeyondTrust
Indicators
Inbound Emails
Description
Phishing: Detect and prevent phishing attempts based on incoming email behavior anomalies, TLD analysis and suspicious activity from the internal network.
Log Requirements
MTA
Proofpoint
Area1
Indicators
Identity & Access Management (IAM)
Description
Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) as well as behaviour-related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Account Management: Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Groups: Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.
Security Alerts: Detect high-severity security alerts including brute force attempts, unauthorized privilege escalation, password reset anomalies and traffic from malicious sources and rare user agents.
Log Requirements
Okta
OneLogin
CyberArk
Indicators
Endpoint DLP
Description
These use cases cover all possible egress vectors and detect exfiltration of sensitive files using machine learning to flag anomalies.
Log Requirements
McAfee
Symantec
Forcepoint
Varonis
Proofpoint
Indicators