Security Analytics

Sumo Logic Professional Services

Introduction

Implementation Process
Solution Design
Collection Deployment
Content Development
Testing
Hand Off & Training

Security Use Cases

Monitoring Security Logs

Operating Systems
Windows OS
Linux OS
Cloud Platforms
Amazon Web Services - Cloudtrail
Amazon Web Service - VPC
Google Cloud Platform - Audit
Google Cloud Platform - Firewall
Google Cloud Platform - VPC
Microsoft Azure - Audit
Microsoft Azure - Network Watcher
SaaS Productivity Tools

Firewalls

Proxy
Forward Proxy
Reverse Proxy

VPN

Endpoint Protection

Vulnerability Scanners

Inbound Emails
Identity & Access Management (IAM)

Endpoint DLP

Introduction
About this Document

This document outlines Security Analytics Professional Services implementations in Sumo Logic.
We refer to these deliverables as content, which can be delivered in the form of queries, alerts and
dashboards/reports.

Described below is the content typically delivered, broken down by source type and event family,
followed by a detailed list of use cases. Not all data sources and use cases will apply to all customers,
and they will often need to be contextualized to each specific environment. Additional use cases and data
sources can be added as needed.

Note: The content described in this document is NOT considered out-of-the-box content, but content
that Sumo Logic Professional Services or Sumo Logic customers themselves can build.

Implementation Process

Our implementation process typically contains the following phases. These are not necessarily executed
in sequence; where it makes sense they can run in parallel to gain efficiencies.

Solution Design

During the solution design phase we primarily cover topics around data ingestion, data tagging and other
foundational items necessary to fully configure Sumo Logic (indexing, parsing, RBAC, etc). The outcome
is both a design for these topics as well as a plan on how to implement them. This is a joint effort between
your team and the Sumo Logic Professional Services Engineer.

Collection Deployment

After determining how all in scope data is going to be collected, we proceed to deploy collectors and
sources as designed. While deploying collectors is primarily a task for customer resources, your engineer
will help with advice and troubleshooting every step of the way.

Content Development

Content development is the heart of the project. After jointly determining the scope of what needs to be
built (the below list of use cases is what we typically do and can be augmented with your own), your
engineer will do most of the heavy lifting in terms of building the content. Once something is ready to be
shared with your team we will walk you through the queries and their results, collect feedback and iterate
as necessary. This phase often starts as soon as a relevant amount of data is being ingested in the
platform.
Testing

Once content is ready to be tested we will put it in your hands for further review and testing. At this point
you are often already familiar with the use cases and queries because of the iterative way in which the
content is developed.

Hand Off & Training

Once we jointly agree that all in scope content has been built and tested we will conduct formal hand off
and training to ensure that you are able to fully maintain and expand what was delivered on your own.
This phase contains both traditional hand off activities as well as general Sumo Logic training.
Security Use Cases

The earlier an attack is detected, the smaller its impact. Detection techniques in Sumo Logic are
balanced and layered, which means including detection methods for both known and unknown
threats. Effective organizations can easily identify, prevent and dispatch known threats using a
signature-based solution, and complement this technique with behavior-based solutions in order to
catch the unknown threats a signature-based solution may miss. The following use cases help detect
and alert on modern cyber attacks in real time, enabling a faster response to mitigate and remediate
the impact.

Account Compromise

In the early stages of an attack, it is important to detect any attempts to compromise user credentials
using methods such as Brute Force, Pass The Hash, Golden Ticket, etc. Sumo Logic uses its machine
learning capabilities to detect and alert on any spikes or anomalies based on the organization's historical
data, focusing on the past behavior of entities such as user accounts, IP addresses, hosts, etc. In the
event of a successful account compromise, it is important to identify the compromised entities, which will
further aid in investigating the impact.

Privilege Escalation

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions
on a system or network. Adversaries can enter a system with unprivileged access and must take
advantage of a system weakness to obtain local Administrator or SYSTEM/root level privileges. Sumo
Logic uses a wide variety of techniques to detect anomalies in accounts escalating privileges, including
self escalation, short lived accounts, lateral movement, etc.

Account Misuse/Sharing

Visibility is critical to avoid misuse of dormant, inactive and active accounts. Dormant and inactive
accounts are often an easy target for attackers since there is little visibility on these accounts. Any
violation of an organization's policy for account management should be immediately alerted. Sumo Logic
also uses geolocation/landspeed capabilities to alert on compromised credentials or employees sharing
credentials against the organization's policy.

(Distributed) Denial of Service

One common type of cyber attack is Denial of Service (DoS), which, as the name suggests, makes the
resources of a service unavailable to legitimate users. There are many types of DoS attacks, some of
them directly targeting the underlying server infrastructure. Sumo Logic monitors network traffic logs to
alert on malicious traffic spikes or deviations from the normal traffic baseline.

Privileged Account Monitoring

Privileged users, such as system or database administrators, have escalated access rights and their
accounts can be rich targets for hackers. Sumo Logic uses special analytics for privileged and shared
accounts and can flag unusual behavior within both types.

Data Loss Prevention

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical
information outside the corporate infrastructure. It is critical to monitor all endpoint egress vectors and
alert on any anomalies based on each entity's past behavior. Additional monitoring should be provided for
critical endpoints, watchlisted accounts, flight risk users and employees who have recently been
terminated or have an upcoming termination.

System Changes

Any critical events including unauthorized changes to configs or deletion of audit trails should be
immediately escalated.

Malware Detection

Great measures are taken to protect organizations. Yet threats such as malware keep getting in despite
the network monitoring tools and enterprise threat detection solutions you have in place. Sumo Logic
uses external threat intel feeds to alert on known malware and uses its machine learning capabilities to
alert on zero-day malware. Additionally, Sumo uses pattern matching techniques to detect robotic
behavior from the organization's internal network.
Monitoring Security Logs

Operating Systems
Windows OS

Description

Authentication: Monitor all authentication activity, successful and failed, across the entire organization. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high value systems) as well as behaviour based outliers (e.g. unusual activity, spikes, etc.).

Account Management: Monitor all activity involving users and groups. This includes monitoring special sets of users and groups (e.g. privileged, terminated, local, service, etc.).

System Changes: Monitor all important and invasive system and configuration changes. This includes relevant policy changes (e.g. Audit Policies on Microsoft Windows Operating Systems), activity involving new and existing services, any other relevant configuration or change activity and activity involving Windows Updates.

Security Alerts: Monitor for known threats and attack vectors as well as other potential indicators of compromise, including brute force attacks, unauthorized privilege escalation, password reset anomalies, etc.

Log Requirements
Windows Security Events
Indicators

Event Family: Authentication
  Event: Successful Login
    Interactive Logons At Unusual Hours
    Remote Logons At Unusual Hours
    Interactive Logons by Service Accounts
    Remote Logons by Service Accounts
    Interactive Logons by Terminated Accounts
    Remote Logons by Terminated Accounts
    Interactive Logons by Privileged Accounts
    Remote Logons by Privileged Accounts
    Interactive Logons by Local Accounts
    Remote Logons by Local Accounts
    Network Logons in Cleartext
    High Value Systems
    Non Expected Origin
  Event: Failed Login
    Interactive Logons by Service Accounts
    Remote Logons by Service Accounts
    Interactive Logons by Terminated Accounts
    Remote Logons by Terminated Accounts
    Interactive Logons by Privileged Accounts
    Remote Logons by Privileged Accounts
    Interactive Logons by Local Accounts
    Remote Logons by Local Accounts
    Interactive Logons by Locked Accounts
    Remote Logons by Locked Accounts
    Default Administrator(s) Locked Out
    Privileged Account Locked Out
    High Value Systems
    Spike Threshold Total by Origin
    Spike Baseline Total by Origin
    Spike Threshold Total by Target
    Spike Baseline Total by Target
    Spike Threshold Total by Account
    Spike Baseline Total by Account
    Spike Threshold Total Overall
    Spike Baseline Total Overall
    Spike Threshold Total by Logon Type
    Spike Baseline Total by Logon Type

Event Family: Account Management
  Event: Accounts
    Account Created
    Local Account Created
    Account Enabled
    Account Disabled
    Account Deleted
    Account Changed
    Account Unlocked
    Privileged Account Disabled
    Privileged Account Deleted
    Terminated Account Enabled
  Event: Security Groups
    Security Enabled Global Group Created
    Security Enabled Local Group Created
    Security Enabled Universal Group Created
    Security Enabled Global Group Deleted
    Security Enabled Local Group Deleted
    Security Enabled Universal Group Deleted
    Security Enabled Global Group Changed
    Security Enabled Local Group Changed
    Security Enabled Universal Group Changed
    Member Added to Security Enabled Global Group
    Member Removed from Security Enabled Global Group
    Member Added to Security Enabled Local Group
    Member Removed from Security Enabled Local Group
    Member Added to Security Enabled Universal Group
    Member Removed from Security Enabled Universal Group
    Security Disabled Global Group Created
    Security Disabled Local Group Created
    Security Disabled Universal Group Created
    Security Disabled Global Group Deleted
    Security Disabled Local Group Deleted
    Security Disabled Universal Group Deleted
    Security Disabled Global Group Changed
    Security Disabled Local Group Changed
    Security Disabled Universal Group Changed
    Member Added to Security Disabled Global Group
    Member Removed from Security Disabled Global Group
    Member Added to Security Disabled Local Group
    Member Removed from Security Disabled Local Group
    Member Added to Security Disabled Universal Group
    Member Removed from Security Disabled Universal Group
    Members Added to Known Privileged Groups
    Members Added to Admin Groups

Event Family: System Changes
    Audit Log Cleared
    Audit Policy Change
    Authentication Policy Change
    Authorization Policy Change
    Security Event Log Cleared
    Domain Policy Change
    System Audit Policy Change
    System Time Change

Event Family: Security Alerts
  Event: Brute Force
    Multiple Failed Logons Followed by Successful Logon
    Spike by Threshold Overall
    Top 10 Accounts With Failed Logons
    Windows Failed Logon Attempts
    Top 10 Accounts With Failed Interactive Logons
    Possible Brute Force Attack - Outlier Analysis
    High Number of Failed Logons Per Second
  Event: Privilege Escalation
    Account Added & Removed from Security Enabled Groups
    Special Privileges Assigned to Non Privileged Users
    Privilege Self Escalation
  Event: Windows Kerberoasting
    Possible Kerberoasting Attempt
    Spike in TGT Requests
  Event: Lateral Movement
    Rare Usage of Run As Command
    Users Accessing Multiple Hosts Using Explicit Credentials
    Users Accessing Multiple Hosts
    Possible Pass The Hash
    Possible Pass The Ticket
  Event: Malware Detection
    Rare Process Executed
    Rare Process Created
    Rare Process Executed from Unusual Directories
    Rare Process Created in Unusual Directories
    Possible Malicious Process Execution
    Process Name Spoofing
    Scheduled Task Creation
    Rare Scheduled Task Updates
  Event: Password Reset Anomaly
    Terminated Account Password Reset
    Privileged Account Password Reset
    Rare Password Resets
    Successful Password Resets
  Event: Suspicious Accounts
    Short Lived Accounts
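
The Brute Force use cases in the table above, in particular "Multiple Failed Logons Followed by Successful Logon" and "High Number of Failed Logons Per Second", are a sequence check and a rate check over Windows Security events 4625 (failed logon) and 4624 (successful logon). The Python below is an added illustration of both checks; it is not Sumo Logic content or the Professional Services queries. The events are constructed, the field names follow the Windows Security event schema, and the thresholds (five failures within ten minutes before a success; more than ten failures per second from one source) are assumptions to tune per environment.

```python
"""Brute-force indicators over Windows Security events (added example).

The records below are constructed to resemble events 4625 (failed logon) and
4624 (successful logon) with the TargetUserName, IpAddress and LogonType
fields those events carry. Thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, event_id, user, ip, logon_type=3):
    return {"time": time, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample: one account that fails six times and then succeeds, one
# normal user with a single typo, and one source that sprays twelve accounts
# within a single second without ever succeeding.
SAMPLE_EVENTS = (
    [_ev(f"2024-03-01T02:00:0{i}", 4625, "jdoe", "10.1.1.50") for i in range(6)]
    + [_ev("2024-03-01T02:00:08", 4624, "jdoe", "10.1.1.50")]
    + [_ev("2024-03-01T02:05:00", 4625, "asmith", "10.1.1.60"),
       _ev("2024-03-01T02:05:04", 4624, "asmith", "10.1.1.60")]
    + [_ev("2024-03-01T02:10:00", 4625, f"user{i:02d}", "10.9.9.9") for i in range(12)]
)


def parse_time(value):
    return datetime.fromisoformat(value)


def failed_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """'Multiple Failed Logons Followed by Successful Logon': for every
    (account, source IP) pair keep the 4625 events seen inside `window`; when a
    4624 arrives with at least `min_failures` of them still pending, raise an
    alert. Pending failures are cleared after each success so one burst
    produces one alert."""
    pending = defaultdict(deque)
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        key = (event["TargetUserName"], event["IpAddress"])
        now = parse_time(event["time"])
        queue = pending[key]
        while queue and now - queue[0] > window:   # expire failures outside the window
            queue.popleft()
        if event["EventID"] == 4625:
            queue.append(now)
        elif event["EventID"] == 4624:
            if len(queue) >= min_failures:
                alerts.append({"account": key[0], "source": key[1],
                               "failures": len(queue), "success_at": event["time"]})
            queue.clear()
    return alerts


def failed_logon_rate(events, per_second_threshold=10):
    """'High Number of Failed Logons Per Second': count 4625 events per source
    IP in one-second buckets and report buckets above the threshold. This
    catches password spraying, which never trips the per-account rule above
    because each account fails only once."""
    counts = defaultdict(int)
    for event in events:
        if event["EventID"] != 4625:
            continue
        bucket = parse_time(event["time"]).replace(microsecond=0)
        counts[(event["IpAddress"], bucket)] += 1
    return [{"source": source, "second": bucket.isoformat(), "failures": n}
            for (source, bucket), n in sorted(counts.items()) if n > per_second_threshold]


if __name__ == "__main__":
    for alert in failed_then_success(SAMPLE_EVENTS) + failed_logon_rate(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately keyed differently: the sequence rule on (account, source) so a burst against one account is attributed to its origin, the rate rule on source alone so a spray across many accounts is still visible. On the constructed sample the first rule fires once for jdoe and the second once for 10.9.9.9.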


Linux OS

Description

Authentication: Monitor all authentication activity, successful and failed, across the entire organization. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high value systems) as well as behaviour related outliers (e.g. unusual activity, spikes, etc.).

Account Management: Monitor all activity involving users and groups. This includes monitoring special sets of users and groups (e.g. privileged, terminated, local, service, etc.).

System Changes: Monitor all important and invasive system and configuration changes. This includes relevant policy changes (e.g. Audit Policies on Microsoft Windows Operating Systems), activity involving new and existing services as well as any other relevant configuration or change activity.

Security Alerts: Monitor for known threats and attack vectors as well as other potential indicators of compromise, including brute force attacks, unauthorized privilege escalation, password reset anomalies, etc.

Log Requirements
Debian-based systems: /var/log/syslog, /var/log/auth.log
RedHat-based systems: /var/log/messages, /var/log/secure

Note: many of these use cases can also be built if auditd is available.
Indicators

Event Family: Authentication
  Event: Successful Login
    Interactive Logons At Unusual Hours
    Remote Logons At Unusual Hours
    Interactive Logons by Service Accounts
    Remote Logons by Service Accounts
    Interactive Logons by Terminated Accounts
    Remote Logons by Terminated Accounts
    Interactive Logons by Privileged Accounts
    Remote Logons by Privileged Accounts
    High Value Systems
    Non Expected Origin
  Event: Failed Login
    Interactive Logons by Service Accounts
    Remote Logons by Service Accounts
    Interactive Logons by Ter
    Remote Logons by Terminated Accounts
    Interactive Logons by Privileged Accounts
    Remote Logons by Privileged Accounts
    High Value Systems
    Spike Threshold Total by Origin
    Spike Baseline Total by Origin
    Spike Threshold Total by Target
    Spike Baseline Total by Target
    Spike Threshold Total by Account
    Spike Baseline Total by Account
    Spike Threshold Total Overall
    Spike Baseline Total Overall
    Spike Threshold Total by Logon Type
    Spike Baseline Total by Logon Type

Event Family: Privileged Activity
  Event: Successful
    Command Executions As Root
    Escalation to Root
    Root Interactive Logon
    Switch User Activity
  Event: Failed
    Command Executions As Root
    Switch User to Root
    Root Interactive Logon
    Switch User Activity

Event Family: Account Management
  Event: Accounts
    Account Created
    Account Deleted
    Account Changed
    Privileged Account Deleted
    Privileged Account Changed
    Account Added to Sudoers
    Account Added to Privileged Group
  Event: Groups
    Group Created
    Group Deleted
    Group Changed
    Group Added to Sudoers
    Privileged Group Created
    Privileged Group Deleted
    Privileged Group Changed

Event Family: System Changes
    System Restarted
    Service Shutdown
    Service Started
    Critical Service Interruption
    System Time Change

Event Family: Security Alerts
  Event: Brute Force
    Multiple Failed Logons Followed by Successful Logon
    High Number of Failed Logons Per Second
  Event: Privilege Escalation
    Privilege Self Escalation
  Event: Lateral Movement
    Users Accessing Multiple Hosts
  Event: Password Reset Anomaly
    Terminated Account Password Reset
    Privileged Account Password Reset
    Rare Password Resets
    Successful Password Resets
    Failed Password Changes
  Event: Session Monitoring
    Abnormal Session Durations
  Event: Data Exfiltration
    Use of Insecure File Transfer Methods
  Event: Privileged Activity Anomaly
    Changes to Password Files
    Changes to Hosts Files
    Changes to DNS Resolution Files
  Event: Suspicious Accounts
    Short Lived Accounts

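
The Privileged Activity use cases above ("Command Executions As Root", "Escalation to Root", "Switch User to Root", "Root Interactive Logon") depend on parsing sudo, su and sshd messages out of /var/log/auth.log or /var/log/secure and classifying each as successful or failed. The Python below is an added example and not Sumo Logic content: the log lines are constructed, the message patterns cover the common Debian and RedHat shapes (formats vary by version, and auditd gives a more reliable source where it is available), and the mapping from message to use case name follows the table.

```python
"""Privileged-activity indicators parsed from auth.log style lines (added example).

The lines below are constructed. sudo, su and sshd message formats differ
between distributions and versions; the patterns here cover the common shapes.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    "Mar  1 02:13:01 web01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  1 02:13:05 web01 su[2210]: Successful su for root by jdoe",
    "Mar  1 02:14:30 web01 su[2231]: FAILED SU (to root) bob on /dev/pts/1",
    "Mar  1 02:14:40 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  1 02:15:10 web01 sshd[2300]: Accepted publickey for root from 10.1.1.77 port 51234 ssh2: RSA SHA256:constructed-fingerprint",
    "Mar  1 02:16:00 web01 sudo:    alice : TTY=pts/2 ; PWD=/srv ; USER=www-data ; COMMAND=/usr/bin/ls",
    "Mar  1 02:16:30 web01 su: (to postgres) admin on pts/3",
    "Mar  1 02:17:00 web01 sshd[2350]: Failed password for root from 10.9.9.9 port 40000 ssh2",
    "Mar  1 02:17:30 web01 sshd[2351]: Accepted password for alice from 10.1.1.5 port 40100 ssh2",
]

# sudo logs one line per command; failures carry a reason before the TTY field.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) :(?P<detail>.*?); USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Older shadow su and newer util-linux su log successful switches differently.
SU_OK_OLD_RE = re.compile(r"\bsu(?:\[\d+\])?: Successful su for (?P<target>\S+) by (?P<user>\S+)")
SU_OK_NEW_RE = re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on ")
SU_FAIL_RE = re.compile(r"\bsu(?:\[\d+\])?: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on ")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def classify(line):
    """Map one auth.log line to a Privileged Activity use case, or None when
    the line is not root related."""
    m = SUDO_RE.search(line)
    if m:
        if m.group("target") != "root":
            return None
        detail = m.group("detail")
        failed = "incorrect password" in detail or "command not allowed" in detail
        return {"use_case": "Command Executions As Root", "outcome": "failed" if failed else "successful",
                "user": m.group("user"), "command": m.group("cmd").strip()}
    m = SU_FAIL_RE.search(line)
    if m:
        use_case = "Switch User to Root" if m.group("target") == "root" else "Switch User Activity"
        return {"use_case": use_case, "outcome": "failed", "user": m.group("user"), "target": m.group("target")}
    m = SU_OK_OLD_RE.search(line) or SU_OK_NEW_RE.search(line)
    if m:
        use_case = "Escalation to Root" if m.group("target") == "root" else "Switch User Activity"
        return {"use_case": use_case, "outcome": "successful", "user": m.group("user"), "target": m.group("target")}
    m = SSH_RE.search(line)
    if m and m.group("user") == "root":
        return {"use_case": "Root Interactive Logon",
                "outcome": "successful" if m.group("result") == "Accepted" else "failed",
                "user": "root", "source": m.group("ip"), "method": m.group("method")}
    return None


def analyze(lines):
    return [hit for hit in map(classify, lines) if hit]


def summarize(lines):
    """Counter keyed by (use_case, outcome): the shape a dashboard panel needs."""
    return Counter((hit["use_case"], hit["outcome"]) for hit in analyze(lines))


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LINES):
        print(hit)
```

Non-root sudo and ssh activity is returned as None on purpose so that the root view stays focused; the Authentication family in the table covers those logons separately. Note that a failed sudo is still a "Command Executions As Root" event with a failed outcome, which is what makes the Failed column of the table possible from the same line format.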
Cloud Platforms
Amazon Web Services - Cloudtrail

Description

Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high value systems) as well as behaviour related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.

Account Management: Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.

Security Groups: Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.

Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Log Requirements
AWS Cloudtrail Logs
Indicators

Event Family: Authentication
  Event: Successful
    Console Logins
    Console Logins - MFA
    Console Logins - SAML
    Assumed Role Events
    Privileged Accounts
  Event: Failed
    Console Logins
    Console Logins - MFA
    Console Logins - SAML
    Assumed Role Events
    Privileged Accounts
    Spike Threshold Total by Origin
    Spike Baseline Total by Origin
    Spike Threshold Total by Account
    Spike Baseline Total by Account
    Spike Threshold Total Overall
    Spike Baseline Total Overall

Event Family: Account Management (IAM)
  Event: Roles
    Role Created
    Role Deleted
  Event: User
    User Created
    User Deleted
  Event: Group
    Group Created
    Group Deleted
  Event: Policy
    Policy Created
    Policy Deleted
  Event: Access Key
    Access Key Created
    Access Key Deleted
  Event: Password Change
    Password Changed
  Event: Group Management
    User Added to Group
    User Removed from Group
  Event: Policy Management
    User Attached to Policy
    User Removed from Policy
    Group Attached to Policy
    Group Removed from Policy

Event Family: Security Alert
  Event: Root Usage
    Activity with Root Account
  Event: Log Tampering
    Trail Stopped
    Trail Deleted
  Event: Security Group Risk
    Permit Any Security Groups
  Event: Suspicious Accounts
    Short Lived Accounts
  Event: EC2 Instance Tampering
    Mass Creation of instances
    Mass Deletion of instances
  Event: Suspicious Logins
    Activity by User from Threat Actor Geo
    Activity by User from Outside the US
    Activity by User from 2+ different IP's in short timeframe
    Activity by User from 2+ different Geo's in short timeframe
    Activity by User from Known Bad IP
    Login without MFA
    Login bypassing SAML

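
The Suspicious Logins use cases above, in particular "Activity by User from 2+ different Geo's in short timeframe" (the landspeed check mentioned under Account Misuse/Sharing) and "Login without MFA", can be evaluated directly from CloudTrail ConsoleLogin records. The Python below is an added example and not Sumo Logic content: the records are constructed using CloudTrail's real field names for ConsoleLogin events, the IP-to-coordinate table is an assumption standing in for a GeoIP lookup, and the 900 km/h limit is an assumed landspeed threshold.

```python
"""Suspicious console logins from CloudTrail ConsoleLogin records (added example).

Records are constructed with the CloudTrail field names for ConsoleLogin events
(eventTime, sourceIPAddress, userIdentity.userName, responseElements.ConsoleLogin,
additionalEventData.MFAUsed). GEO stands in for a GeoIP lookup and the speed
limit is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP stand-in: documentation IP addresses mapped to city coordinates.
GEO = {
    "203.0.113.10": (40.71, -74.01),   # New York
    "198.51.100.7": (51.51, -0.13),    # London
    "192.0.2.44": (42.36, -71.06),     # Boston
}


def _login(time, user, ip, result="Success", mfa="Yes"):
    return {"eventTime": time, "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa}}


SAMPLE_RECORDS = [
    _login("2024-03-01T10:00:00Z", "alice", "203.0.113.10"),
    _login("2024-03-01T10:30:00Z", "alice", "198.51.100.7"),          # New York -> London in 30 minutes
    _login("2024-03-01T11:00:00Z", "bob", "203.0.113.10", mfa="No"),   # console login without MFA
    _login("2024-03-01T13:00:00Z", "bob", "192.0.2.44"),               # New York -> Boston in 2 hours
    _login("2024-03-01T13:05:00Z", "carol", "198.51.100.7", result="Failure"),
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def successful_logins(records):
    return [r for r in records if r["eventName"] == "ConsoleLogin"
            and r["responseElements"].get("ConsoleLogin") == "Success"]


def impossible_travel(records, max_speed_kmh=900.0):
    """'Activity by User from 2+ different Geo's in short timeframe': compare
    consecutive successful logins per user and flag pairs whose implied speed
    exceeds max_speed_kmh. IPs the lookup cannot place are skipped, not guessed."""
    by_user = defaultdict(list)
    for r in sorted(successful_logins(records), key=lambda r: r["eventTime"]):
        by_user[r["userIdentity"]["userName"]].append(r)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev["sourceIPAddress"] not in GEO or cur["sourceIPAddress"] not in GEO:
                continue
            km = haversine_km(GEO[prev["sourceIPAddress"]], GEO[cur["sourceIPAddress"]])
            hours = (parse_time(cur["eventTime"]) - parse_time(prev["eventTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["sourceIPAddress"], "to": cur["sourceIPAddress"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


def logins_without_mfa(records):
    """'Login without MFA': successful console logins whose MFAUsed is not 'Yes'."""
    return [{"user": r["userIdentity"]["userName"], "time": r["eventTime"], "source": r["sourceIPAddress"]}
            for r in successful_logins(records)
            if r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_RECORDS) + logins_without_mfa(SAMPLE_RECORDS):
        print(alert)
```

Two caveats matter when this runs on real data. A login from an IP the geolocation source cannot place is skipped rather than scored, because an unplaced IP would otherwise produce either a false alert or a silent miss depending on the default used. And the MFA check as written applies to IAM users; for federated logins the MFA decision is made at the identity provider, so check userIdentity.type before treating such a record as a "Login without MFA", which is why "Login bypassing SAML" is a separate use case in the table.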
Amazon Web Service - VPC

Description

Traffic Monitoring: Investigate network traffic patterns and identify threats and risks across your VPC estate.

DLP: Protect sensitive data by detecting and alerting on abnormalities in the amount of data being sent out of the internal network. These use cases focus on well-known file transfer ports, rare geolocations and malicious IPs to detect any deviation from the usual traffic behavior.

Denial of Service: Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.

Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.

Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Log Requirements
AWS VPC Flow Logs
Indicators

Event Family: Traffic Monitoring
  Event: Outbound
    Accepted Traffic
    TCP Traffic
    UDP Traffic
    ICMP Traffic
    Top 10 Accepted Accounts
    Top 10 Blocked Accounts
    Top 10 Accepted Source IPs
    Top 10 Blocked Source IPs
    Top 10 Accepted Destination IPs
    Top 10 Blocked Destination IPs
    Traffic Geolocation Monitoring by Destination
    Traffic Geolocation Monitoring by Destination - Blocked Traffic
    Top 10 Geolocations by Destination
    Top 10 Geolocations by Destination - Blocked Traffic
    Traffic to Rare Geolocations
    Traffic to Rare Geolocations - Blocked Traffic
  Event: Inbound
    Accepted Traffic
    Dropped Traffic
    Traffic From Malicious IPs
    TCP Traffic
    UDP Traffic
    ICMP Traffic
    Top 10 Accepted Accounts
    Top 10 Blocked Accounts
    Top 10 Accepted Source IPs
    Top 10 Blocked Source IPs
    Top 10 Accepted Destination IPs
    Top 10 Blocked Destination IPs
    Traffic Geolocation Monitoring by Source
    Traffic Geolocation Monitoring by Source - Blocked Traffic
    Top 10 Geolocations by Source
    Top 10 Geolocations by Source - Blocked Traffic
    Traffic From Rare Geolocations
    Traffic From Rare Geolocations - Blocked Traffic

Event Family: DLP
  Event: Successful
    High Number of Bytes Sent - Threshold by Source
    High Number of Bytes Sent to Rare Geolocations
    Abnormal Volume of Bytes Sent - Spike by Resource
    Abnormal Volume of Bytes Sent - Spike by Source
    Abnormal Volume of Bytes Sent - Spike by Destination
    Top 10 Source IPs by Bytes Sent
    Top 10 Destination IPs by Bytes Sent
  Event: Blocked
    Abnormal Volume of Bytes Sent - Spike by Resource
    Abnormal Volume of Bytes Sent - Spike by Source
    Abnormal Volume of Bytes Sent - Spike by Destination
    Data Egress Over Covert Channels

Event Family: DOS
  Event: Inbound
    Abnormal Number of Requests From Same IP - Spike by Source
    Abnormal Number of Dropped Requests From Same IP - Spike by Source
    Spike In Network Traffic - Spike by Resource
    High Number of Requests Per Second - Spike by Source

Event Family: Security Alerts
  Event: Inbound
    Traffic From Rare Sources
    Traffic From Blacklisted Geolocations
    Insecure Traffic
    Activity On High Ports
    High Number of Rejected Events Followed by Accepted Event
  Event: Outbound
    Traffic to Malicious IPs
    Traffic to Rare Destinations
    Traffic to Blacklisted Geolocations
    Insecure Traffic
    Activity On High Ports

Event Family: Robotic Behavior
  Event: Outbound
    Beaconing Traffic to Malicious Domains
    Beaconing Traffic
  Event: Inbound
    Beaconing Traffic From Malicious Domains
    Beaconing Traffic

Google Cloud Platform - Audit

Description

Administration Activity: Monitor administrative activity, including geolocations, IP addresses and user agents, for successful and failed events related to user and role management, service accounts, firewall policy changes and instance group management.

Data Access: Monitor all attempts to access the Cloud SQL database and attempts to extract data using BigQuery resources.

System Events: Monitor critical system events including system shutdowns, restarts, failures, etc.

Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Log Requirements
Google Cloud Audit Logs
Indicators

Event Family: Admin Activity
  Event: Overview - Success
    Admin Activity Events
    Geolocation Monitoring
    Rare Geolocations
    Top 10 Accounts
    Top 10 Projects
    Top 10 Permissions
    Top 10 Operations
    Top 10 Source IPs
    Top 10 User Agents
    Rare Operations
  Event: Overview - Failed
    Failed Admin Activity Events
    Geolocation Monitoring
    Rare Geolocations
    Top 10 Accounts
    Top 10 Projects
    Top 10 Permissions
    Top 10 Operations
    Top 10 Source IPs
    Top 10 User Agents
    Rare Operations
    Spike In Failed Events - by Source IP
    Spike In Failed Events - by Account
    Spike In Failed Events - by Resource
  Event: IAM
    Role Creation
    Role Deletion
    Role Undeletion
    Rare Accounts Modifying Roles
    Top 10 Projects
    Top 10 Accounts
    Short Lived Roles
    Failed Iam Role Tampering Attempts
    Excessive Failed Iam Role Tampering Attempts
  Event: Instance Group Manager
    Group Manager Updates
    Group Manager Creation
    Group Manager Deletion
    Rare Accounts Modifying Instance Groups
    Top 10 Projects
    Top 10 Accounts
  Event: Service Account
    Service Account Creation
    Service Account Deletion
    Failed Service Account Creation/deletion
    Short Lived Accounts
    Rare Accounts Creating/deleting Service Accounts
  Event: Firewall
    Firewall Policy Updates
    Firewall Policy Creation
    Firewall Policy Deletion
    Rare Accounts Modifying Policies
    Rare Firewall Policy
    Complete Ingress Access Granted
    Complete Egress Access Granted
    Top 10 Projects
    Top 10 Accounts

Event Family: Data Access
  Event: Overview - Successful
    Geolocation Monitoring
    Rare Geolocations
    Top 10 Operations
    Top 10 Source IPs
    Top 10 User Agents
    Rare Operations
  Event: Overview - Failed
    Geolocation Monitoring
    Rare Geolocations
    Top 10 Operations
    Top 10 Source IPs
    Top 10 User Agents
    Rare Operations
    Spike In Failed Events - by Source IP
    Spike In Failed Events - by Account
    Spike In Failed Events - by Resource
  Event: Cloud SQL - Successful
    Top 10 Accounts
    Top 10 Source IPs
    Top 10 Permissions
    Top 10 Instances
    Top 10 Projects
  Event: Cloud SQL - Failed
    Top 10 Accounts
    Top 10 Source IPs
    Top 10 Permissions
    Top 10 Instances
    Top 10 Projects
    Excessive Failed Operations
    Multiple Failed Attempts Followed by Successful Attempt
  Event: Big Query - Successful
    Top 10 Accounts
    Top 10 Source IPs
    Top 10 Permissions
    Top 10 Instances
    Top 10 Projects
  Event: Big Query - Failed
    Top 10 Accounts
    Top 10 Source IPs
    Top 10 Permissions
    Top 10 Instances
    Top 10 Projects
    Excessive Failed Operations
    Multiple Failed Attempts Followed by Successful Attempt

Event Family: System Events
    Successful System Events
    Failed System Events
    Rare System Events

Event Family: Security Alerts
    Traffic From Malicious IPs
    Traffic to Malicious IPs
    Traffic From Blacklisted Countries
    Traffic to Blacklisted Countries
    Traffic From Malicious User Agents
    Spike In Failed Authentication Attempts - by Account
    Spike In Failed Authentication Attempts - by Instance
    Spike In Failed Authentication Attempts - by Resource

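
The "Spike In Failed Events - by Account" use cases above, like the paired "Spike Threshold" and "Spike Baseline" use cases in the Windows, Linux, AWS and Azure tables, rest on two different ideas: a fixed count per time bucket versus a deviation from each entity's own history. The Python below is an added example, not Sumo Logic content, showing both over constructed entries shaped like Cloud Audit Log records (timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.status.code, where a non-zero status code marks a failed call). The 5-minute bucket, the fixed threshold of 20, the three-sigma rule, the six-bucket minimum history and the floor of five events are assumptions.

```python
"""Spike Threshold vs Spike Baseline over failed audit events (added example).

Records are constructed in the shape of Cloud Audit Log entries. Bucket size,
threshold, sigma multiplier, history length and event floor are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 300
T0 = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)


def _entry(seconds_after_t0, principal, code):
    stamp = datetime.fromtimestamp(T0.timestamp() + seconds_after_t0, tz=timezone.utc)
    return {"timestamp": stamp.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "protoPayload": {"serviceName": "iam.googleapis.com",
                             "authenticationInfo": {"principalEmail": principal},
                             "status": {"code": code}}}


def _build_sample():
    # Constructed: a service account with a steady trickle of PERMISSION_DENIED (7)
    # results that jumps to 9 in the last bucket, an external account that appears
    # only in the last bucket with 25 failures, and a user whose calls succeed (0).
    svc = "svc-builder@example-project.iam.gserviceaccount.com"
    records = []
    trickle = [2, 1, 3, 2, 2, 1, 3, 2, 2, 1, 3, 2, 9]
    for bucket, count in enumerate(trickle):
        records += [_entry(bucket * BUCKET_SECONDS + i, svc, 7) for i in range(count)]
    records += [_entry(12 * BUCKET_SECONDS + i, "ext-user@example.com", 7) for i in range(25)]
    records += [_entry(b * BUCKET_SECONDS + 30, "alice@example.com", 0) for b in range(13)]
    return records


SAMPLE_RECORDS = _build_sample()


def is_failed(record):
    return record["protoPayload"].get("status", {}).get("code", 0) != 0


def bucket_failed_events(records, bucket_seconds=BUCKET_SECONDS):
    """Return (bucket_starts, {principal: [count per bucket]}) with zero-filled
    gaps: a baseline computed only over buckets that had events is biased upward."""
    failed = [(int(datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
                   .replace(tzinfo=timezone.utc).timestamp()),
               r["protoPayload"]["authenticationInfo"]["principalEmail"])
              for r in records if is_failed(r)]
    first = min(t for t, _ in failed) // bucket_seconds
    last = max(t for t, _ in failed) // bucket_seconds
    width = last - first + 1
    series = defaultdict(lambda: [0] * width)
    for t, principal in failed:
        series[principal][t // bucket_seconds - first] += 1
    starts = [datetime.fromtimestamp((first + i) * bucket_seconds, tz=timezone.utc) for i in range(width)]
    return starts, dict(series)


def threshold_spikes(series, starts, threshold=20):
    """Spike Threshold: a fixed count per bucket, independent of history."""
    return sorted((principal, starts[i].isoformat(), n)
                  for principal, counts in series.items()
                  for i, n in enumerate(counts) if n > threshold)


def baseline_spikes(series, starts, k=3.0, min_history=6, min_count=5):
    """Spike Baseline: flag a bucket whose count exceeds mean + k*stdev of that
    principal's earlier buckets. min_count is the floor that keeps a flat
    baseline (stdev 0) from alerting on every single event."""
    hits = []
    for principal, counts in series.items():
        for i in range(min_history, len(counts)):
            history = counts[:i]
            limit = statistics.mean(history) + k * statistics.pstdev(history)
            if counts[i] >= min_count and counts[i] > limit:
                hits.append((principal, starts[i].isoformat(), counts[i]))
    return sorted(hits)


if __name__ == "__main__":
    starts, series = bucket_failed_events(SAMPLE_RECORDS)
    print("threshold:", threshold_spikes(series, starts))
    print("baseline:", baseline_spikes(series, starts))
```

On the sample the two rules disagree in an instructive way: the service account's jump from about 2 to 9 failures never reaches the fixed threshold of 20 but is more than three standard deviations above its own baseline, while the external account trips both because it has no history at all. The document pairs the two use cases for exactly this reason; one catches an absolute flood, the other a relative change.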
Google Cloud Platform - Firewall

Description

Traffic Monitoring: Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information. These use cases give end users a holistic view of the incoming and outgoing traffic.

Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Firewall Rules: Monitor events accepted and blocked by firewall rules and correlate firewall events with firewall policy changes from audit logs.

Log Requirements
GCP Firewall Logs
Indicators

Event Family: Traffic Monitoring
  Event: Ingress - Allowed
    TCP Traffic
    UDP Traffic
    Top 10 Project IDs
    Top 10 Instances
    Top 10 VPCs
    Top 10 Subnetworks
    Top 10 Protocols
    Top 10 Destination IPs
    Top 10 Source IPs
    Traffic Geolocation Monitoring by Source
    Top 10 Geolocations by Source
    Traffic From Rare Geolocations
  Event: Egress - Allowed
    TCP Traffic
    UDP Traffic
    Top 10 Project IDs
    Top 10 Instances
    Top 10 VPCs
    Top 10 Subnetworks
    Top 10 Protocols
    Top 10 Destination IPs
    Top 10 Source IPs
    Traffic Geolocation Monitoring by Destination
    Top 10 Geolocations by Destination
    Traffic From Rare Geolocations
  Event: Ingress - Denied
    TCP Traffic
    UDP Traffic
    Top 10 Project IDs
    Top 10 Instances
    Top 10 VPCs
    Top 10 Subnetworks
    Top 10 Protocols
    Top 10 Destination IPs
    Top 10 Source IPs
    Traffic Geolocation Monitoring by Source
    Top 10 Geolocations by Source
    Traffic From Rare Geolocations
  Event: Egress - Denied
    TCP Traffic
    UDP Traffic
    Top 10 Project IDs
    Top 10 Instances
    Top 10 VPCs
    Top 10 Subnetworks
    Top 10 Protocols
    Top 10 Destination IPs
    Top 10 Source IPs
    Traffic Geolocation Monitoring by Destination
    Top 10 Geolocations by Destination
    Traffic From Rare Geolocations

Event Family: Security Alerts
    Rare Protocol On Instance
    Rare Protocol On VPC
    Traffic From Rare Sources
    Traffic From Blacklisted Geolocations
    Insecure Traffic
    Possible Covert Channel
    Unusual Ports Used On Instance
    Unusual Ports Used On VPC
    Unusual Ports Used On Project ID
    Traffic to Instance From Rare Geolocation
    Traffic to VPC From Rare Geolocation
    Traffic to Zone From Rare Geolocation
    Traffic to Malicious IPs
    Traffic From Malicious IPs
    Activity On High Ports

Event Family: Firewall Rules
  Event: Allowed
    Top 10 Rules by Instance
    Top 10 Rules by Network
    Rare Allowed Rule On Instance
    Possible Firewall Rule Circumvention
    Allowed Traffic Trend by Firewall Rule Priority
  Event: Denied
    Top 10 Rules by Instance
    Top 10 Rules by Network
    Rare Denied Rule On Instance
    Spike In Denied Events - by VPC
    Spike In Denied Events - by Instance
    Spike In Priority 10 Events - by Instance
    Traffic Trend by Firewall Rule Priority
    Rare Denied IP Protocol
    Rare Denied Port Range

Google Cloud Platform - VPC

Description

Traffic Monitoring: Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information. These use cases give end users a holistic view of the incoming and outgoing traffic.

DLP: Protect sensitive data by detecting and alerting on abnormalities in the amount of data being sent out of the internal network. These use cases focus on well-known file transfer ports, rare geolocations and malicious IPs to detect any deviation from the usual traffic behavior.

Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Robotic Behavior: Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.

Log Requirements
GCP VPC Logs
Indicators

Event Family: Traffic Monitoring
  Event: Ingress
    TCP Traffic
    UDP Traffic
    Top 10 Project IDs
    Top 10 Instances
    Top 10 VPCs
    Top 10 Subnetworks
    Top 10 Protocols
    Top 10 Destination IPs
    Top 10 Source IPs
    Traffic Geolocation Monitoring by Source
    Top 10 Geolocations by Source
    Traffic From Rare Geolocations
  Event: Egress
    TCP Traffic
    UDP Traffic
    Top 10 Project IDs
    Top 10 Instances
    Top 10 VPCs
    Top 10 Subnetworks
    Top 10 Protocols
    Top 10 Destination IPs
    Top 10 Source IPs
    Traffic Geolocation Monitoring by Destination
    Top 10 Geolocations by Destination
    Traffic From Rare Geolocations

Event Family: Security Alerts
    Rare Protocol On Instance
    Rare Protocol On VPC
    Rare Protocol On Network
    Traffic From Rare Sources
    Traffic From Blacklisted Geolocations
    Insecure Traffic
    Possible Covert Channel
    Unusual Ports Used On Instance
    Unusual Ports Used On VPC
    Unusual Ports Used On Project ID
    Traffic to Instance From Rare Geolocation
    Traffic to VPC From Rare Geolocation
    Traffic to Zone From Rare Geolocation
    Traffic to Malicious IPs
    Traffic From Malicious IPs
    Traffic From Anonymous Proxy
    Traffic to Tor Exit Nodes
    Activity On High Ports

Event Family: Denial of Service
  Event: Ingress
    Spike In Network Traffic - by Resource
    Spike In Network Traffic - by Network
    Spike In Network Traffic - by VPC
    Spike In Network Traffic - by Instance
    High Number of Requests Per Second
    Multiple IPs With Requests to Same VPC

Event Family: DLP
  Event: Egress
    Top 10 VPCs - by Bytes Sent
    Top 10 Networks - by Bytes Sent
    Top 10 Projects - by Bytes Sent
    Top 10 Destination IPs - by Bytes Sent
    Top 10 Regions - by Bytes Sent
    Spike In Bytes Sent - by Instance
    Spike In Bytes Sent - by VPC
    Spike In Bytes Sent - by Project
    Spike In Bytes Sent - by Network

Event Family: Robotic Behavior
  Event: Egress
    Beaconing Traffic to Malicious Domains
    Beaconing Traffic From Instance
  Event: Ingress
    Beaconing Traffic From Malicious Domains
    Beaconing Traffic to Instance

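
The Robotic Behavior use cases ("Beaconing Traffic From Instance" here, and "Beaconing Traffic" in the AWS VPC table earlier) look for connections that recur at a near-constant period, since request frequency regularity is what separates a scheduled check-in from human-driven traffic. The Python below is an added example and not Sumo Logic content. The input is constructed in the AWS VPC Flow Logs default format; GCP VPC flow logs carry the same source, destination, port and start-time tuple as JSON fields and feed the same detector once mapped. The eight-connection minimum and the 0.1 jitter bound are assumptions.

```python
"""Beaconing detection over VPC flow records (added example).

Input lines are constructed in the AWS VPC Flow Logs default format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status. Minimum connections and the
jitter bound are assumptions.
"""
import statistics
from collections import defaultdict

FIELDS = ["version", "account", "interface", "src", "dst", "sport", "dport", "proto",
          "packets", "bytes", "start", "end", "action", "status"]


def parse_flow_line(line):
    """Parse one default-format record; return None for the header line and for
    NODATA/SKIPDATA records, whose numeric fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2" or parts[13] != "OK":
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("sport", "dport", "proto", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def _line(src, dst, sport, dport, nbytes, start):
    return f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 4 {nbytes} {start} {start + 1} ACCEPT OK"


def _build_sample():
    base = 1709280000  # 2024-03-01T08:00:00Z
    lines = ["version account-id interface-id srcaddr dstaddr srcport dstport protocol "
             "packets bytes start end action log-status"]
    # Constructed: 10.0.1.15 reaches 198.51.100.20:443 every 60 s with +/-1 s of jitter...
    lines += [_line("10.0.1.15", "198.51.100.20", 49000 + i, 443, 812, base + 60 * i + (i % 3) - 1)
              for i in range(20)]
    # ...and also browses 203.0.113.5:443 at irregular intervals, as a person would.
    t, browse = base, []
    for gap in [0, 5, 120, 17, 600, 45, 3, 250, 90, 30, 400]:
        t += gap
        browse.append(_line("10.0.1.15", "203.0.113.5", 51000 + len(browse), 443, 1500 + 97 * len(browse), t))
    lines += browse
    lines.append("2 123456789012 eni-0a1b2c3d - - - - - - - 1709280000 1709280600 - NODATA")
    lines.append(_line("10.0.1.22", "198.51.100.20", 52000, 443, 812, base + 7))  # one-off connection
    return lines


SAMPLE_FLOW_LINES = _build_sample()


def detect_beacons(lines, min_connections=8, max_jitter=0.1):
    """'Beaconing Traffic': group flows by (src, dst, dport), compute the gaps
    between consecutive flow start times and flag groups whose gaps are nearly
    constant (coefficient of variation below max_jitter)."""
    starts = defaultdict(list)
    for rec in filter(None, map(parse_flow_line, lines)):
        starts[(rec["src"], rec["dst"], rec["dport"])].append(rec["start"])
    beacons = []
    for key, times in starts.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter < max_jitter:
            beacons.append({"src": key[0], "dst": key[1], "dport": key[2], "connections": len(times),
                            "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in detect_beacons(SAMPLE_FLOW_LINES):
        print(beacon)
```

The coefficient of variation is used rather than the raw standard deviation so that a 60-second beacon and a 6-hour beacon are judged by the same bound. Flow logs aggregate packets into records over a capture window, so on real data the start-time resolution is coarser than in this sample and the jitter bound has to be set with that window in mind; the NODATA record in the sample shows the parser skipping the interval records that carry no flows at all.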
Microsoft Azure - Audit

Description

Authentication: Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high value systems) as well as behaviour related outliers (e.g. unusual activity, spikes, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.

Account Management: Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.

Security Groups: Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.). These use cases allow for a general overview of activity in the environment as well as helping with compliance reporting needs.

Security Alerts: Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Log Requirements
Azure Audit Logs
Indicators

Event Family / Event / Use Case

Authentication
  Successful
    Console Logins
    Console Logins - MFA
    Console Logins - SAML
    Assumed Role Events
    Privileged Accounts
  Failed
    Console Logins
    Console Logins - MFA
    Console Logins - SAML
    Assumed Role Events
    Privileged Accounts
    Spike Threshold Total by Origin
    Spike Baseline Total by Origin
    Spike Threshold Total by Account
    Spike Baseline Total by Account
    Spike Threshold Total Overall
    Spike Baseline Total Overall
Account Management (IAM)
  Roles
    Role Created
    Role Deleted
  User
    User Created
    User Deleted
  Group
    Group Created
    Group Deleted
  Policy
    Policy Created
    Policy Deleted
  Access Key
    Access Key Created
    Access Key Deleted
  Password Change
    Password Changed
  Group Management
    User Added to Group
    User Removed From Group
  Policy Management
    User Attached to Policy
    User Removed From Policy
    Group Attached to Policy
    Group Removed From Policy
Security Groups
  SG Management
    Security Group Created
    Security Group Deleted
    Authorize Egress Rule (for VNet)
    Authorize Ingress Rule (for VNet)
    Revoke Egress Rule (for VNet)
    Revoke Ingress Rule (for VNet)
VNet
  VNet Management
    VNet Created
    VNet Deleted
    VNet Changed
Security Alert
  Root Usage
    Activity with Root Account
  Log Tampering
    Trail Stopped
    Trail Deleted
  Security Group Risk
    Permit Any Security Groups
  Suspicious Accounts
    Short Lived Accounts
  Instance Tampering
    Mass Creation
    Mass Deletion
    Instance Outside of VNet
  Suspicious Logins
    Activity by User From Threat Actor Geo
    Activity by User From Outside the US
    Activity by User From 2+ Different IPs in Short Timeframe
    Activity by User From 2+ Different Geos in Short Timeframe
    Activity by User From Known Bad IP
    Login Without MFA
    Login Bypassing SAML
Microsoft Azure - Network Watcher

Description

Traffic Monitoring
Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information.

These use cases give end users a holistic view of incoming and outgoing traffic.

Security Alerts
Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Denial of Service
Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.

Robotic Behavior
Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.

Log Requirements
Azure Network Watcher
Indicators

Event Family / Event / Use Case

Traffic Monitoring
  Outbound
    Accepted Traffic
    TCP Traffic
    UDP Traffic
    Top 10 Accepted MACs
    Top 10 Blocked MACs
    Top 10 Accepted Source IPs
    Top 10 Blocked Source IPs
    Top 10 Accepted Destination IPs
    Top 10 Blocked Destination IPs
    Traffic Geolocation Monitoring by Destination
    Traffic Geolocation Monitoring by Destination - Blocked Traffic
    Top 10 Geolocations by Destination
    Top 10 Geolocations by Destination - Blocked Traffic
    Traffic to Rare Geolocations
    Traffic to Rare Geolocations - Blocked Traffic
  Inbound
    Accepted Traffic
    Dropped Traffic
    Traffic From Malicious IPs
    TCP Traffic
    UDP Traffic
    Top 10 Accepted MACs
    Top 10 Blocked MACs
    Top 10 Accepted Source IPs
    Top 10 Blocked Source IPs
    Top 10 Accepted Destination IPs
    Top 10 Blocked Destination IPs
    Traffic Geolocation Monitoring by Source
    Traffic Geolocation Monitoring by Source - Blocked Traffic
    Top 10 Geolocations by Source
    Top 10 Geolocations by Source - Blocked Traffic
    Traffic From Rare Geolocations
    Traffic From Rare Geolocations - Blocked Traffic
DoS
  Inbound
    Abnormal Number of Requests From Same IP - Spike by Source
    Abnormal Number of Dropped Requests From Same IP - Spike by Source
    Spike In Network Traffic - Spike by Resource
    High Number of Requests Per Second - Spike by Source
Security Alerts
  Inbound
    Traffic From Rare Sources
    Traffic From Blacklisted Geolocations
    Insecure Traffic
    Activity On High Ports
    High Number of Rejected Events Followed by Accepted Event
  Outbound
    Traffic to Malicious IPs
    Traffic to Rare Destinations
    Traffic to Blacklisted Geolocations
    Insecure Traffic
    Activity On High Ports
Robotic Behavior
  Outbound
    Beaconing Traffic to Malicious Domains
    Beaconing Traffic
  Inbound
    Beaconing Traffic From Malicious Domains
    Beaconing Traffic
SaaS Productivity Tools

Description

Authentication
Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) and behaviour-related outliers (e.g. unusual activity, spikes, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Account Management
Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Security Groups
Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Security Alerts
Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Log Requirements
G Suite
O365
Indicators

Event Family / Event / Use Case

Authentication
  Successful
    Console Logins
    Console Logins - MFA
    Privileged Accounts
    Terminated Accounts
  Failed
    Console Logins
    Console Logins - MFA
    Privileged Accounts
    Terminated Accounts
    Spike Threshold Total by Origin
    Spike Baseline Total by Origin
    Spike Threshold Total by Account
    Spike Baseline Total by Account
    Spike Threshold Total Overall
    Spike Baseline Total Overall
Account Management
  User
    User Created
    User Deleted
  Group
    Group Created
    Group Deleted
  Group Management
    User Added to Group
    User Removed from Group
Security Alert
  Suspicious Logins
    Suspicious Logins (suspicious_login Eventtype)
    Activity by User from Threat Actor Geo
    Activity by User from Outside the US
    Activity by User from 2+ Different IPs in Short Timeframe
    Activity by User from 2+ Different Geos in Short Timeframe
    Activity by User from Known Bad IP
  DLP
    Data Shared Outside of Organization
    Mass Copy of Data to Single Destination
    Mass Deletion of Data
    Mass Permission Changes
Firewalls

Description

Traffic Monitoring
Monitor all outbound and inbound, allowed and denied traffic using top N charts and geolocation information.

These use cases give end users a holistic view of incoming and outgoing traffic.

DLP
Protect sensitive data by detecting and alerting on abnormalities in the amount of data being sent out of the internal network.

These use cases focus on well-known file transfer ports, rare geolocations and malicious IPs to detect any deviation from the usual traffic behavior.

Denial of Service
Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.

Robotic Behavior
Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.

Security Alerts
Monitor suspicious activity for inbound and outbound traffic by detecting malicious IPs, domains, user agents and rare geolocation information.

Log Requirements
Check Point
NetFlow
Palo Alto Networks
Cisco ASA
FireEye
Indicators

Event Family / Event / Use Case

Traffic Monitoring
  Outbound
    Accepted Traffic
    TCP Traffic
    UDP Traffic
    Telnet Traffic
    SMB Traffic
    FTP Traffic
    NetBIOS Traffic
    DNS Traffic
    LDAP Traffic
    Top 10 Accepted Protocols
    Top 10 Blocked Protocols
    Top 10 Accepted Source IPs
    Top 10 Blocked Source IPs
    Top 10 Accepted Destination IPs
    Top 10 Blocked Destination IPs
    Traffic Geolocation Monitoring by Destination
    Traffic Geolocation Monitoring by Destination - Blocked Traffic
    Top 10 Geolocations by Destination
    Top 10 Geolocations by Destination - Blocked Traffic
    Traffic to Rare Geolocations
    Traffic to Rare Geolocations - Blocked Traffic
  Inbound
    Accepted Traffic
    Dropped Traffic
    Traffic from Malicious IPs
    TCP Traffic
    UDP Traffic
    Telnet Traffic
    SMB Traffic
    FTP Traffic
    NetBIOS Traffic
    DNS Traffic
    LDAP Traffic
    Top 10 Accepted Protocols
    Top 10 Blocked Protocols
    Top 10 Accepted Source IPs
    Top 10 Blocked Source IPs
    Top 10 Accepted Destination IPs
    Top 10 Blocked Destination IPs
    Traffic Geolocation Monitoring by Source
    Traffic Geolocation Monitoring by Source - Blocked Traffic
    Top 10 Geolocations by Source
    Top 10 Geolocations by Source - Blocked Traffic
    Traffic from Rare Geolocations
    Traffic from Rare Geolocations - Blocked Traffic
DLP
  Successful
    High Number of Bytes Sent - Threshold by Source
    High Number of Bytes Sent to Rare Geolocations
    Abnormal Volume of Bytes Sent - Spike by Resource
    Abnormal Volume of Bytes Sent - Spike by Source
    Abnormal Volume of Bytes Sent - Spike by Destination
    Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Resource
    Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Source
    Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Destination
    Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Resource
    Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Source
    Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Destination
    Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Resource
    Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Source
    Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Destination
    Data Egress Over Covert Channels
  Blocked
    Top 10 Source IPs by Bytes Sent
    Top 10 Destination IPs by Bytes Sent
    Abnormal Volume of Bytes Sent - Spike by Resource
    Abnormal Volume of Bytes Sent - Spike by Source
    Abnormal Volume of Bytes Sent - Spike by Destination
    Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Resource
    Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Source
    Abnormal Volume of Bytes Sent Over FTP Ports - Spike by Destination
    Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Resource
    Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Source
    Abnormal Volume of Bytes Sent Over SMB Ports - Spike by Destination
    Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Resource
    Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Source
    Abnormal Volume of Bytes Sent Over DNS Ports - Spike by Destination
    Data Egress Over Covert Channels
DoS
  Inbound
    Abnormal Number of Requests from Same IP - Spike by Source
    Abnormal Number of Dropped Requests from Same IP - Spike by Source
    Spike in Network Traffic - Spike by Resource
    High Number of Requests Per Second - Spike by Source
Security Events
  Inbound
    Rare Protocol Used
    Traffic from Rare Sources
    Traffic from Blacklisted Geolocations
    Insecure Traffic
    Possible Covert Channel
    Unapproved Ports
    Activity on High Ports
    High Number of Dropped Events Followed by Accepted Event
  Outbound
    Rare Protocol Used
    Traffic to Malicious IPs
    Traffic to Rare Destinations
    Traffic to Blacklisted Geolocations
    Insecure Traffic
    Possible Covert Channel
    Unapproved Ports
    Activity on High Ports
Robotic Behavior
  Outbound
    Beaconing Traffic to Malicious Domains
    Beaconing Traffic
  Inbound
    Beaconing Traffic from Malicious Domains
    Beaconing Traffic
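The Robotic Behavior use cases above (and the same family in the GCP VPC, Azure Network Watcher and proxy sections) describe beaconing detection as "request frequency analysis". The Python script below is an added illustration of that analysis over connection logs; it is not code from this document or from Sumo Logic, whose content is delivered as queries. The log line format, IP addresses, timestamps and the thresholds `min_events` and `max_cv` are assumptions made for this example, and the sample log lines are constructed.

```python
"""Beacon (robotic behaviour) detection from connection logs using inter-arrival regularity."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log lines (hypothetical, not from any real device):
# "<ISO-8601 timestamp> <source IP> <destination IP> <action>"
# 10.1.2.3 -> 203.0.113.50 connects every ~5 minutes (beacon-like),
# 10.1.2.7 -> 198.51.100.9 connects at irregular, human-like intervals,
# 10.1.2.9 -> 203.0.113.50 has too few events to judge.
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:00:00Z 10.1.2.7 198.51.100.9 allow
2024-05-01T10:00:12Z 10.1.2.7 198.51.100.9 allow
2024-05-01T10:03:45Z 10.1.2.7 198.51.100.9 allow
2024-05-01T10:04:01Z 10.1.2.7 198.51.100.9 allow
2024-05-01T10:05:01Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:09:59Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:15:00Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:20:02Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:20:30Z 10.1.2.7 198.51.100.9 allow
2024-05-01T10:21:02Z 10.1.2.7 198.51.100.9 allow
2024-05-01T10:24:58Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:30:00Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:35:01Z 10.1.2.3 203.0.113.50 allow
2024-05-01T10:40:00Z 10.1.2.9 203.0.113.50 allow
2024-05-01T10:59:59Z 10.1.2.7 198.51.100.9 allow
2024-05-01T11:30:00Z 10.1.2.7 198.51.100.9 allow
2024-05-01T11:40:00Z 10.1.2.9 203.0.113.50 allow
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, action)."""
    ts, src, dst, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, action


def find_beacons(lines, min_events=6, max_cv=0.10):
    """Return {(src, dst): stats} for pairs whose connection timing is machine-regular.

    Regularity is the coefficient of variation (stdev / mean) of the inter-arrival
    intervals: a timer-driven beacon gives a CV near zero, while human-driven
    traffic gives intervals that vary by an order of magnitude or more.
    """
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        when, src, dst, _action = parse_line(line)
        times[(src, dst)].append(when)

    candidates = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few observations to judge regularity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all events share one timestamp; not a periodic pattern
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            candidates[pair] = {
                "count": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
            }
    return candidates


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOGS.splitlines()).items():
        print(f"beacon candidate {src} -> {dst}: {stats}")
```

The same pair-level statistic works for proxy logs keyed on (user or host, domain) and for reverse-proxy logs keyed on (client IP, path); pairing it with a threat-intel match on the destination gives the "Beaconing Traffic to Malicious Domains" variant, and raising `max_cv` catches beacons that add jitter at the cost of more false positives from scheduled jobs.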
Proxy
Forward Proxy

Description

DLP
Protect sensitive data by detecting and alerting on abnormalities in the amount of data being sent out of the internal network.

These use cases focus on data exfiltration to well-known file-share, archival and storage websites, in addition to detecting anomalies in network uploads.

Malicious Traffic
Monitor outbound traffic to malicious websites, proxy anonymizers, DGA domains, etc.

This use case helps you identify malicious activity and infected hosts on the internal network.

Security Events
Identify flight-risk users and exiting behavior based on their browsing activity.

Monitor and alert on activity from inactive users.

Robotic Behavior
Detect beaconing activity from the internal network using robotic behavior matching patterns and request frequency analysis.

Traffic Monitoring
Monitor all outbound, allowed and denied browsing activity using top N charts and geolocation information.

These use cases give end users a holistic view of users' browsing activity.

Log Requirements
Blue Coat Proxy
Websense Proxy
Forcepoint Proxy
Indicators

Event Family / Event / Use Case

Data Exfiltration
  Successful
    Data Egress to Storage Sites
    Data Egress to News/Media Sites
    Data Egress to Personal Websites
    Data Egress to Archival Domains
    High Volume of Data Egress to Storage Sites
    High Volume of Data Egress to News/Media Sites
    High Volume of Data Egress to Archival Domains
    Abnormal Volume of Data Uploads - Resource Level Spike
    Abnormal Volume of Data Uploads - Account Level Spike
    Uploads Greater Than 1MB to External Sites
  Blocked
    Abnormal Number of Failed Upload Attempts - Resource Level Spike
    Abnormal Number of Failed Upload Attempts - Account Level Spike
    Possible Proxy Circumvention
    High Volume of Failed Upload Attempts Followed by Successful Upload
    Data Egress to Storage Sites
    Data Egress to News/Media Sites
    Data Egress to Personal Websites
    Data Egress to Archival Domains
    Uploads Greater Than 1MB to External Sites
Malicious Traffic
  Successful
    Traffic to Malware Domains
    Beaconing Traffic
    Beaconing Traffic to Malware Domains
    Beaconing Traffic to Rare Domains
    Traffic to Proxy Anonymizing Websites
    Traffic to Randomly Generated Domains
    Traffic to Malicious Domains
    Traffic to Malicious IP Addresses
    Traffic to Tor Exit Nodes
    Rare Domain Visited by User
    Rare User Agent Detected
  Blocked
    Traffic to Malware Domains
    Beaconing Traffic
    Beaconing Traffic to Malware Domains
    Beaconing Traffic to Rare Domains
    Traffic to Proxy Anonymizing Websites
    Traffic to Randomly Generated Domains
    Traffic to Malicious Domains
    Traffic to Malicious IP Addresses
    Traffic to Tor Exit Nodes
    Rare Domain Visited by User
    Rare User Agent Detected
    Web Traffic to Rare Blocked Domains
    Proxy Circumvention
Other Security Events
  Successful
    Exiting Behavior
    Flight Risk Behavior
    Web Browsing Activity by Terminated Accounts
  Blocked
    Web Browsing Activity by Terminated Accounts
Traffic Monitoring
  Successful
    Top 10 Domains Visited
    2xx Response Traffic
    3xx Response Traffic
    POST Requests
    PUT Requests
    GET Requests
    CONNECT Requests
  Blocked
    Top 10 Blocked Domains
    4xx Response Traffic
    5xx Response Traffic
    POST Requests
    PUT Requests
    GET Requests
    CONNECT Requests
Reverse Proxy

Description

Authentication
Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) and behaviour-related outliers (e.g. unusual activity, spikes, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Malicious Traffic
Monitor inbound traffic from malicious sources, proxy anonymizers, C2 (command and control) domains, etc.

This use case helps you identify malicious activity from external sources.

Denial of Service
Monitor incoming traffic and discriminate network-based flooding attacks from sudden spikes in legitimate activity using machine learning.

Robotic Behavior
Detect beaconing activity from the external network using robotic behavior matching patterns and request frequency analysis.

Traffic Monitoring
Monitor all inbound, allowed and denied web access requests using top N charts and geolocation information.

These use cases give end users a holistic view of incoming web traffic.

Spidering
Detect malicious attempts to exploit the robots exclusion protocol.

Log Requirements
Nginx
Apache Access Logs
Indicators

Event Family / Event / Use Case

Authentication
  Success
    Successful Authentication
    Authentication Geolocation Monitoring
    Authentication from Rare Geolocations
    Authentication from Blacklisted Countries
  Failed
    Failed Authentication
    Authentication Geolocation Monitoring
    Authentication from Rare Geolocations
    Authentication from Blacklisted Countries
    Top 10 IPs With Failed Authentication Requests
    Spike in Failed Requests
    Multiple Failed Logons Followed by Successful Logon
    Spike in Failed Requests - Behavior Based Outlier Analysis
    Possible Brute Force Attack - Attempts Per Second
Traffic Monitoring
  Success
    2xx Response Requests
    3xx Response Requests
    Geolocation Monitoring
    Traffic from Rare Geolocations
    Traffic from Blacklisted Countries
    Top 20 IPs With Requests
  Failed
    4xx Response Requests
    5xx Response Requests
    Geolocation Monitoring
    Traffic from Rare Geolocations
    Traffic from Blacklisted Countries
    Top 20 IPs With Blocked Requests
Anonymous Traffic
  Success
    Traffic from Proxy Anonymizers
  Failed
    Traffic from Proxy Anonymizers
Spidering
  Success
    Possible Spidering - High Number of Attempts Per Second
    Access to robots.txt
    Traffic from Rare Geolocations
  Failed
    Possible Spidering - High Number of Attempts Per Second
    Failed Attempts to Access robots.txt
    Traffic from Rare Geolocations
Robotic Behavior
  Success
    Beaconing Activity from Known Malicious IPs
    Beaconing Activity - Accepted Requests
  Failed
    Beaconing Activity from Known Malicious IPs
    Beaconing Activity - Blocked Requests
Denial of Service
  Success
    Top 20 IPs With Requests - 24hr Analysis
    High Number of Requests Per Second
  Failed
    Top 20 IPs With Requests - 24hr Analysis
    High Number of Requests Per Second
    Top 20 IPs With Requests - 24hr Analysis
    Spike in 503 Errors
Security Alerts
  Success
    Traffic from Malicious User Agents
    Rare User Agents With Server Errors
    Rare User Agents With Client Errors
    Traffic from Malicious IPs - High Severity
    Traffic from Malicious IPs - Low Severity
    Traffic from Malicious IPs - Unverified
  Failed
    Traffic from Malicious User Agents
    Rare User Agents With Server Errors
    Rare User Agents With Client Errors
    Traffic from Malicious IPs - High Severity
    Traffic from Malicious IPs - Low Severity
    Traffic from Malicious IPs - Unverified
VPN

Description

Authentication
Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) and behaviour-related outliers (e.g. unusual activity, spikes, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Traffic Monitoring
Monitor all VPN connection requests using top N charts and geolocation information.

These use cases give end users a holistic view of VPN traffic.

Security Events
Detect high-severity security alerts, including traffic from malicious sources and abnormal session durations.

Log Requirements
Cisco ASA
NetScaler
Indicators

Event Family / Event / Use Case

Traffic Monitoring
    Traffic Geolocation
    Traffic from Rare Geolocation
    Traffic from Blacklisted Countries
    Top 10 Geolocations
Authentication
  Successful
    VPN Activity by Terminated Accounts
    All Authentication Events
    VPN Activity by Dormant Accounts
    Land Speed Violation
    VPN Authentication Using Rare OS
    Direct Login As Root
    Multiple Failed Logons Followed by Successful Logon
    Authentication from Rare Geolocation
    Authentication Geolocation Monitoring
    Authentication from Blacklisted Countries
    VPN Certificate Sharing
  Failed
    VPN Activity by Terminated Accounts
    All Authentication Events
    VPN Activity by Dormant Accounts
    Direct Login As Root
    Authentication from Rare Geolocation
    Authentication Geolocation Monitoring
    Authentication from Blacklisted Countries
    Possible Brute Force Attack
    Top 10 Source IPs
    Top 10 Users
    Authentication by Multiple Accounts from the Same IP
Security Events
    Traffic from Known Malicious IPs
    Traffic from Proxy Anonymizers
    Top 10 Bytes Sent
    Top 10 Session Durations
Endpoint Protection

Description

Incident Management
Monitor endpoint-related incidents to identify, analyze and correct hazards and prevent a future recurrence.

Security Monitoring
Monitor and detect malicious processes on endpoints by analyzing endpoint incidents, rare operating systems, and known and unknown malicious hash values.

This use case helps identify and remediate infected machines on the internal network and mobile devices.

Virus Detection
Identify and analyze viruses within the corporate infrastructure. Using machine learning, detect a spike in endpoint alerts for viruses.

Configuration Changes
Detect unauthorized changes to endpoint monitoring configurations and whitelists.

Log Requirements

Symantec Endpoint
McAfee Endpoint
Carbon Black
Norton Endpoint
Sophos
Check Point
Indicators

Event Family / Event / Use Case

Incident Management
  Closed Incidents
    All Closed Incidents
  Opened Incidents
    All Opened Incidents
  Reopened Incidents
    All Reopened Incidents
Security Monitoring
  Mobile
    Abnormal Number of Endpoint Violations - Spike by Account
    Endpoint Violations by New Accounts
    Abnormal Number of Endpoint Violations - Spike by Source IP
    Abnormal Number of Endpoint Violations - Spike by Source Host
    Top 10 Messages
    Rare Messages
    Non-Compliant Endpoint Devices
    Incident Count by OS
    Rare OS Used
  On-prem
    Abnormal Number of Endpoint Violations - Spike by Account
    Endpoint Violations by New Accounts
    Abnormal Number of Endpoint Violations - Spike by Source IP
    Abnormal Number of Endpoint Violations - Spike by Source Host
    Rare File Hash Detected on the Network
    Rare Process and Path Detected on the Network
    Rare Parent Process Spawning a Child Process on the Network
    Rare DLL Used by a Process on the Network
    Rare Function Used by a DLL on the Network
    Rare DLL Process and Path on the Network
    Use of Credential Dumpers
    Known Malicious Hash Values
    Processes With Multiple Hash Values
Virus
  On-prem
    Checksum Error
    Virus Found
    Antivirus Shutdown
    High Number of Viruses Detected
Configuration Changes
  On-prem
    Configuration Changes
    Whitelist Modification
Vulnerability Scanners

Description

Vulnerabilities
Assess computers, networks or applications and discover known weaknesses.

This use case helps you identify the most severe vulnerabilities.

Log Requirements
Qualys
Tenable
Rapid7
BeyondTrust
Indicators

Event Family / Event / Use Case

Vulnerabilities
  Vulnerabilities Found
    Vulnerabilities Older Than 30 Days
    Vulnerabilities Older Than 90 Days
    Hosts With High Severity Vulnerabilities
    Hosts With Many Vulnerabilities
    Vulnerabilities Trend - Overall
    Vulnerabilities Trend - by Severity
    Vulnerabilities Trend - by Age
    New Vulnerabilities by Host
    Vulnerability on High Value Systems
Inbound Emails

Description

Phishing
Detect and prevent phishing attempts based on incoming email behaviour anomalies, TLD analysis and suspicious activity from the internal network.

Log Requirements
MTA
Proofpoint
Area 1
Indicators

Event Family / Event / Use Case

Emails
  Inbound
    Persistent Phishing Attempts
    Freemail Domain Phishing Attempts
    Resemblance Based Phishing Attempts - TLD Analysis
    Abnormal Number of Emails from Single Recipient
    Abnormal Number of Blocked Emails
    Phishing Emails Followed by Suspicious Web Traffic
    Phishing Email Followed by Suspicious Downloads
    Detection of Known Malicious Email Attachments

Identity & Access Management (IAM)

Description

Authentication
Monitor all authentication activity, successful and failed, across the entire environment. This includes monitoring special sets of users, accounts and credentials (e.g. privileged, terminated, service, etc.), specific destination systems (e.g. high-value systems) and behaviour-related outliers (e.g. unusual activity, spikes, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Account Management
Monitor all activity involving users. This includes monitoring special sets of users (e.g. privileged, terminated, local, service, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Security Groups
Monitor all activity involving groups. This includes monitoring special sets of groups (e.g. privileged, admin, etc.).

These use cases give a general overview of activity in the environment and also support compliance reporting needs.

Security Alerts
Detect high-severity security alerts, including brute force attempts, unauthorized privilege escalation, password reset anomalies, and traffic from malicious sources and rare user agents.

Log Requirements
Okta
OneLogin
CyberArk
Indicators

Event Family / Event / Use Case

Authentication
  Successful Login
    All Authentication Events
    Login At Unusual Hours
    Application Access
    Rare Application Access
    Application Access At Unusual Hours
    Top 10 User Accounts
    Top 10 Applications Accessed
    Top 10 Source IPs
    Geolocation Monitoring
    Authentication from Rare Geolocations
    Top 10 Geolocations
  Failed Login
    All Failed Authentications
    Failed Login Attempts At Unusual Hours
    Top 10 User Accounts
    Top 10 Source IPs
    Account Lockouts
    Top 10 Account Lockouts
    Geolocation Monitoring
    Authentication from Rare Geolocations
    Top 10 Geolocations
Account Management
  Accounts
    User Creation
    User Deletion
    Short Lived Accounts
    Account Unlocks
  Membership
    Members Added to Groups
    Members Removed from Groups
Security Alerts
  Authentication Anomaly
    Spike in Failed Logins - Spike by Resource
    Spike in Failed Logins - Spike by Account
    High Number of Failed Login Attempts Per Second
    Top 10 Source IPs
    Top 10 User Accounts
    Multiple Failed Logons Followed by Successful Logon
  Privilege Escalation
    Members Added & Removed from Groups in a Short Duration
    Privilege Self Escalation
  Password Reset Anomaly
    Abnormal Number of Password Reset Attempts
    Password Resets
  Suspicious Accounts
    Activity from Terminated Accounts
    Activity from Dormant Accounts
  Suspicious Activity
    Rare OS
    Rare User Agent
    Traffic from Malicious Source IPs
    Traffic from Blacklisted Countries
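The Authentication Anomaly use case "Multiple Failed Logons Followed by Successful Logon" (listed here and in the VPN and reverse proxy sections) and the brute-force alerts named in the Security Alerts description both correlate a burst of failures with a later success for the same account and source. The Python below is an added example of that correlation over authentication events; it is not code from this document or from Sumo Logic, whose content is delivered as queries. The event format, account names, IP addresses, the 10-minute window and the `min_failures` threshold are assumptions made for this example, and the sample events are constructed.

```python
"""Detect 'multiple failed logons followed by a successful logon' in authentication events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (hypothetical, not from any real identity provider):
# "<ISO-8601 timestamp> user=<account> src=<source IP> result=<success|failure>"
# j.doe:   six failures in 12 seconds, then a success (should alert)
# a.smith: two failures, then a success (normal typo behaviour, below threshold)
# k.lee:   six failures spread over two hours, then a success (outside the window)
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:00Z user=k.lee src=198.51.100.20 result=failure
2024-05-01T08:30:00Z user=k.lee src=198.51.100.20 result=failure
2024-05-01T08:50:00Z user=k.lee src=198.51.100.20 result=failure
2024-05-01T09:00:00Z user=j.doe src=203.0.113.77 result=failure
2024-05-01T09:00:03Z user=j.doe src=203.0.113.77 result=failure
2024-05-01T09:00:05Z user=j.doe src=203.0.113.77 result=failure
2024-05-01T09:00:08Z user=j.doe src=203.0.113.77 result=failure
2024-05-01T09:00:10Z user=j.doe src=203.0.113.77 result=failure
2024-05-01T09:00:12Z user=j.doe src=203.0.113.77 result=failure
2024-05-01T09:00:20Z user=j.doe src=203.0.113.77 result=success
2024-05-01T09:10:00Z user=a.smith src=192.0.2.10 result=failure
2024-05-01T09:10:30Z user=a.smith src=192.0.2.10 result=failure
2024-05-01T09:11:00Z user=a.smith src=192.0.2.10 result=success
2024-05-01T09:40:00Z user=k.lee src=198.51.100.20 result=failure
2024-05-01T09:45:00Z user=k.lee src=198.51.100.20 result=failure
2024-05-01T09:50:00Z user=k.lee src=198.51.100.20 result=failure
2024-05-01T09:55:00Z user=k.lee src=198.51.100.20 result=success
"""


def parse_event(line):
    """Parse one constructed 'key=value' event line into a dict."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": fields["user"],
        "src_ip": fields["src"],
        "result": fields["result"],
    }


def failed_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Alert when an account accumulates >= min_failures failures from one source IP
    inside `window` and then authenticates successfully from that same source IP.

    A sliding deque per (user, src_ip) keeps only failures still inside the window,
    so the check is O(1) amortised per event and works on a time-ordered stream.
    """
    alerts = []
    recent = defaultdict(deque)  # (user, src_ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "failure":
            q.append(ev["ts"])
        elif ev["result"] == "success" and len(q) >= min_failures:
            alerts.append({
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "failures_in_window": len(q),
                "first_failure": q[0],
                "success_at": ev["ts"],
            })
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    parsed = [parse_event(l) for l in SAMPLE_AUTH_LOG.splitlines() if l.strip()]
    for alert in failed_then_success(parsed):
        print(alert)
```

The key is (user, source IP) so that a user who mistypes a password at home does not combine with an unrelated success from the office; keying on source IP alone instead gives the "Top 10 Source IPs" view of the same burst, and keying on user alone catches the case where the failures and the success come from different addresses.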
Endpoint DLP

Description

DLP
Protect sensitive data by detecting and alerting on abnormalities in the amount of data being sent out of the internal network.

These use cases cover all possible egress vectors and detect exfiltration of sensitive files, using machine learning to flag anomalies.

Log Requirements
McAfee
Symantec
Forcepoint
Varonis
Proofpoint
Indicators

Event Family / Event / Use Case

Endpoint DLP
  Successful
    Endpoint DLP Violations by Terminated Users
    Cross Channel Data Egress
    Exfiltration of Sensitive Files
    Abnormal Number of Endpoint DLP Violations - Spike Baseline Total by Match Count
    Abnormal Number of Endpoint DLP Violations - Outlier Analysis
    Top 10 Accounts by Match Count
    Top 10 Accounts by File Size
    Misuse of Service Accounts
  Blocked
    Endpoint DLP Violations by Terminated Users
    Cross Channel Data Egress
    Exfiltration of Sensitive Files
    Abnormal Number of Blocked Attempts - Spike Baseline Total by Account
    Abnormal Number of Blocked Attempts - Outlier Analysis
    Top 10 Accounts by Blocked Attempts
    Misuse of Service Accounts
Email
  Successful
    Emails to Competitor Domains
    Emails Sent With Source Code
    Emails Sent With Compressed Files
    Emails Sent to Non-business Domains
    Abnormal Number of Emails to Competitor Domains - Spike Baseline Total by Account
    Abnormal Number of Emails With Source Code - Spike Baseline Total by Account
    Abnormal Number of Emails to Competitor Domains - Spike Baseline Total by Account
    Abnormal Number of Emails to Non-business Domains - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed to Competitor Domains - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed With Source Code - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed With Compressed Files - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed to Non-business Domains - Spike Baseline Total by Account
  Blocked
    Emails to Competitor Domains
    Emails Sent With Source Code
    Emails Sent With Compressed Files
    Emails Sent to Non-business Domains
    Abnormal Number of Emails to Competitor Domains - Spike Baseline Total by Account
    Abnormal Number of Emails With Source Code - Spike Baseline Total by Account
    Abnormal Number of Emails to Competitor Domains - Spike Baseline Total by Account
    Abnormal Number of Emails to Non-business Domains - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed to Competitor Domains - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed With Source Code - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed With Compressed Files - Spike Baseline Total by Account
    Abnormal Amount of Data Emailed to Non-business Domains - Spike Baseline Total by Account
Network Uploads
  Successful
    High Volume of Data Uploaded - Spike Threshold by Account
    Abnormal Amount of Data Uploaded - Spike Baseline by Account
    Abnormal Match Count For Network Uploads - Spike Baseline by Account
    Top 10 Accounts by Match Count
    Top 10 Accounts by File Size
  Blocked
    High Volume of Data Uploaded - Spike Threshold by Account
    Abnormal Amount of Data Uploaded - Spike Baseline by Account
    Abnormal Match Count For Network Uploads - Spike Baseline by Account
    Top 10 Accounts by Blocked Attempts
Removable Media
  Successful
    High Volume of Data Uploaded - Spike Threshold by Account
    Abnormal Amount of Data Uploaded - Spike Baseline by Account
    Abnormal Match Count For Removable Media - Spike Baseline by Account
    Top 10 Accounts by Match Count
    Top 10 Accounts by File Size
  Blocked
    High Volume of Data Uploaded - Spike Threshold by Account
    Abnormal Amount of Data Uploaded - Spike Baseline by Account
    Abnormal Match Count For Removable Media - Spike Baseline by Account
    Top 10 Accounts by Blocked Attempts
Print
  Successful
    Abnormal Number of Pages Printed - Spike Baseline by Account
    Abnormal Amount of Data Printed - Spike Baseline by Account
    Abnormal Match Count For Print - Spike Baseline by Account
    Top 10 Accounts by Match Count
    Top 10 Accounts by File Size
  Blocked
    Abnormal Number of Pages Printed - Spike Baseline by Account
    Abnormal Amount of Data Printed - Spike Baseline by Account
    Abnormal Match Count For Print - Spike Baseline by Account
    Top 10 Accounts by Blocked Attempts
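Most anomaly use cases on this page come in two flavours: "Spike Threshold" (a fixed limit) and "Spike Baseline" (a limit learned from each entity's own history). The firewall DLP and denial-of-service descriptions draw the same line when they separate flooding from legitimate spikes in activity. The Python below is an added example that contrasts the two rules over per-account daily egress volumes; it is not code from this document or from Sumo Logic, whose content is delivered as queries. The account names, volumes, and the parameters `k`, `min_ratio` and `min_days` are assumptions made for this example, and the sample data is constructed.

```python
"""Spike detection for per-account egress volume: fixed threshold vs. learned baseline."""
from statistics import mean, pstdev

# Constructed sample data (hypothetical): megabytes sent per account per day over a
# 14-day baseline window, plus today's value for each account.
# alice:      steady ~50 MB/day, 60 MB today (a small, unremarkable increase)
# bob:        steady ~20 MB/day, 400 MB today (twenty times his baseline)
# svc-backup: legitimately ~2 GB/day, 2.1 GB today (high volume, but normal for it)
# mallory:    brand-new account with no history
BASELINE_MB = {
    "alice": [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 50, 48, 52],
    "bob": [18, 22, 20, 19, 21, 20, 20, 18, 22, 21, 19, 20, 20, 20],
    "svc-backup": [2000, 2100, 1950, 2050, 2000, 2000, 2100,
                   1900, 2000, 2050, 1950, 2000, 2000, 2100],
    "mallory": [],
}
TODAY_MB = {"alice": 60, "bob": 400, "svc-backup": 2100, "mallory": 50}


def threshold_spikes(today, threshold_mb):
    """'Spike Threshold' rule: flag every account above one fixed volume."""
    return {acct: mb for acct, mb in today.items() if mb > threshold_mb}


def baseline_spikes(history, today, k=3.0, min_ratio=1.5, min_days=7):
    """'Spike Baseline' rule: flag an account whose value today is at least k standard
    deviations above its own history AND at least min_ratio times its historical mean.

    The ratio floor matters: a very stable baseline has a tiny standard deviation, so
    the z-score alone would fire on increases that are operationally meaningless.
    Accounts with fewer than min_days of history are skipped (no baseline yet).
    """
    alerts = {}
    for acct, current in today.items():
        past = history.get(acct, [])
        if len(past) < min_days:
            continue
        mu = mean(past)
        sigma = pstdev(past)
        if sigma == 0:
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        if z >= k and current >= mu * min_ratio:
            alerts[acct] = {
                "today_mb": current,
                "baseline_mean_mb": round(mu, 1),
                "z_score": round(z, 1),
            }
    return alerts


if __name__ == "__main__":
    print("threshold (1000 MB):", threshold_spikes(TODAY_MB, 1000))
    print("baseline:", baseline_spikes(BASELINE_MB, TODAY_MB))
```

Run as-is, the fixed threshold flags only the backup service account, which is exactly the account that should not page anyone, while the baseline rule flags only bob; alice's 20 percent increase has a z-score above 3 but is suppressed by the ratio floor. The same two functions apply unchanged to request counts per source (the denial-of-service use cases) or violation counts per account (the endpoint DLP use cases), which is why the page lists both variants for nearly every family.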
