With identity-based behavior analytics, Logsign SIEM detects suspicious remote access, unusual login activity, and access to unusual data and systems at unusual hours.
Logsign SIEM detects when and from which IP address an authorized user accesses systems, and sends alerts on suspicious behavior. Logsign SIEM also identifies users who change or increase privileges on critical systems, and detects a privilege increase for an existing or new user at abnormal hours.
By enriching user behavior analytics data with detections from DLP software, Logsign SIEM analyzes all suspicious activities. These include confidential data being copied to USB devices, unauthorized cloud storage activity, and data being transferred externally via e-mail. Logsign SIEM raises alerts for these and other abnormal activities.
Logsign SIEM detects when remote users connect at different hours and from different locations, monitors users with VPN accounts from different regions, and raises alerts when it detects potentially suspicious activity.
During an attack, the attacker may try to access systems holding sensitive data from different machines and IP addresses. Even if the user has access permission, Logsign SIEM detects attempts to access data the user has not previously accessed or systems the user has no permission to access.