Problem
With more than three thousand users, the organization prioritized the monitoring of user file sharing and file access activities. Access activities, especially those involving critical documents, had to be reported and made analyzable.
A second requirement was the instant detection and prevention of possible threats.
Because traffic could originate from a malicious IP or URL listed by cyber security intelligence services, the organization had difficulties monitoring and analyzing such cyber threats, as well as interrupting that traffic.
With more than three thousand users, the organization required the following:
Monitoring of user file sharing and file access activities,
Reporting of critical file access activities and making them analyzable,
Automatic action on the firewall in case of traffic from a malicious IP or URL listed by cyber security intelligence services.
Solution
The sources generating the organization’s file sharing and file access logs were added to Logsign SIEM. All client logs were received via the WEF (Windows Event Forwarding) infrastructure.
Client file access logs were sent to Logsign SIEM. Dashboards were created so that user-to-file activity could be monitored correctly. Compliance reports were deployed to Logsign SIEM, and reports covering the requested date ranges were scheduled for delivery to the organization’s officials.
The alerts required for access to files critical to the organization were defined, and SMS / e-mail notifications were sent.
All IP and URL information, whether accessed or requested, was checked by the Logsign Threat Intelligence service, and the logs were enriched. The TI service performed checks for categories such as Phishing, Botnet, Malware and Brute Force, and dashboards and reports were created for them.
The automatic action module on Logsign SIEM was activated against possible cyber threats, so access to malicious IPs and URLs was automatically blocked on the organization’s firewall.
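As an added illustration of the pipeline described above (example code, not Logsign’s own), the following Python sketch runs constructed WEF-style file access and network events through a critical-document check, threat-intelligence enrichment and an automatic-action step that collects the indicators to push to the firewall. The TI feed, critical paths and events are constructed sample values, not real indicators.

```python
# Added example, not Logsign code: a minimal model of the SIEM pipeline.
# Constructed TI feed: indicator -> category (placeholder values only).
TI_FEED = {
    "203.0.113.45": "Botnet",
    "198.51.100.7": "Brute Force",
    "login-verify.example.invalid": "Phishing",
}

# Constructed list of document locations the organization treats as critical.
CRITICAL_PATHS = ("\\\\fileserver\\finance\\", "\\\\fileserver\\hr\\")

# Constructed events in the shape a WEF collector might forward after normalization.
EVENTS = [
    {"ts": "2024-01-10T09:01:02", "type": "file_access", "user": "alice", "path": "\\\\fileserver\\finance\\budget.xlsx", "action": "read"},
    {"ts": "2024-01-10T09:03:15", "type": "file_access", "user": "bob", "path": "\\\\fileserver\\public\\notes.txt", "action": "read"},
    {"ts": "2024-01-10T09:04:40", "type": "network", "user": "bob", "dst": "203.0.113.45", "port": 443},
    {"ts": "2024-01-10T09:05:01", "type": "network", "user": "carol", "dst": "login-verify.example.invalid", "port": 80},
    {"ts": "2024-01-10T09:06:22", "type": "network", "user": "dave", "dst": "192.0.2.10", "port": 443},
]

def is_critical(path):
    """Case-insensitive prefix match against the critical document locations."""
    p = path.lower()
    return any(p.startswith(c.lower()) for c in CRITICAL_PATHS)

def enrich(event):
    """Attach the TI category of the destination indicator, if any (log enrichment)."""
    enriched = dict(event)
    if event["type"] == "network":
        enriched["ti_category"] = TI_FEED.get(event["dst"].lower())
    return enriched

def process(events):
    """Return (alerts, block_list): alert lines for critical file access and TI hits,
    plus the de-duplicated indicators the automatic-action step would block."""
    alerts, block_list = [], []
    for ev in map(enrich, events):
        if ev["type"] == "file_access" and is_critical(ev["path"]):
            alerts.append(f"{ev['ts']} CRITICAL_FILE_ACCESS user={ev['user']} path={ev['path']} action={ev['action']}")
        elif ev["type"] == "network" and ev.get("ti_category"):
            alerts.append(f"{ev['ts']} TI_MATCH user={ev['user']} dst={ev['dst']} category={ev['ti_category']}")
            if ev["dst"] not in block_list:
                block_list.append(ev["dst"])
    return alerts, block_list

if __name__ == "__main__":
    alerts, blocks = process(EVENTS)
    print("\n".join(alerts))
    print("firewall block list:", blocks)
```

In a real deployment the alert lines would feed the SMS / e-mail notification step and the block list would be handed to the firewall integration.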
Result
With Logsign SIEM, all data became processable, and IT managers and teams were able to analyze it rapidly. High data access performance was ensured with an active-active infrastructure on a 3-node cluster.
With Logsign TI, investigations were conducted in real time, and threats were automatically prevented.
By drawing on more than 30 industry-accepted TI sources, Logsign enables threats to be seen and understood. Time management became more productive and efficient, as investigations that would take an hour manually were conducted automatically in real time.