SIEM Use Cases

Detecting Lateral Movements

Network attacks are growing more sophisticated in today's security environment. To gain initial access, attackers use methods such as phishing or malware infection. Once inside the IT environment, they pose as a user with broad access rights while trying to escalate their privileges. Many organizations lack the staff, tools or bandwidth to notice unusual activity. After the attacker gets into the network, it may take them days or weeks to discover the weaknesses in the systems, and lateral movement must be detected within this window. Lateral movement refers to the gradual progress of attackers through the network and the techniques they use to search for the important data and assets they are targeting.

How to Detect Lateral Movements

Lateral movement activity can be analyzed and detected by Logsign SIEM through pre-defined correlations and the Cyber Threat Intelligence (TI) service. Audit logs, process creation logs, firewall, IDS/IPS and EDR logs are used during detection.

Lateral movement patterns that Logsign SIEM detects with pre-defined rules:

  • Failed log-in attempts on disabled accounts,
  • Unusual activity based on the time of day or day of week,
  • Unusual access to servers, file shares, applications or other resources,
  • Excessive unusual access to certain resources,
  • Abnormal application use and abnormal access to data storage.
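As an added illustration of the first, second and fourth patterns in this list (not Logsign's own rule logic), the following Python correlates a handful of constructed Windows-style logon events: failed logons against disabled accounts (event 4625 with sub-status 0xC0000072), successful logons outside business hours or on weekends, and one user reaching an unusual number of distinct hosts. The field names, business-hours policy and host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events; 4624 = successful logon, 4625 = failed logon.
# Sub-status 0xC0000072 on a 4625 means the target account is disabled.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "event_id": 4624, "user": "alice", "host": "FS01"},
    {"ts": "2024-03-04T09:30:00", "event_id": 4625, "user": "svc_old", "host": "DC01", "sub_status": "0xC0000072"},
    {"ts": "2024-03-04T09:31:00", "event_id": 4625, "user": "svc_old", "host": "FS01", "sub_status": "0xC0000072"},
    {"ts": "2024-03-05T02:15:00", "event_id": 4624, "user": "bob", "host": "SQL01"},
    {"ts": "2024-03-05T02:16:00", "event_id": 4624, "user": "bob", "host": "FS02"},
    {"ts": "2024-03-05T02:17:00", "event_id": 4624, "user": "bob", "host": "APP01"},
    {"ts": "2024-03-05T02:18:00", "event_id": 4624, "user": "bob", "host": "DC01"},
    {"ts": "2024-03-09T11:00:00", "event_id": 4624, "user": "carol", "host": "FS01"},  # Saturday
]

BUSINESS_HOURS = range(8, 18)   # assumed policy: 08:00-17:59, Monday to Friday
MAX_HOSTS_PER_USER = 3          # assumed threshold for "too many resources"

def disabled_account_failures(events):
    """Rule 1: failed logons against disabled accounts."""
    return [e for e in events
            if e["event_id"] == 4625 and e.get("sub_status") == "0xC0000072"]

def off_hours_logons(events):
    """Rule 2: successful logons outside business hours or on a weekend."""
    hits = []
    for e in events:
        if e["event_id"] != 4624:
            continue
        t = datetime.fromisoformat(e["ts"])
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            hits.append(e)
    return hits

def broad_access_users(events, max_hosts=MAX_HOSTS_PER_USER):
    """Rule 3: a single user reaching an unusual number of distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_hosts}

def correlate(events):
    """Run all rules; returns alerts keyed by rule name."""
    return {"disabled_account_failures": disabled_account_failures(events),
            "off_hours_logons": off_hours_logons(events),
            "broad_access_users": broad_access_users(events)}
```

Running `correlate(SAMPLE_EVENTS)` flags the two failures against `svc_old`, bob's night-time logons plus carol's Saturday logon, and bob as the one user touching more than three hosts.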
01. Detecting Compromised Users

Logsign SIEM identifies abnormal user behavior through correlation. For instance, it alerts the relevant IT managers when a user accesses unusual data or systems at unusual hours.

02. Detecting Suspicious Privilege Escalation

The main goal is to detect access by privileged user accounts. Logsign SIEM immediately identifies users whose authorization on critical systems is raised.

03. Command and Control (C&C) Communication

Logsign SIEM can correlate network traffic with its Cyber Threat Intelligence module to discover malware that communicates with external attackers. Such communication indicates a compromised user account.

04. Detecting Data Leakage

You can use Logsign Correlation and the Cyber Threat Intelligence (TI) service to analyse events that may seem unrelated on their own, such as a USB disk driver being added together with process information, use of personal e-mail or cloud storage services, or unusually high data traffic through the local network.

05. Rapid Ciphering

Logsign SIEM can detect rapid encryption (ciphering) of data on user systems. Such abnormal activity on user data may indicate a ransomware attack.

06. Detecting Lateral Movements

Lateral movement can be detected via alert rules created based on the MITRE ATT&CK framework.

Other SIEM Use Cases

How to Detect Unauthorized Access to the Shared Folders

A Windows file server stores files and folders that many users can access. Although a collaborative working environment has many benefits, preventing unauthorized access by monitoring the permissions on shared folders can be difficult.

Detecting and Preventing Malicious PowerShell Attacks

PowerShell, a powerful Windows scripting language, is used by both IT specialists and attackers. It is a command-line tool built into Windows.

How to Detect Superman VPN User

Employees of corporate firms work in offices and in the field at geographically dispersed locations. Connecting these locations and staff to headquarters point to point is very difficult because of cost and infrastructure constraints.
