SIEM Use Cases

Identifying and Detecting Zero-Day Attacks

A zero-day exploit is an attack that benefits from the security gaps of a program or an application. There is a natural problem in all threat detection models that depend on statistics and signatures. Although these methods are appropriate for the recognized security threats, they have been known to perform inadequately when it comes to zero-day attacks. As the traditional methods depend on the databases of the recognized threats, it was proven that they needed more abilities when it comes to the struggle against the changes within the attack methodologies. With zero-day attacks, the attackers can detect the weakness of the source code of the program or application software and develop malicious codes for a cyber attack by benefiting from the security gap.

How to detect and prevent zero-day attacks

Detecting the zero-day attacks is difficult and complicated. Logsign USO Platform Detects Malicious Software Indicators and Attack Vectors by Applying Predefined Correlation Rules and Analyzing Data with the Cyber Threat Intelligence (TI) Service, then Shares the Obtained Information with IT Managers in the Form of Dashboards, Alarms, Reports, and Incident Management/Response.

Cyber Threat Intelligence (TI), Next-Generation Firewall (NGFW), Active Directory Authentication, DNS Server, Intrusion Prevention Systems (IPS), Process Tracking, Network Access Control (NAC), Endpoint Protection Platform (EPP), and Endpoint Protection Response (EDR) source logs are used to initiate the attack detection process through multiple correlation techniques in Logsign USO Platform.


By means of correlation processes and Behavior Analysis, the user is tagged as Attacker, Victim, and Suspicious.


Following the first activity started by the attacker on the side of the user, the logs are enriched by means of a behavior analysis conducted with the logs coming from the sources. The log activities formed during the activities of the attacker, which are both from the insider to the external and vice versa, are shown on the relevant dashboard panels by being subjected to correlation.


Security systems collect and analyze security events from various sources, such as intrusion detection systems and endpoints. They use advanced analytics and correlation techniques to identify potential security threats and generate real-time alerts. Security analysts can then investigate these threats and respond promptly to reduce the risks of data breaches and unauthorized access.


It can be used for proactive threat-hunting activities. Security analysts can leverage advanced analytical capabilities to search for indicators of compromise (IoCs) and conduct detailed investigations into suspicious events or entities. Organizations that proactively hunt for threats can identify and mitigate potential security risks before they cause significant harm.


By centralizing and correlating security event data, it streamlines efficient incident response workflows. Integrated with ticketing systems and other incident response tools, it enables security teams to automate the incident response process. Logsign can trigger automated actions, such as quarantining a compromised host or blocking malicious IP, Username, URL, Domain, and Hash information, to reduce response times and minimize the impact of security incidents.

Other SIEM Use Cases