Support & Downloads

Quisque actraqum nunc no dolor sit ametaugue dolor. Lorem ipsum dolor sit amet, consyect etur adipiscing elit.

s f

Contact Info
198 West 21th Street, Suite 721
New York, NY 10010
youremail@yourdomain.com
+88 (0) 101 0000 000
Follow Us

Malware Fighting with SureLog SIEM

We will show you how SureLog SIEM can effectively identify and stop malware on the host.

 

Use case: Malware Dropped to a HOST

 

  • URL link over an email received
  • User clicked on it and provided the required information
  • User received a LOG-IN notification from a system, he/she was authorized to access
  • User reported that she did not log in

 

For this use case, we will use:

 

  • Mail gateway or sandbox logs which has the URL part of the mail message,
  • Proxy or UTM logs
  • Authentication logs from servers, databases, network devices, etc..

 

With SureLog SIEM, security admins have two detection options.

  1. Correlation
  2. Log investigation.

 

Correlation

 

Use Case steps:

 

  • Get URL link from mail gateway log. Ex Fortisandbox,
  • Check if there is a request to this URL from proxy logs,
  • Check if there is an authentication within 15 minutes with this user account.

 

Rule Description:

 

The first part of the rule [GeneralCorrelationObject [1]] collects log from mail gateway(sandbox). The IP of this log source is 10.10.100.211 and checks if the log contains any URL address.

 

The second part of the rule [GeneralCorrelationObject [2]] collects log from proxy or UTM. The IP of this log source is 10.10.100.1. This part of the rule checks if the logs contain any URL address which was detected on mail gateway logs before.

 

The third part of the rule [GeneralCorrelationObject [3]] collects log from all the log sources and checks if there is any authentication with the same user.

 

Log Investigation

Details of log investigation

https://medium.com/@eakbas/how-to-search-billions-of-logs-without-learning-new-script-language-with-surelog-siem-2e33aa38a4dd