Introduction
This article walks through an incident recorded under Incident Management and shows the methods used to analyze it and to detect the anomalous behavior behind it.
Behavior Analysis and Anomaly Detection
The event analyzed below is one in which an IP address flagged by the cyber intelligence module successfully connected to an IP address on the internal network.
First, the Magic Button at the bottom right of the incident lists the actions that can be taken and the investigation tools integrated with Logsign that can be used to find out what the flagged IP address has done.
Selecting Logsign from that action window opens a new window in which one of the predefined analysis queries can be run, or a custom query can be built by choosing the custom query option at the bottom.
A custom query was used here. With the flagged address set as the source IP, the columns needed to reconstruct its activity in order were selected: the time of each event, the destination IP address and port, and the type of action. Once the query was complete, it was submitted, and the results were attached to the incident shortly afterwards.
As the screenshot below shows, the IP address successfully connected to 10.10.200.10 on port 443 four times.
Next, the investigation tools integrated through the Magic Button were used to check the reputation of the IP address on AbuseIPDB, VirusTotal, and IBM X-Force, in that order.
All three reputation services returned a high risk score for the address. Since the server it reached is assumed to be an important asset, the decision was to block the reported IP address on the security device. Blocking stops further connections but does not explain what happened during the four sessions that already succeeded; the web server or application logs on 10.10.200.10 for those timestamps are the next thing to check.
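The two steps above, the per-source activity summary and the reputation check that feeds the block decision, reduce to a small amount of logic that is worth seeing end to end. The following Python is an added example written for this article, not Logsign's own code or a Logsign API: it runs over constructed firewall-style events, summarizes what one source IP did by destination, port, and action, and then combines constructed reputation scores from the three feeds into a block decision. The log format, the field names, the source address 203.0.113.45 (a documentation address standing in for the reported IP), the second internal host 10.10.200.11, and all score thresholds are assumptions made for the example.

```python
"""Added example (not Logsign's code): offline version of the triage steps.

Step 1 filters constructed events for a source IP and counts
(destination, port, action) tuples, as the custom query did.
Step 2 turns constructed reputation scores from three feeds into
per-feed verdicts and a block decision.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample events: timestamp, source IP, destination IP,
# destination port, firewall action.  Not real traffic.
SAMPLE_EVENTS = [
    "2024-03-01T10:01:12Z src=203.0.113.45 dst=10.10.200.10 dport=443 action=allow",
    "2024-03-01T10:01:15Z src=203.0.113.45 dst=10.10.200.10 dport=443 action=allow",
    "2024-03-01T10:02:40Z src=203.0.113.45 dst=10.10.200.10 dport=22 action=deny",
    "2024-03-01T10:03:01Z src=198.51.100.7 dst=10.10.200.10 dport=443 action=allow",
    "2024-03-01T10:05:30Z src=203.0.113.45 dst=10.10.200.10 dport=443 action=allow",
    "2024-03-01T10:07:55Z src=203.0.113.45 dst=10.10.200.10 dport=443 action=allow",
    "2024-03-01T10:08:10Z src=203.0.113.45 dst=10.10.200.11 dport=3389 action=deny",
]


def parse_event(line):
    """Parse one 'ts key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["dport"] = int(event["dport"])
    return event


def summarise_source(lines, src_ip):
    """Return {(dst, dport, action): count} for events from src_ip.

    This is the same view the custom query produced for the flagged
    address: where it went, on which port, and whether it got through.
    """
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event["src"] == src_ip:
            counts[(event["dst"], event["dport"], event["action"])] += 1
    return dict(counts)


@dataclass
class Reputation:
    """Constructed scores, one per feed, in each feed's native scale."""
    abuseipdb_confidence: int   # AbuseIPDB abuse confidence, 0-100
    virustotal_malicious: int   # VirusTotal engines flagging the IP
    xforce_risk: float          # IBM X-Force risk score, 1-10


def reputation_verdicts(rep, abuse_min=75, vt_min=5, xforce_min=7.0):
    """Return True per feed where the feed rates the IP as high risk.

    The thresholds are assumptions chosen for this example, not values
    recommended by the feeds or by the article.
    """
    return {
        "abuseipdb": rep.abuseipdb_confidence >= abuse_min,
        "virustotal": rep.virustotal_malicious >= vt_min,
        "xforce": rep.xforce_risk >= xforce_min,
    }


def should_block(summary, verdicts, critical_hosts, min_feeds=2):
    """Block when the source successfully reached a critical host and at
    least min_feeds reputation feeds agree that it is high risk."""
    reached_critical = any(
        dst in critical_hosts and action == "allow"
        for (dst, _port, action) in summary
    )
    return reached_critical and sum(verdicts.values()) >= min_feeds


if __name__ == "__main__":
    summary = summarise_source(SAMPLE_EVENTS, "203.0.113.45")
    for (dst, port, action), n in sorted(summary.items()):
        print(f"{dst}:{port} {action} x{n}")
    verdicts = reputation_verdicts(Reputation(100, 12, 8.5))
    print("block:", should_block(summary, verdicts, {"10.10.200.10"}))
```

The block decision deliberately requires both signals: high reputation scores alone would also fire on an address that only ever hit the firewall and was dropped, and four allowed connections alone are not suspicious without the reputation context. Requiring agreement from at least two feeds guards against a single stale or over-aggressive listing.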