Investigating Anomalies by Understanding Behavior

Introduction

In this article, various methods will be used to analyze an incident recorded in the Incident Management section and to detect anomalies.

Behavior Analysis and Anomaly Detection

The event analyzed below is one in which an IP address flagged by the cyber intelligence module successfully connected to an IP address in the internal network.

1.png

First, clicking the Magic Button at the bottom right opens the list of actions that can be taken and the investigation tools integrated with Logsign; from here, the tools for analyzing what actions the IP address has performed can be viewed.

2.png

When Logsign is selected in the action window, predefined analysis queries can be run from the newly opened window, or a custom query can be built by selecting the customized query option at the bottom.

3.png

Using the customized query, the IP address under investigation was set as the source IP address in the table, and the columns needed to examine its activity in chronological order were selected: when each action occurred, which destination IP address and port it targeted, and what type of action it was. Once these settings were complete, the analysis was run by clicking the submit button, and the results were transferred to the incident section shortly afterwards.

4.png

As seen in the screenshot below, the analysis result shows that the IP address under investigation successfully accessed the IP address 10.10.200.10 over port 443 four times.

5.png

Using the investigation tools integrated with Logsign via the Magic Button, IP reputation lookups were performed on AbuseIPDB, VirusTotal, and IBM X-Force, in that order.

6.png

As the results show, the IP address received a high risk score in all three IP reputation tools. Since the server it connected to is assumed to be important, it was decided to block the reported IP address on the security device.

7.png
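The two steps above (summarizing a source IP's connections by destination, port and action type, then combining the reputation scores with the importance of the touched asset into a block decision) can be reproduced outside the UI. The following is an added example and not Logsign's own code or query language: the log lines, the reputation scores, the 0-100 risk threshold and the list of important assets are all constructed for illustration, and the simple "timestamp src dst dport action" log layout is an assumption made for the example.

```python
"""Added triage example (not Logsign's own code).

Summarizes one source IP's activity from connection logs, the way the custom
query in the article does, and turns three reputation scores plus the
importance of the contacted server into a block/no-block decision.
Every log line, score, threshold and asset below is constructed for the example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed log lines in an assumed "timestamp src dst dport action" layout
# (not Logsign's log format). 203.0.113.45 is a documentation-range address
# standing in for the flagged external IP.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 203.0.113.45 10.10.200.10 443 connection_success
2024-05-01T10:00:07Z 203.0.113.45 10.10.200.10 443 connection_success
2024-05-01T10:00:09Z 192.168.1.20 10.10.200.10 443 connection_success
2024-05-01T10:01:15Z 203.0.113.45 10.10.200.10 443 connection_success
2024-05-01T10:02:30Z 203.0.113.45 10.10.200.10 443 connection_success
2024-05-01T10:03:00Z 203.0.113.45 10.10.200.11 22 connection_failed
"""

RISK_THRESHOLD = 75            # constructed threshold on a 0-100 scale
IMPORTANT_ASSETS = {"10.10.200.10"}  # constructed list of servers treated as important


@dataclass(frozen=True)
class ConnectionEvent:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def parse_logs(text: str) -> list[ConnectionEvent]:
    """Parse the assumed five-column layout into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append(ConnectionEvent(ts, src, dst, int(port), action))
    return events


def activity_for_source(events: list[ConnectionEvent], src_ip: str):
    """Mirror the custom query: keep only the chosen source IP, order by time,
    and count each (destination IP, port, action type) combination."""
    timeline = sorted((e for e in events if e.src_ip == src_ip),
                      key=lambda e: e.timestamp)
    summary = Counter((e.dst_ip, e.dst_port, e.action) for e in timeline)
    return timeline, summary


def high_risk_everywhere(scores: dict[str, int], threshold: int = RISK_THRESHOLD) -> bool:
    """True only when every reputation source scores at or above the threshold."""
    return all(score >= threshold for score in scores.values())


def block_decision(src_ip: str, events: list[ConnectionEvent],
                   scores: dict[str, int], important_assets: set[str]) -> dict:
    """Combine the activity summary with the reputation verdict, as the article does:
    block when the IP is high-risk in all sources and successfully reached an
    important asset."""
    timeline, summary = activity_for_source(events, src_ip)
    touched_important = any(
        e.dst_ip in important_assets and e.action == "connection_success"
        for e in timeline
    )
    risky = high_risk_everywhere(scores)
    return {
        "source": src_ip,
        "summary": dict(summary),
        "touched_important_asset": touched_important,
        "high_risk_everywhere": risky,
        "block": risky and touched_important,
    }


if __name__ == "__main__":
    # Constructed reputation scores; real values come from the lookups in the article.
    scores = {"AbuseIPDB": 100, "VirusTotal": 80, "IBM X-Force": 90}
    result = block_decision("203.0.113.45", parse_logs(SAMPLE_LOGS), scores, IMPORTANT_ASSETS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The decision rule deliberately requires agreement across all reputation sources and a successful connection to an asset on the important list; a single low score or only failed connection attempts drops the verdict to "no block", so the case can be reviewed manually instead of auto-blocked.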
