Reviewing and Investigating Alerts

Introduction

This article gives a general overview of why alarms trigger and how to analyse a triggered alarm.

Alarm Triggering

The Logsign Unified SecOps Platform collects your logs and triggers an alarm whenever a log matches an alarm rule.

An alarm rule fires on column matching within a single log line: every condition in the rule must be satisfied by the columns of that one log.

To correlate a value in a log line with data seen elsewhere, reference a list from the alarm rule instead of a fixed value; the lists attached to the alarm define which correlation scenarios it covers.

Let's explain this with an example.

Triggered alarms can be listed with the following search query:

Query: DataType:alert

1.png

Let's examine the following alarm.

2.png

3.png

4.png

When the alarm log is opened, the first columns to examine are Action and Alert.

Action.Object holds the object that triggered the alarm.

Alert.Reason shows why the alarm fired: it lists the columns entered in the alarm rule together with the values the matching log carried. Here the log from the SonicWall firewall had the IP address 20.190.160.12, EventMap.Type:Attack and EventMap.SubType:Detect, which matched the alarm rule.

Alert.Category is the category of the alarm library the triggered alarm belongs to.

Alert.Info is the name of the triggered alarm.
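The following is an added example, not Logsign's engine or any code from the original article. It mimics the behaviour described above (all rule conditions matched inside one log line, a list referenced from the rule for correlation) and emits alert records with the Action.Object, Alert.Reason, Alert.Category and Alert.Info columns just examined. The rule and list formats, the column names Source.IP and Device.Vendor, and the sample logs are assumptions made for the example.

```python
"""Single-line alarm matching, illustrated.

Added example, not Logsign's engine: it mimics the behaviour the article
describes (all conditions matched inside one log line, lists for correlation)
and emits alerts with the Action.Object / Alert.Reason / Alert.Category /
Alert.Info columns the article examines. Rule and list formats, the column
names Source.IP and Device.Vendor, and the sample logs are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Named lists a rule can reference with "@Name" instead of a literal value.
# Constructed for the example; this stands in for "lists within the alarm".
LISTS: dict[str, set[str]] = {
    "WatchedSources": {"20.190.160.12", "198.51.100.7"},
}


@dataclass
class AlarmRule:
    name: str                   # shown as Alert.Info
    category: str               # shown as Alert.Category
    conditions: dict[str, str]  # column -> literal value, or "@ListName"
    object_column: str          # column whose value becomes Action.Object


def column_matches(log: dict, column: str, expected: str) -> bool:
    """One condition against one log line: literal equality, or list membership."""
    value = log.get(column)
    if value is None:
        return False
    if expected.startswith("@"):
        return str(value) in LISTS.get(expected[1:], set())
    return str(value) == expected


def evaluate(rule: AlarmRule, log: dict) -> Optional[dict]:
    """All conditions must hold within this single log line; no state is kept
    across lines. Returns the alert record, or None when the rule does not fire."""
    if not all(column_matches(log, col, exp) for col, exp in rule.conditions.items()):
        return None
    # Alert.Reason: the rule's columns with the values the matching log carried.
    reason = ", ".join(f"{col}:{log[col]}" for col in rule.conditions)
    return {
        "DataType": "alert",
        "Action.Object": log.get(rule.object_column),
        "Alert.Reason": reason,
        "Alert.Category": rule.category,
        "Alert.Info": rule.name,
    }


def run_rules(rules: list[AlarmRule], logs: list[dict]) -> list[dict]:
    return [alert for log in logs for rule in rules if (alert := evaluate(rule, log))]


# Constructed sample logs (not real SonicWall output).
SAMPLE_LOGS = [
    {"Device.Vendor": "SonicWall", "Source.IP": "20.190.160.12",
     "EventMap.Type": "Attack", "EventMap.SubType": "Detect"},   # matches
    {"Device.Vendor": "SonicWall", "Source.IP": "20.190.160.12",
     "EventMap.Type": "Attack", "EventMap.SubType": "Allow"},    # SubType differs
    {"Device.Vendor": "SonicWall", "Source.IP": "192.0.2.9",
     "EventMap.Type": "Attack", "EventMap.SubType": "Detect"},   # not on the list
    {"Device.Vendor": "Fortinet", "Source.IP": "20.190.160.12",
     "EventMap.Type": "Attack", "EventMap.SubType": "Detect"},   # wrong vendor
]

RULES = [
    AlarmRule(
        name="Attack detected from watched source",
        category="Intrusion Detection",
        conditions={"Device.Vendor": "SonicWall", "EventMap.Type": "Attack",
                    "EventMap.SubType": "Detect", "Source.IP": "@WatchedSources"},
        object_column="Source.IP",
    ),
]


def demo() -> list[dict]:
    return run_rules(RULES, SAMPLE_LOGS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the first sample log produces an alert: the second fails on EventMap.SubType, the third on list membership and the fourth on the vendor column. Because each condition is checked against the same log dictionary, a rule can never be satisfied by combining columns from two different lines, which is the single-line matching the article describes.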

5.png

Next, open the case linked to the alarm and review its findings.

6.png

The case findings show that:

- the alarm had triggered 13 times before,

- no action was taken on any of those triggers,

- the risk score is low,

- the alarm first triggered at 2023-04-24 23:12:36,

- the alarm last triggered at 2023-04-26 14:39:40.

7.png

Next we pivot to the Activities panel for 20.190.160.12. It shows no event activity for the address.

8.png

The Activities panel shows no network activity for 20.190.160.12.

9.png

The Activities panel shows no process activity for 20.190.160.12.

10.png

The Activities panel shows no file activity for 20.190.160.12.

11.png

The Activities panel shows no DNS activity for 20.190.160.12.

12.png

The Activities panel shows no user activity for 20.190.160.12.

13.png

With no network or system log records for this address, the remaining check is IP reputation.

Let's look up the address in AbuseIPDB and VirusTotal.

14.png

15.png

Neither service reports a risk score for the source IP address. Note that a clean reputation means no known reports, not proof that the address is benign; newly stood-up infrastructure has no history yet.

16.png
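The reputation step above, as an added example that is not Logsign code or part of the original article: it builds the two lookups (AbuseIPDB and VirusTotal), parses their answers into one verdict, and refuses to send non-public addresses to third parties. Endpoint paths and header names follow the services' public API documentation (AbuseIPDB v2 `check` with a `Key` header, VirusTotal v3 `ip_addresses` with an `x-apikey` header); the sample payloads are constructed to match those response shapes so the module runs offline, and the verdict thresholds are assumptions.

```python
"""IP-reputation lookups for triage, illustrated.

Added example, not Logsign code. It builds the two lookups the article
performs (AbuseIPDB and VirusTotal), parses their answers into one verdict,
and refuses to send non-public addresses to third parties. Endpoint paths
and header names follow the services' public API docs (AbuseIPDB v2 `check`
with a `Key` header, VirusTotal v3 `ip_addresses` with `x-apikey`); the
payloads below are constructed to match those shapes so the module runs
offline, and the verdict thresholds are assumptions."""
import ipaddress
import json
import urllib.parse
import urllib.request

ABUSEIPDB_CHECK = "https://api.abuseipdb.com/api/v2/check"
VIRUSTOTAL_IP = "https://www.virustotal.com/api/v3/ip_addresses/"


def is_lookup_safe(ip: str) -> bool:
    """Only public addresses may be submitted to an external service: sending
    internal addresses leaks your topology and gets a meaningless answer."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def build_requests(ip: str, abuse_key: str, vt_key: str):
    """The two HTTP requests, unsent, so headers and parameters are visible."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": 90})
    abuse = urllib.request.Request(
        f"{ABUSEIPDB_CHECK}?{query}",
        headers={"Key": abuse_key, "Accept": "application/json"})
    vt = urllib.request.Request(VIRUSTOTAL_IP + ip, headers={"x-apikey": vt_key})
    return abuse, vt


def fetch_json(req: urllib.request.Request) -> dict:
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def parse_abuseipdb(payload: dict) -> dict:
    data = payload["data"]
    return {"score": int(data.get("abuseConfidenceScore", 0)),
            "reports": int(data.get("totalReports", 0))}


def parse_virustotal(payload: dict) -> dict:
    stats = payload["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": int(stats.get("malicious", 0)),
            "suspicious": int(stats.get("suspicious", 0))}


def verdict(abuse: dict, vt: dict) -> str:
    """Combine both sources. 'none' means no known bad reputation, which is not
    proof the address is benign: newly stood-up infrastructure has no reports."""
    if abuse["score"] >= 50 or vt["malicious"] >= 3:
        return "high"
    if abuse["score"] > 0 or abuse["reports"] > 0 or vt["malicious"] > 0 or vt["suspicious"] > 0:
        return "medium"
    return "none"


def check_ip(ip: str, abuse_payload: dict = None, vt_payload: dict = None,
             abuse_key: str = "", vt_key: str = "") -> dict:
    """Offline when both payloads are supplied; otherwise performs live lookups."""
    if not is_lookup_safe(ip):
        raise ValueError(f"{ip} is not a public address; do not submit it")
    if abuse_payload is None or vt_payload is None:
        abuse_req, vt_req = build_requests(ip, abuse_key, vt_key)
        abuse_payload, vt_payload = fetch_json(abuse_req), fetch_json(vt_req)
    abuse, vt = parse_abuseipdb(abuse_payload), parse_virustotal(vt_payload)
    return {"ip": ip, "abuseipdb": abuse, "virustotal": vt, "verdict": verdict(abuse, vt)}


# Constructed sample answers in the shape of the real APIs (a clean address).
SAMPLE_ABUSEIPDB = {"data": {"ipAddress": "20.190.160.12", "isPublic": True,
                             "abuseConfidenceScore": 0, "totalReports": 0,
                             "lastReportedAt": None}}
SAMPLE_VIRUSTOTAL = {"data": {"id": "20.190.160.12", "type": "ip_address",
                              "attributes": {"last_analysis_stats": {
                                  "harmless": 61, "malicious": 0, "suspicious": 0,
                                  "undetected": 27, "timeout": 0}}}}


def demo() -> dict:
    return check_ip("20.190.160.12", SAMPLE_ABUSEIPDB, SAMPLE_VIRUSTOTAL)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it with API keys to perform the live lookups, or call `check_ip` with saved responses to re-score an address offline. The `is_lookup_safe` guard is the part most often forgotten in home-grown enrichment scripts: an RFC 1918 or loopback address from an internal alarm should never be posted to a public reputation service.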

Let's also check whether the destination host reached by the source IP address has any peer-to-peer (P2P) connections.

17.png

18.png

19.png

20.png

No log record was found.

21.png

The analysis shows that the alarm's risk is low, and the case can be closed. Since the same alarm had already fired 13 times for this address without action, record the reasoning in the case so the next analyst does not repeat the investigation, and consider tuning the rule if it keeps producing benign triggers.

22.png

23.png
