Determining Indicators for Threat Detection with Logsign

Introduction

This article will provide information on understanding and detecting threat situations in the logs you analyze in Logsign.

Context

Logsign uses lists to detect abnormal behavior. An object (for example a source IP address) that satisfies a rule's conditions is added to a list, and the list entry also carries context information that is then applied to that object in later logs.

Let's explain this with an example.

In the list below:

If a source IP address makes more than 100 POST requests within 6 minutes, it is added to the list. The context information of the IP address added to the list is then marked as Suspicious in all other logs.

1.png

2.png


In the logs below, the Context.SourceIP and Context.DestinationIP columns show that the IP address has previously been added to a list.

3.png

4.png

Behavior

You can view columns such as Behavior.SourceIP or Behavior.SourceUserName in the logs; they are filled in through log enrichment. A value in Behavior.SourceIP or another Behavior column means that the corresponding field value (the source IP, user name, and so on) is currently a member of that list.

In the log example below, we can say that the IP address 192.168.250.184 is in the list of sources accessing a malicious IP address by looking at the Behavior.SourceIP column.

5.png
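To make the two mechanisms above concrete, the following is an added example (not Logsign's code or configuration, and not part of the original article). It models a list with a context label, a sliding-window rule that adds a source IP to the list after more than 100 POST requests within 6 minutes, and an enrichment step that writes Context.* and Behavior.* columns into later logs for any field value found in a list. The list names (post_flood_sources, sources_accessing_malicious_ip), the log field names and all sample logs are constructed for this example; the thresholds and the IP 192.168.250.184 are taken from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold and window from the article's example: more than 100 POST
# requests from one source IP within 6 minutes.
THRESHOLD = 100
WINDOW = timedelta(minutes=6)


class ContextList:
    """A named list with a context label (hypothetical stand-in for a
    Logsign list whose members are marked e.g. 'Suspicious' in later logs)."""

    def __init__(self, name, context):
        self.name = name          # surfaced in Behavior.<field> columns
        self.context = context    # surfaced in Context.<field> columns
        self.members = set()


class ThresholdDetector:
    """Sliding-window counter: adds a source IP to `target` once it has sent
    more than `threshold` POST requests inside `window`. Logs are assumed to
    arrive in time order."""

    def __init__(self, target, threshold=THRESHOLD, window=WINDOW):
        self.target = target
        self.threshold = threshold
        self.window = window
        self._posts = defaultdict(deque)  # SourceIP -> timestamps of POSTs

    def observe(self, log):
        """Feed one parsed log; return True if the source IP is over threshold."""
        if log.get("Method") != "POST":
            return False
        ip, ts = log["SourceIP"], log["Time"]
        q = self._posts[ip]
        q.append(ts)
        while ts - q[0] > self.window:   # drop POSTs older than the window
            q.popleft()
        if len(q) > self.threshold:      # strictly "more than 100"
            self.target.members.add(ip)
            return True
        return False


def enrich(log, lists):
    """Return a copy of `log` with Context.<field> and Behavior.<field>
    columns for every field whose value is a member of one of `lists`."""
    out = dict(log)
    for field in ("SourceIP", "DestinationIP", "SourceUserName"):
        value = log.get(field)
        if value is None:
            continue
        for lst in lists:
            if value in lst.members:
                out["Context." + field] = lst.context
                out["Behavior." + field] = lst.name
    return out


def posts(ip, count, gap_seconds, start=datetime(2024, 1, 1, 12, 0, 0)):
    """Constructed sample stream: `count` POST logs from `ip`, `gap_seconds`
    apart, followed by one GET from the same IP ten minutes after `start`."""
    logs = [{"Time": start + timedelta(seconds=gap_seconds * i),
             "SourceIP": ip, "DestinationIP": "10.0.0.1", "Method": "POST"}
            for i in range(count)]
    logs.append({"Time": start + timedelta(minutes=10), "SourceIP": ip,
                 "DestinationIP": "10.0.0.1", "Method": "GET"})
    return logs


def run(logs):
    """Apply the rule and the enrichment to a log stream.
    Returns (the threshold list, the enriched logs)."""
    suspicious = ContextList("post_flood_sources", "Suspicious")
    # Second list, pre-populated with the IP from the article's Behavior
    # example; the list name is hypothetical.
    malicious_access = ContextList("sources_accessing_malicious_ip", "Suspicious")
    malicious_access.members.add("192.168.250.184")
    detector = ThresholdDetector(suspicious)
    enriched = []
    for log in sorted(logs, key=lambda l: l["Time"]):
        detector.observe(log)
        enriched.append(enrich(log, [suspicious, malicious_access]))
    return suspicious, enriched


def last_log_for(enriched, ip):
    """Convenience: the most recent enriched log from `ip`."""
    return [e for e in enriched if e["SourceIP"] == ip][-1]


if __name__ == "__main__":
    stream = posts("10.0.0.5", 101, 3) + posts("10.0.0.9", 5, 7) \
        + posts("192.168.250.184", 1, 1)
    lst, out = run(stream)
    for ip in ("10.0.0.5", "10.0.0.9", "192.168.250.184"):
        print(ip, {k: v for k, v in last_log_for(out, ip).items()
                   if k.startswith(("Context.", "Behavior."))})
```

Running the block prints the Context/Behavior columns for the last log of each IP: 10.0.0.5 is marked Suspicious via the threshold rule, 192.168.250.184 via its pre-existing list membership, and 10.0.0.9 (only five POSTs) gets no enrichment. Note that 101 POSTs spread over more than 6 minutes never trigger, because the window drops old timestamps before the count is compared.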
