Manage Custom Rules to Detect Unusual Activity in Network

Introduction

This article explains how to recognize a record of unusual activity when analyzing logs, using the Behavior columns that log enrichment adds to each record.

Behavior

Columns such as Behavior.SourceIP or Behavior.SourceUserName appear in the logs through log enrichment. A value in Behavior.SourceIP, or in any other Behavior column, means that the corresponding field value of the record (for example, its source IP) is present in the list named in that column.

In the log example below, the Behavior.SourceIP column shows that the IP address 192.168.250.184 is in the list of sources that accessed a malicious IP address.

[Figure: 1.png]

In the log example below, the Behavior.SourceUserName column shows that the user with Source.UserName: adminlgs is also in the Administrators list.

[Figure: 2.png]

Examining the Administrators list shows that it is a static list containing the users with admin privileges.

[Figure: 3.png]

[Figure: 4.png]
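The following is an added example, not Logsign's code: it shows how list-based enrichment produces Behavior.* columns like the ones in the screenshots above, and how a custom rule can read those columns to flag an admin user acting from a source that appears on the malicious-IP access list. The list names, the field-to-list mapping and the sample events are constructed assumptions; only 192.168.250.184 and adminlgs come from the article.

```python
# Added example (not Logsign's code): list-based enrichment that yields
# Behavior.* columns, plus a custom rule that reads them. List names,
# field names and the sample events below are constructed assumptions.

# Name of each list -> the event field it is matched against (assumption).
LIST_FIELDS = {
    "Sources Accessing Malicious IP": "Source.IP",
    "Administrators": "Source.UserName",
}

# Constructed list contents. "Administrators" is a static list of privileged
# users; the other list holds sources observed reaching a malicious IP.
LISTS = {
    "Sources Accessing Malicious IP": {"192.168.250.184"},
    "Administrators": {"adminlgs", "root"},
}


def behavior_column(field_name: str) -> str:
    """Source.IP -> Behavior.SourceIP, Source.UserName -> Behavior.SourceUserName."""
    return "Behavior." + field_name.replace(".", "")


def enrich(event: dict) -> dict:
    """Return a copy of the event with a Behavior.* column for every field
    whose value appears in one or more lists; the column holds the list names."""
    enriched = dict(event)
    for list_name, field_name in LIST_FIELDS.items():
        if event.get(field_name) in LISTS[list_name]:
            col = behavior_column(field_name)
            enriched[col] = enriched.get(col, []) + [list_name]
    return enriched


def admin_from_suspicious_source(event: dict) -> bool:
    """Custom rule: a user on the Administrators list acting from a source
    that is on the malicious-IP access list. Reads only Behavior columns."""
    return ("Administrators" in event.get("Behavior.SourceUserName", [])
            and "Sources Accessing Malicious IP" in event.get("Behavior.SourceIP", []))


def detect(events: list) -> list:
    """Enrich each raw event and return the enriched records matching the rule."""
    return [e for e in map(enrich, events) if admin_from_suspicious_source(e)]


if __name__ == "__main__":
    SAMPLE_EVENTS = [  # constructed sample records
        {"Source.IP": "192.168.250.184", "Source.UserName": "adminlgs"},
        {"Source.IP": "10.20.30.40", "Source.UserName": "adminlgs"},
        {"Source.IP": "192.168.250.184", "Source.UserName": "jdoe"},
    ]
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit)
```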
