Anatomy of an Intrusion Detection Using SureLog SIEM

SureLog SIEM
Dec 26, 2019

The primary benefit of a SIEM system to any organization is that it greatly increases the effectiveness of the incident response team. Early detection of an incident is a key factor in containing and eradicating it, and therefore in reducing its overall impact.

Because a SIEM can correlate events from different data sources and devices, it can detect incidents that would otherwise be missed entirely. For example, a network intrusion prevention system usually sees only one part of an attack (what crossed the network), while the affected host (e.g., a notebook or a server) sees the other part (what ran on it). By combining the logs from both devices, a SIEM sees the bigger picture and makes a complete account of the incident possible.

“A SIEM’s power is in its correlation”

Microsoft Windows® Active Directory security best practices describe a number of signs that, when correlated, help identify and evaluate a compromised computer. This only works if Windows auditing settings are configured so that the relevant events are actually logged. These signs help detect malicious activity on a system early and in a timely manner. The following security events can be used together in a correlation rule to detect possible signs of intrusion on a Windows® operating system.

1) Two attempts to log in as the User were made.

2) The User's session started successfully.

3) Special privileges were assigned to the User's account.

4) A new user account was created, named "Jame".

5) A security-disabled global group was created.

6) An explorer process was created.

7) An attempt was made to unregister a security event source.

8) Jame's account was enabled.

9) The auditing settings on an object were changed.

10) Peter's account session was closed.
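To show how these ten signs become a correlation rule rather than a checklist, here is an added example that is not SureLog's own rule logic or code. It runs a per-account correlation over constructed Windows Security events: the event IDs are the standard Windows Security log IDs that record each sign, while the account names, timestamps, targets, the time window and the thresholds (`min_failed`, `min_signs`) are assumptions made for the example, as is the assumption that the "User" of signs 1 to 3 and "Peter" of sign 10 are the same account.

```python
"""Correlating the ten intrusion signs above over constructed Windows Security events.

Added example, not SureLog's code. Event IDs are the standard Windows Security
log IDs that record each sign; everything else (accounts, timestamps, targets,
thresholds) is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sign from the list above -> Windows Security event ID that records it.
SIGNS = {
    "failed_logon":      4625,  # 1) logon attempt failed
    "logon":             4624,  # 2) session started
    "special_privs":     4672,  # 3) special privileges assigned to the new logon
    "user_created":      4720,  # 4) a user account was created
    "group_created":     4749,  # 5) a security-disabled global group was created
    "process_created":   4688,  # 6) a new process was created
    "unregister_source": 4905,  # 7) attempt to unregister a security event source
    "user_enabled":      4722,  # 8) a user account was enabled
    "audit_changed":     4907,  # 9) auditing settings on an object were changed
    "logoff":            4634,  # 10) session closed
}
ID_TO_SIGN = {eid: name for name, eid in SIGNS.items()}

# Constructed sample events: (timestamp, event id, account the action is
# attributed to, target of the action). In real logs the account is the
# TargetUserName for 4624/4625/4634 and the SubjectUserName elsewhere; the
# assumption here is that the "User" of signs 1-3 and "Peter" of sign 10 are
# the same account.
SAMPLE_EVENTS = [
    ("2019-12-26 09:00:01", 4625, "peter", ""),
    ("2019-12-26 09:00:07", 4625, "peter", ""),
    ("2019-12-26 09:00:15", 4624, "peter", ""),
    ("2019-12-26 09:00:15", 4672, "peter", ""),
    ("2019-12-26 09:02:40", 4720, "peter", "jame"),
    ("2019-12-26 09:03:05", 4749, "peter", "Backup-Ops"),
    ("2019-12-26 09:03:30", 4688, "peter", "C:\\Windows\\explorer.exe"),
    ("2019-12-26 09:04:10", 4905, "peter", "Microsoft-Windows-Security-Auditing"),
    ("2019-12-26 09:04:45", 4722, "peter", "jame"),
    ("2019-12-26 09:05:20", 4907, "peter", "C:\\Windows\\System32\\config\\SAM"),
    ("2019-12-26 09:06:00", 4634, "peter", ""),
    # Benign activity from another account in the same period: must not alert.
    ("2019-12-26 09:01:00", 4624, "alice", ""),
    ("2019-12-26 09:30:00", 4634, "alice", ""),
]


def correlate(events, window=timedelta(minutes=15), min_failed=2, min_signs=5):
    """Return one alert per account whose activity matches the intrusion chain.

    A chain is anchored at a successful logon (4624) that was preceded, within
    `window`, by at least `min_failed` failed logons, and that is followed,
    within `window`, by enough events to cover `min_signs` distinct signs.
    Thresholds are constructed defaults for the example, not SureLog's.
    """
    by_account = defaultdict(list)
    for ts, eid, account, target in events:
        by_account[account].append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, target))

    alerts = []
    for account, evs in by_account.items():
        evs.sort()  # chronological; ties broken by event id
        for i, (t0, eid, _) in enumerate(evs):
            if eid != SIGNS["logon"]:
                continue
            failed = sum(1 for t, e, _ in evs[:i]
                         if e == SIGNS["failed_logon"] and t0 - t <= window)
            if failed < min_failed:
                continue
            after = [(t, e, tgt) for t, e, tgt in evs[i:] if t - t0 <= window]
            seen = {ID_TO_SIGN[e] for _, e, _ in after if e in ID_TO_SIGN}
            seen.add("failed_logon")
            if len(seen) < min_signs:
                continue
            created = {tgt for _, e, tgt in after if e == SIGNS["user_created"]}
            enabled = {tgt for _, e, tgt in after if e == SIGNS["user_enabled"]}
            alerts.append({
                "account": account,
                "start": t0.isoformat(),
                "failed_logons": failed,
                "signs": sorted(seen),
                # Accounts both created and enabled by this actor in the window
                # (the "Jame" of signs 4 and 8).
                "enabled_new_accounts": sorted(created & enabled),
            })
            break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT {alert['account']} at {alert['start']}: "
              f"{len(alert['signs'])} signs, new accounts {alert['enabled_new_accounts']}")
```

On the constructed events the rule raises one alert for `peter` covering all ten signs and naming `jame` as an account both created and enabled inside the window; `alice`, who simply logged on and off in the same period, produces nothing. Keying the correlation on the account rather than on the host is what turns a handful of individually unremarkable events (a logon, a process start, a group creation) into a single incident.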
