SureLog SIEM User Behavior Monitoring Rules

SureLog SIEM
Apr 3, 2019


Monitoring user behaviors with SureLog SIEM is easy and manageable.

Examples of such rules:

  • Monitor multiple VPN accounts logged in from a single IP.
  • Monitor when a VPN account logs in to a machine and that machine then sends a request to a database holding PII data.
  • Monitor logins against terminated employee accounts.
  • Alert when a user is still logged on but someone else logs on with a different IP using the same username to any machine.

As a development sample:

We want an alert when a user is still logged on but someone else logs on with a different IP using the same username to any machine.

We will implement this rule with SureLog SIEM. The order of the rules (steps) is important and is managed by the “Rule Priority” parameter in SureLog.

Step 1: Create a rule to alert when a user is still logged on but someone else logs on with a different IP using the same username.

There are special operators related to list management in SureLog, such as “Key in List With Different Data”.

Step 2: Add USER:DSTIP:SRCIP (key1, key2, value) to the list if that USER:DSTIP:SRCIP combination is not already in the list.

Step 3: Remove the user from the list when the user logs off.
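To make the three steps concrete, here is an added Python illustration of the same stateful logic; it is not SureLog's rule language or code from this post. The list is modelled as a dictionary keyed by (USER, DSTIP) holding SRCIP, the "Key in List With Different Data" operator becomes a comparison of the stored SRCIP against the incoming one, and the rule priority is reproduced by evaluating the alert check (Step 1) before the insert (Step 2). The event dictionaries and their field names (`action`, `user`, `dst_ip`, `src_ip`) are constructed sample input, not a SureLog log format.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample login/logoff events (not real SureLog events).
SAMPLE_EVENTS = [
    {"action": "login",  "user": "alice", "dst_ip": "10.0.0.5", "src_ip": "192.0.2.10"},
    # Same user, same machine, same source IP: a repeat of the existing session, no alert.
    {"action": "login",  "user": "alice", "dst_ip": "10.0.0.5", "src_ip": "192.0.2.10"},
    # Same user and machine, but a different source IP while alice is still logged on: alert.
    {"action": "login",  "user": "alice", "dst_ip": "10.0.0.5", "src_ip": "198.51.100.7"},
    # Logoff removes the tracked session (Step 3).
    {"action": "logoff", "user": "alice", "dst_ip": "10.0.0.5", "src_ip": "192.0.2.10"},
    # After the logoff a login from another IP is a fresh session, no alert.
    {"action": "login",  "user": "alice", "dst_ip": "10.0.0.5", "src_ip": "198.51.100.7"},
]


class ConcurrentLoginDetector:
    """Tracks active sessions as USER:DSTIP -> SRCIP and alerts on a second source IP."""

    def __init__(self) -> None:
        # The "list" from the post: key1=USER, key2=DSTIP, value=SRCIP.
        self.active: Dict[Tuple[str, str], str] = {}
        self.alerts: List[str] = []

    def process(self, event: dict) -> Optional[str]:
        """Apply the three rules in priority order; return an alert string or None."""
        key = (event["user"], event["dst_ip"])
        src_ip = event["src_ip"]

        if event["action"] == "logoff":
            # Step 3: the user logged off, so drop the entry for that user/machine.
            self.active.pop(key, None)
            return None

        if event["action"] != "login":
            return None

        # Step 1 (highest priority): key is already in the list with different data,
        # i.e. someone is using the same username on the same machine from another IP.
        stored_src = self.active.get(key)
        if stored_src is not None and stored_src != src_ip:
            alert = (f"ALERT: user={event['user']} already logged on to {event['dst_ip']} "
                     f"from {stored_src}, new login from {src_ip}")
            self.alerts.append(alert)
            return alert

        # Step 2: record the session only if this USER:DSTIP:SRCIP is not already listed.
        if stored_src is None:
            self.active[key] = src_ip
        return None


def run_detector(events: List[dict]) -> Tuple[List[str], Dict[Tuple[str, str], str]]:
    """Feed events through the detector; return (alerts, remaining active sessions)."""
    detector = ConcurrentLoginDetector()
    for event in events:
        detector.process(event)
    return detector.alerts, dict(detector.active)


if __name__ == "__main__":
    alerts, active = run_detector(SAMPLE_EVENTS)
    for line in alerts:
        print(line)
    print("still tracked:", active)
```

Running the block against the constructed events raises exactly one alert, for the login from 198.51.100.7 while the session from 192.0.2.10 is still tracked. Note that, as in the post's Step 3, a logoff clears the entry for the user/machine pair without checking which source IP logged off; in a production rule you may want to compare the logoff's source IP against the stored one so that the original session stays tracked when only the second login ends.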
