NxSIEM Use Cases

Comodo NxSIEM has many different capabilities to fulfill use cases with various requirements and log collection methods. Even collecting, correlating and analysing only Windows logs can provide a good level of security visibility. Comodo NxSIEM offers a free network monitoring sensor that instantly increases your network visibility and enables implementation of additional use cases that strengthen your security posture. Comodo NxSIEM's live lists feature is a very powerful tool to store information as lists and enable alerts based on the stored lists. This feature leads to many use cases such as blacklisting, whitelisting and reducing the number of alerts for repetitive correlations.

Comodo NxSIEM has feature-rich custom query and reporting capabilities and predefined content that help significantly with external and internal compliance requirements.

Please see below for some specific use cases and their implementations on SIEM from Comodo that will get you on board quickly.

  • Detecting Brute Force Attack

    Brute force attacks are generally detected by their volume rather than their content. Usually many failed login attempts from the same source IP are logged.

    • Possible Data Sources: Windows event logs, Linux system logs, Comodo NxSIEM sensor logs, IDS alerts for brute force
    • Technique: 1. Correlation based on the number of failed login attempts from the same source IP. This correlation can be improved using IDS logs that contain a brute force signature for the target IP.

      2. Correlation based on the Windows account lockout count. Excessive account lockouts on the same target IP lead to an alert.
    • Remediation: Restrict access of the source IP.
  • Detecting traffic to dark address space from compromised system

    Compromised systems often try to communicate with a command and control server outside of your network to grant access or exfiltrate data. Detecting this unusual traffic from any of your endpoints or servers in real time is crucial to block attacks before they damage your network or steal precious data.

    • Possible Data Sources: Firewall logs, Comodo NxSIEM sensor, network monitoring tools' logs, IDS alerts
    • Technique: Correlation based on live lists of dark address spaces. If a connection from any of the machines in the network to an IP or address in the blacklist is detected, create an alert.
    • Remediation: Restrict outside traffic, perform a malware scan on the source, identify the communicating process and terminate it.
  • Detecting Attack from suspicious source

    Connections from blacklisted sources may be an indicator of attack, so they must be watched closely. This rule creates an alert for all connections from suspicious sources. By using the live lists, alerts on the same source/target pair can be suspended for specified time periods.

    • Possible Data Sources: Firewall logs, Comodo NxSIEM sensor logs, IDS alerts
    • Technique: Correlating with blacklist information of IPs and malware domains. A connection made from a blacklisted source triggers an alert.
    • Remediation: Restrict access of the source IP.
  • Detecting Host Port Scan

    • Possible Data Sources: Firewall logs, NxSIEM Sensor logs, IDS alerts
    • Technique: Correlation of multiple access failure events on the same source and target pair but to different target ports each time, in a specified time interval.
    • Remediation: Restrict access of the source IP to all ports.
  • Suspicious behavior of log source

    Attackers generally tend to disable logging on the system they have taken control of. An alert on a no-log condition is a useful tool to detect these attackers in time.

    • Possible Data Sources: all log sources
    • Technique: Scheduled query result based alert definition. Alert when the scheduled query result count is 0.
    • Remediation: Restrict access of the host machine. Check for unusual processes, perform a malware scan.
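The following is an added example, not Comodo's code, of the "no log" alert logic described above: a scheduled query counts events per log source over the last interval, and any expected source whose count is 0 becomes an alert. The source names, timestamps and the 15-minute interval are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed list of log sources that are expected to report continuously.
EXPECTED_SOURCES = ["dc01", "web01", "fw-edge", "db02"]

# Constructed sample events (not real logs): (ISO timestamp, source name).
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:05", "dc01"),
    ("2024-03-01T10:01:10", "web01"),
    ("2024-03-01T10:02:30", "dc01"),
    ("2024-03-01T09:20:00", "db02"),   # last seen well before the query interval
]


def event_counts(events, now_iso, interval_minutes=15, expected=EXPECTED_SOURCES):
    """Count events per expected source inside (now - interval, now],
    which is what the scheduled query would return."""
    now = datetime.fromisoformat(now_iso)
    start = now - timedelta(minutes=interval_minutes)
    counts = {src: 0 for src in expected}
    for ts, src in events:
        t = datetime.fromisoformat(ts)
        if start < t <= now and src in counts:
            counts[src] += 1
    return counts


def silent_sources(events, now_iso, interval_minutes=15, expected=EXPECTED_SOURCES):
    """Alert condition: expected sources whose query result count is 0."""
    counts = event_counts(events, now_iso, interval_minutes, expected)
    return sorted(src for src in expected if counts[src] == 0)


if __name__ == "__main__":
    # Evaluated at 10:05 with a 15-minute lookback: fw-edge never reported,
    # db02 last reported at 09:20, so both are flagged.
    print(silent_sources(SAMPLE_EVENTS, "2024-03-01T10:05:00"))
```

The key design point is that the alert is keyed on an explicit list of expected sources rather than on sources seen recently; a host that has never logged at all, or that stopped logging before the lookback window, would otherwise never appear in the query result and so could never produce a zero count.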
  • Detecting Suspicious communication from attacked target

    After an attack, attackers generally try to discover the network topology and the vulnerabilities of the network by making connections from the compromised machine. Comodo NxSIEM has the ability to add all correlation results to lists; using this feature, attacked machines can be kept in a list for further analysis. A rule can be defined to detect connection attempts to different machines in the network from a machine in the compromised list. This prevents attackers from gaining access to other machines in the network, a technique called pivoting.

    • Possible Data Sources: Compromised List, NxSIEM Sensor logs, IDS alerts
    • Technique: Correlation of the attack correlation results with NxSIEM sensor logs or network monitoring logs from the same source to different target hosts.
    • Remediation: Restrict access of the host machine. Check for unusual processes, perform a malware scan.
  • Identifying malware traffic

    Fire an alert when an asset is communicating with a well-known malware server.

    • Possible Data Sources: Firewall logs, Malware server live lists, Comodo NxSIEM Sensor
    • Technique: Correlation between live lists of malware servers and firewall or network monitor logs. Alert when a malware domain or IP is detected as the source or target of a log entry.
    • Remediation: Restrict access of the host machine, perform a malware scan.
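The three live-list use cases above (dark address space, suspicious source, malware server) share one mechanism: match the source and target of each connection log against a stored list, alert on a hit, and suspend repeat alerts for the same source/target pair for a period. The block below is an added example of that mechanism, not Comodo's implementation; the CIDR ranges, domains, log format and 10-minute suppression period are constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed live lists (placeholder indicators, not real ones): dark address
# space as CIDR blocks, plus malware server domains.
DARK_ADDRESS_SPACE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
MALWARE_DOMAINS = {"bad.example", "c2.example"}

# Constructed firewall / sensor log lines: "<ts> <src_ip> -> <dst_ip> <dst_host or ->"
SAMPLE_LOGS = [
    "2024-03-01T10:00:00 10.0.0.5 -> 203.0.113.7 -",
    "2024-03-01T10:00:30 10.0.0.5 -> 203.0.113.7 -",               # same pair within 10 min: suppressed
    "2024-03-01T10:01:00 10.0.0.8 -> 93.184.216.34 www.example.com",  # clean
    "2024-03-01T10:02:00 10.0.0.9 -> 192.0.2.10 c2.example",
    "2024-03-01T10:20:00 10.0.0.5 -> 203.0.113.7 -",               # suppression expired: alert again
]


def parse_line(line):
    ts, src, _, dst, host = line.split()
    return datetime.fromisoformat(ts), src, dst, (None if host == "-" else host)


def in_dark_space(ip):
    """True if the address falls inside any listed dark address block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARK_ADDRESS_SPACE)


def match_live_lists(src, dst, host):
    """Return the name of the live list that matched, or None."""
    if in_dark_space(src) or in_dark_space(dst):
        return "dark_address_space"
    if host and host.lower().rstrip(".") in MALWARE_DOMAINS:
        return "malware_domain"
    return None


def correlate(lines, suppress_minutes=10):
    """Alert on live-list hits; repeat hits for the same (src, dst) pair are
    suppressed until the suppression period has elapsed."""
    suppress_for = timedelta(minutes=suppress_minutes)
    suppressed_until = {}
    alerts = []
    for line in lines:
        ts, src, dst, host = parse_line(line)
        reason = match_live_lists(src, dst, host)
        if reason is None:
            continue
        key = (src, dst)
        if key in suppressed_until and ts < suppressed_until[key]:
            continue
        suppressed_until[key] = ts + suppress_for
        alerts.append((ts.isoformat(), src, dst, reason))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Matching CIDR blocks with `ipaddress` rather than string prefixes avoids the classic mistake of treating `203.0.113.0/24` as "starts with 203.0.11", which would also match `203.0.110.x` through `203.0.119.x`.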
  • Detecting DNS Tunneling

    A DNS tunnel can be used for "command and control", data exfiltration or tunneling of any internet protocol (IP) traffic. DNS tunnels can be detected using various SIEM methods in Comodo NxSIEM. One of them is traffic based detection. Because tunneled data is typically limited to 512 bytes per request, a large number of requests are required for communication.

    • Possible Data Sources: DNS logs, Comodo NxSIEM Sensor, IDS alerts, Network Monitoring Tools' logs
    • Technique: Generate alert over high DNS request count from the same source IP.
    • Remediation: Restrict access of the host machine, perform a malware scan.
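The brute force, host port scan and DNS tunneling use cases above are all instances of one correlation pattern: count events (or distinct values) per group inside a sliding time window and alert when a threshold is reached. The block below is an added example of that pattern, not Comodo's correlation engine; the event format, the thresholds (5 failed logins, 10 distinct ports, 200 DNS queries per minute) and the sample events are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, kind, src, **fields):
    """Build a constructed event (not a real log record)."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "src": src, **fields}


SAMPLE_EVENTS = [
    # brute force: 6 failed logins from 10.0.0.5 within a minute
    *[ev(f"2024-03-01T10:00:{i * 5:02d}", "login_failed", "10.0.0.5", dst="10.0.1.20") for i in range(6)],
    # a single failed login from another host (below threshold)
    ev("2024-03-01T10:00:10", "login_failed", "10.0.0.6", dst="10.0.1.20"),
    # port scan: 10.0.0.7 is denied on 12 different ports of 10.0.1.30
    *[ev(f"2024-03-01T10:05:{i:02d}", "conn_denied", "10.0.0.7", dst="10.0.1.30", dport=20 + i) for i in range(12)],
    # DNS tunnel volume: 250 queries from 10.0.0.9 in 25 seconds
    *[ev(f"2024-03-01T10:10:{i // 10:02d}", "dns_query", "10.0.0.9", qname=f"{i}.t.example") for i in range(250)],
    # a normal DNS client
    *[ev(f"2024-03-01T10:10:{i:02d}", "dns_query", "10.0.0.8", qname="www.example.com") for i in range(5)],
]


class WindowRule:
    """Alert once per group when the count (value_of=None) or the number of
    distinct values inside the sliding window reaches the threshold."""

    def __init__(self, name, kind, group_by, value_of, threshold, window):
        self.name, self.kind = name, kind
        self.group_by, self.value_of = group_by, value_of
        self.threshold, self.window = threshold, window
        self.state = defaultdict(deque)   # group key -> deque of (ts, value)
        self.fired = set()                # groups that already alerted

    def feed(self, e):
        if e["kind"] != self.kind:
            return None
        key = self.group_by(e)
        q = self.state[key]
        q.append((e["ts"], self.value_of(e) if self.value_of else None))
        while q and q[0][0] < e["ts"] - self.window:   # drop events outside the window
            q.popleft()
        n = len(q) if self.value_of is None else len({v for _, v in q})
        if n >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return (self.name, key, n)
        return None


def build_rules():
    minute = timedelta(minutes=1)
    return [
        WindowRule("brute_force", "login_failed", lambda e: e["src"], None, 5, minute),
        WindowRule("port_scan", "conn_denied", lambda e: (e["src"], e["dst"]), lambda e: e["dport"], 10, minute),
        WindowRule("dns_tunnel_volume", "dns_query", lambda e: e["src"], None, 200, minute),
    ]


def run(events, rules=None):
    """Feed events in time order through every rule; return the alerts raised."""
    rules = rules or build_rules()
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        for rule in rules:
            alert = rule.feed(e)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The port scan rule groups by the source/target pair and counts distinct destination ports, so a client that retries the same closed port many times does not look like a scan; the brute force rule groups by source only, so the same attacker spraying several accounts on one target still accumulates toward the threshold.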
  • Detecting FTP hacking

    If you run an FTP server, it is another target for attackers. Generally FTP servers are not maintained as securely as other servers, which makes them more vulnerable. Detecting requests and creating alarms on suspicious behaviour significantly reduces FTP attacks.

    • Possible Data Sources: FTP Logs, Firewall logs, Comodo NxSIEM Sensor, IDS alerts, Network Monitoring Tools' logs
    • Technique: Generate an alert on a specified number of failed login attempts followed by a successful login. Events can be correlated with other sources to decrease false positives.
    • Remediation: Restrict access of the source to the FTP server.
  • Detecting SYN flood

    A SYN flood is a subtype of DoS attack composed of a high number of SYN packets with non-existent source IP addresses. The server responds to each connection request with SYN-ACK but never gets a reply, because the source IP does not exist.

    • Possible Data Sources: Server connection logs, firewall logs, network monitoring tools' logs, Comodo NxSIEM Sensor logs
    • Technique: This is a chain-of-events correlation: first detect many SYN requests associated with the same source. That event is then correlated with the ACK events of the same source IP.
    • Remediation: Restrict access of the source to the target server.
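The FTP and SYN flood use cases above are chain-of-events correlations: the alert depends on a sequence (failures followed by a success) or on a step that never arrives (a SYN whose handshake is never completed). The block below is an added example of both, not Comodo's rule logic. The event format, the thresholds (3 FTP failures, 30 incomplete handshakes in 60 seconds) and the sample events are constructed; the SYN rule groups incomplete handshakes per target server and removes a source once its ACK arrives, which is one reading of the correlation described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, kind, src, **fields):
    """Build a constructed event (not a real log record)."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "src": src, **fields}


FTP_EVENTS = [
    ev("2024-03-01T10:00:00", "ftp_login_failed", "10.0.0.5", user="admin"),
    ev("2024-03-01T10:00:10", "ftp_login_failed", "10.0.0.5", user="admin"),
    ev("2024-03-01T10:00:20", "ftp_login_failed", "10.0.0.5", user="admin"),
    ev("2024-03-01T10:00:30", "ftp_login_ok", "10.0.0.5", user="admin"),   # success after 3 failures
    ev("2024-03-01T10:01:00", "ftp_login_failed", "10.0.0.6", user="bob"),
    ev("2024-03-01T10:01:05", "ftp_login_ok", "10.0.0.6", user="bob"),     # one typo: not alerted
]

TCP_EVENTS = (
    # 40 SYNs to 10.0.1.40 from sources that never complete the handshake
    [ev(f"2024-03-01T11:00:{i:02d}", "tcp_syn", f"203.0.113.{i}", dst="10.0.1.40") for i in range(40)]
    # one legitimate client that does complete it
    + [ev("2024-03-01T11:00:05", "tcp_syn", "10.0.0.5", dst="10.0.1.40"),
       ev("2024-03-01T11:00:06", "tcp_ack", "10.0.0.5", dst="10.0.1.40")]
)


def ftp_failed_then_success(events, failures=3, window_minutes=5):
    """Alert when a source logs in successfully after at least `failures`
    failed attempts inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        fails = [t for t in recent[e["src"]] if t >= e["ts"] - window]
        if e["kind"] == "ftp_login_failed":
            fails.append(e["ts"])
        elif e["kind"] == "ftp_login_ok" and len(fails) >= failures:
            alerts.append((e["src"], e["user"], len(fails)))
            fails = []
        recent[e["src"]] = fails
    return alerts


def syn_flood(events, threshold=30, window_seconds=60):
    """Alert once per target when it holds at least `threshold` SYNs inside
    the window whose sources never sent the completing ACK."""
    window = timedelta(seconds=window_seconds)
    pending = defaultdict(dict)   # dst -> {src: syn timestamp}
    fired, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        p = pending[e["dst"]]
        if e["kind"] == "tcp_syn":
            p[e["src"]] = e["ts"]
        elif e["kind"] == "tcp_ack":
            p.pop(e["src"], None)          # handshake completed: no longer suspicious
        for src in [s for s, t in p.items() if t < e["ts"] - window]:
            del p[src]                     # age out old half-open entries
        if len(p) >= threshold and e["dst"] not in fired:
            fired.add(e["dst"])
            alerts.append((e["dst"], len(p)))
    return alerts


if __name__ == "__main__":
    print(ftp_failed_then_success(FTP_EVENTS))
    print(syn_flood(TCP_EVENTS))
```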
  • Excess suspicious activity alerts

    Some correlation events may be less significant and may not require an alert. But these correlation events happening excessively in a time period (the same event or different less significant events) generally point to a problem. Comodo NxSIEM enables recursive correlations to handle this situation.

    • Possible Data Sources: Correlated events
    • Technique: Generate alert for excessive correlated events in a time period.
    • Remediation: Analyze event sources for excessive events.
  • Detecting initial compromise

    Attackers generally tend to place a process that runs automatically on a compromised system to persist after reboot or for command and control. Detecting suspicious processes on systems contributes to protecting from an advanced attack by taking proper actions.

    • Possible Data Sources: Linux audit logs, Windows security event logs, live list of safe processes
    • Technique: Generate correlated alert for suspicious processes started in a single system that are not in safe processes list.
    • Remediation: Perform malware scan, analyze the process, terminate and delete process.
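The safe-process live list above is an allowlist: every process start event is compared against it and anything not listed raises an alert. The block below is an added example of that comparison, not Comodo's list or engine. The process paths, host names and the rule that Windows paths are compared case-insensitively while Linux paths are not are assumptions made for the example.

```python
# Constructed safe-process live list (placeholder entries, not the product's list):
# executable paths that are expected to start on the monitored hosts, stored in
# their normalized form (lower-case for Windows).
SAFE_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    "/usr/sbin/sshd",
    "/usr/sbin/cron",
}

# Constructed process-start events: (host, platform, executable path as logged)
SAMPLE_EVENTS = [
    ("win-ws01", "windows", r"C:\Windows\System32\svchost.exe"),
    ("win-ws01", "windows", r"C:\Users\Public\updater.exe"),      # not in the list
    ("win-ws01", "windows", r"C:\USERS\PUBLIC\UPDATER.EXE"),      # same binary, different case
    ("win-ws01", "windows", '"C:\\Windows\\System32\\lsass.exe"'),  # quoted, as some logs write it
    ("lnx-srv02", "linux", "/usr/sbin/sshd"),
    ("lnx-srv02", "linux", "/tmp/unexpected-binary"),           # not in the list
]


def normalize(path, platform):
    """Strip surrounding quotes and whitespace; fold case only on Windows,
    whose file system is case-insensitive."""
    p = path.strip().strip('"')
    return p.lower() if platform == "windows" else p


def unsafe_process_starts(events, safe=SAFE_PROCESSES):
    """Return one (host, normalized path) alert per process not in the safe
    list; repeats of the same process on the same host are de-duplicated."""
    seen = set()
    alerts = []
    for host, platform, path in events:
        key = (host, normalize(path, platform))
        if key[1] in safe or key in seen:
            continue
        seen.add(key)
        alerts.append(key)
    return alerts


if __name__ == "__main__":
    for alert in unsafe_process_starts(SAMPLE_EVENTS):
        print(alert)
```

Normalizing before the comparison matters in both directions: without it the quoted and upper-case variants of a listed binary would raise false alerts, and a list that is not normalized the same way as the events would silently stop matching.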
  • Track user login/logout for Compliance

    Tracking user login and log out for sensitive systems is not only an important compliance mandate but also a fundamental security requirement.

    • Possible Data Sources: User login and logout information from all sources, Active Directory
    • Technique: Generate scheduled report that runs daily for all login and logout events.
    • Remediation: Download and save the report for audit.
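As an added example (not Comodo's report engine) of what the daily login/logout report above produces, the block below pairs logon and logoff events per host and user for one day and lists sessions that were still open at the end of the day with an empty logoff column. The host, user and event names are constructed.

```python
from datetime import datetime, date

# Constructed logon/logoff events (not real logs): (ISO timestamp, host, user, event)
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:00", "fin-db01", "alice", "logon"),
    ("2024-03-01T08:05:00", "fin-db01", "bob", "logon"),
    ("2024-03-01T12:30:00", "fin-db01", "alice", "logoff"),
    ("2024-03-01T23:50:00", "fin-db01", "carol", "logon"),   # still logged on at end of day
    ("2024-03-02T01:00:00", "fin-db01", "bob", "logoff"),    # next day: outside this report
]


def daily_report(events, day_iso):
    """Rows of (host, user, logon, logoff) for one day. A logoff without a
    matching logon in the day has logon None; an open session has logoff None."""
    day = date.fromisoformat(day_iso)
    open_sessions = {}
    rows = []
    for ts, host, user, kind in sorted(events):   # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if t.date() != day:
            continue
        key = (host, user)
        if kind == "logon":
            open_sessions[key] = t
        elif kind == "logoff":
            start = open_sessions.pop(key, None)
            rows.append((host, user, start.isoformat() if start else None, t.isoformat()))
    for (host, user), start in open_sessions.items():
        rows.append((host, user, start.isoformat(), None))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def report_csv(events, day_iso):
    """Render the report as CSV text suitable for saving as audit evidence."""
    lines = ["host,user,logon,logoff"]
    for host, user, logon, logoff in daily_report(events, day_iso):
        lines.append(",".join([host, user, logon or "", logoff or ""]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report_csv(SAMPLE_EVENTS, "2024-03-01"))
```

Reporting open sessions explicitly rather than dropping them is what makes the report useful for review: a logon on a sensitive system with no logoff in the same day is exactly the row a reviewer wants to see.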
  • Reducing False Positives IDS

    Intrusion detection systems are important elements of a secure network topology. Because they are signature based, they generate many false positives that prevent realistic analysis and distinction between what is secure and what is not. Comodo NxSIEM's correlation of IDS alerts with other log sources radically decreases the false positives of intrusion detection systems.

    • Possible Data Sources: IDS alerts, logs from other sources
    • Technique: Correlate IDS events with other events from related log sources.
    • Remediation: Generate alert using correlated events.
  • Single pane of glass reporting for security best practices and compliance

    Daily log review is an important requirement in PCI DSS compliance. Automated daily log review over scheduled reports is encouraged by the same authority. Comodo NxSIEM offers scheduled reports and custom report generation and scheduling in order to get reports needed for daily log review and other requirements.

    • Possible Data Sources: IDS alerts, logs from other sources
    • Technique: Use the predefined reports of Comodo NxSIEM for best practice and compliance. Below is an example of best practice reports for Windows-only environments:
      1. Windows User Account Created
      2. Windows User Account Modified
      3. Windows User Account Deleted
      4. Windows User Group Created
      5. Windows User Group Modified
      6. Windows User Group Deleted
      7. Remote Desktop Sessions (connect/disconnect)
      8. Active Directory global catalog change report
      9. Active Directory global catalog demotion report
      10. USB device connect/disconnect tracking
      11. Object permission changes
      12. Tracking Privilege use on systems(success/failure)
      13. Tracking special logons (Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on)
  • Ad-hoc reporting for compliance audits

    It is not uncommon for an auditor to want information that requires custom query or report generation during a compliance audit. Comodo NxSIEM offers powerful ad-hoc query and reporting features that simplify this process.

    • Possible Data Sources: All Log sources
    • Technique: Create, save and run custom queries and reports using Comodo NxSIEM.