SIEM Correlation Does Not Just Mean "If Y Events Occur Within X Time" or "If Event A Occurs".

  • Fortigate Policy Change
  • Worm Activity Detected
  • Too Many Fail Logon Activity
  • Suspicious Logon Activity
  • Brute Force Detected
  • Detection of unauthorized access to shared folders
  • Detection of PowerShell attacks
  • Email Accounts which sent Email to Multiple Different Domain
  • HTTP flood attack detection
  • Rogue DHCP server detection
  • Detection of 5 failed logon attempts within 2 minutes (Multiple Logon Failure)
  • Port scan detection
  • Detect botnet activity when it occurs
  • Brute Force Oracle DB Attack Detected
  • Brute Force RDP Attack Detected
  • Brute Force VPN Attack Detected
  • Firewall Admin Login Failure
  • Firewall Policy Authentication Failure
  • Firewall Portal Login Failure
  • Excessive Web Server Errors Detected
  • DDoS Attack Event Detected
  • DNS DDoS Attack Detected
  • External TCP Flood Attack Detected
  • Suspicious TCP Traffic Detected from Many Hosts to a Single Target
  • SQLServer Password Reset
  • Powershell Process Created by Chrome
  • Multiple Unauthorized File Change Attempts Detected
  • External Host Login Successful from Foreign Country
  • Multiple Login Failures User Detected on MsSQL
  • Off-hours Logon Attempt on Datacenter Network
  • Scanner Host Logon Attempt Detected
  • User Added to VPN Group
  • Spam Hosts Detected by Threat Intelligence Source
  • Virus Host Detected by Threat Intelligence Source
  • Windows Policy Changed
  • Suricata/Snort Abnormal Telnet Activity Detected
  • Large Data Transfer Detected from DMZ Server
  • XSS Attack Patterns Detected on Apache Web Server
  • SQL Injection Detected After Scanning
  • Excessive Successful Web Connections Detected
  • Alert if a user has not logged in for more than 2 months
  • Alert if a user has not changed their password for more than 30 days
  • Alert if an RDP session stays open for more than 4 hours
  • Alert if a VPN session stays open for more than 4 hours
  • Alert if someone downloads 1000 MB or more within 5 minutes, or 500 MB from the same destination IP/domain within 10 minutes
  • Alert if a device (MAC) has not changed its IP address for more than 72 hours
  • Abnormal mail to/from acbfgtysss.xy for the organization
  • Abnormal activity duration/session count
  • Abnormal amount of bytes transmitted
  • Abnormal amount of data egressed to competitor domains compared to past behavior
  • Abnormal amount of data egressed to non-business domains compared to past behavior
  • Abnormal amount of data egressed to personal email account compared to past behavior
  • Abnormal amount of data egressed to removable media compared to past behavior
  • Abnormal amount of login attempt detected on MFA
  • Abnormal Email counts
  • Abnormal session start time
  • Access to internal applications / servers/ peers
  • Account creation/ disable/ lockout / deletion rates
  • Activity duration/ session counts
  • Authentication anomaly-Country Mismatch
  • Alert if the same user is connected over VPN to one machine while at the same time RDP'ing into another machine
  • Detect if the same user has more than two failed logons to the same machine within a day without a single successful logon
  • Alert if a user accesses a domain nobody in the company has visited before, at least once a day and more than twice a week
  • New city access for the first time
  • Alert if a domain was created within the last 24 hours and is not in the Alexa top 1 million, not in the Cisco Umbrella top 1 million, and not on our whitelist
  • Alert if a user who has not used VPN for at least 15 days (20, 30, 40, 365 days) has remote interactive logons on more than one workstation within a short period
  • If a machine or user that has been silent for at least 30 days or more (e.g. 40, 60, 90, 365 days) is seen on the network again, shut the machine down and disable the user
  • Entropy Mismatch
  • Excessive user logons on hosts
  • First access to database mssql for user
  • First access to device for the user
  • First activity from ISP
  • First connection from Source IP
  • First time user is performing an activity from this device
  • First VPN connection from device for the user
  • High number of accounts from the same IP address for authentication failures or lockout events
  • High number of accounts from the same IP address for successful authentications or run-as events
  • High number of accounts used on a workstation for authentication failures or lockout events
  • High number of accounts used on a workstation for successful authentications or run as events
  • High number of hosts accessed for authentication failures or lockout events
  • High number of hosts accessed for successful authentication events or run as events
  • High number of hosts accessed while enumerating critical ports
  • High number of redirected/blocked attempts
  • High number of run as activity across hosts
  • High number of server errors
  • If a user accesses sensitive files and at the same time the same user has a connection to file sharing sites then notify
  • If an account not used in at least the last 30 days (31–40–60–90–180 days etc.) notify/lock/delete the account automatically
  • Alert if the time between two logins is less than 1 minute
  • Alert if the time between two failed logins is less than 1 minute
  • Impossible Travel Detection in Real-Time (VPN Anomaly)
  • Alert if a server that was shut down has not come back up within 4 hours
  • Alert if a user account was created and has not been used for 72 hours
  • Landspeed Anomaly detected
  • Logon from a rare country
  • New host logins
  • New processes / Registry changes
  • Odd time of access (first and last access)
  • Odd time of email activity
  • Odd time of logins
  • Alert if the Oracle database reports authentication failures from the GUI client (Oracle Management Studio) and the console (SQL*Plus) at the same time
  • Alert if mail arrives from sender addresses that look similar to a legitimate (original) mail address
  • Password change rates
  • Successful/Failed login activity rates
  • Upload/download deviations
  • Alert if a virus was found and has not been cleaned for more than 8 hours
  • VPN connection from a known anonymous proxy
  • Suspicious creation of new network ACL
  • Suspicious creation of security group
  • Suspicious deleting a rule from a network ACL
  • Suspicious deletion of customer gateway
  • Abnormal number of discover requests from a client
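The point of the list above is that most of these rules cannot be expressed as a plain "Y events in X seconds" counter: they need per-user or per-host state that spans a day, a session interval, or a geolocation history. The following is an added example for this page, not code from the original post or from any SIEM product. It runs four of the listed rules over a constructed event stream: the plain 5-failures-in-2-minutes threshold, the "more than two failures on a host with no success that day" rule, the "VPN to one machine while RDP to another" rule, and impossible-travel (landspeed) detection. The event field names (ts, user, src, dst, kind, end, lat, lon) and the 900 km/h speed limit are assumptions made for the example; the events themselves are constructed, not real logs.

```python
"""Stateful SIEM-style correlation over constructed sample events.

Added example, not code from the original page. Field names and the
sample events below are assumptions; ts is seconds since midnight UTC
of a single day, end is the VPN session end time in the same units.
"""
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt

# Constructed events (not real logs).
EVENTS = [
    # alice: 5 failures in 80 seconds from one source -> plain threshold rule
    *[{"ts": 100 + 20 * i, "user": "alice", "src": "10.0.0.5", "dst": "dc01",
       "kind": "logon_failure"} for i in range(5)],
    # bob: 3 failures on fs01 spread over the day, never succeeds there
    *[{"ts": 3600 * h, "user": "bob", "src": "10.0.0.9", "dst": "fs01",
       "kind": "logon_failure"} for h in (2, 9, 15)],
    # carol: 3 failures on fs01 but then a success -> must NOT alert
    *[{"ts": 3600 * h, "user": "carol", "src": "10.0.0.7", "dst": "fs01",
       "kind": "logon_failure"} for h in (3, 4, 5)],
    {"ts": 3600 * 6, "user": "carol", "src": "10.0.0.7", "dst": "fs01",
     "kind": "logon_success"},
    # dave: VPN session to vpn01 is open while he RDPs into ws22
    {"ts": 30000, "end": 36000, "user": "dave", "src": "203.0.113.8",
     "dst": "vpn01", "kind": "vpn"},
    {"ts": 32000, "user": "dave", "src": "10.0.0.12", "dst": "ws22",
     "kind": "rdp"},
    # erin: logon from Istanbul, then from Tokyo 30 minutes later
    {"ts": 40000, "user": "erin", "src": "198.51.100.4", "dst": "portal",
     "kind": "logon_success", "lat": 41.01, "lon": 28.98},
    {"ts": 41800, "user": "erin", "src": "198.51.100.77", "dst": "portal",
     "kind": "logon_success", "lat": 35.68, "lon": 139.69},
]


def multiple_logon_failure(events, window=120, threshold=5):
    """Plain counter rule: >= threshold failures per (user, src) in a sliding window."""
    hits, recent = set(), defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "logon_failure":
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(key)
    return hits


def failures_without_success(events, min_failures=3):
    """Whole-day rule: >= min_failures failures on a host and no success there."""
    failures, successes = defaultdict(int), set()
    for e in events:
        key = (e["user"], e["dst"])
        if e["kind"] == "logon_failure":
            failures[key] += 1
        elif e["kind"] == "logon_success":
            successes.add(key)
    return {k for k, n in failures.items() if n >= min_failures and k not in successes}


def concurrent_vpn_and_rdp(events):
    """Session rule: an RDP logon to host B while the user's VPN session to host A is open."""
    vpn = [e for e in events if e["kind"] == "vpn"]
    hits = set()
    for r in (e for e in events if e["kind"] == "rdp"):
        for v in vpn:
            if (v["user"] == r["user"] and v["dst"] != r["dst"]
                    and v["ts"] <= r["ts"] <= v["end"]):
                hits.add((r["user"], v["dst"], r["dst"]))
    return hits


def _km(a, b):
    """Great-circle (haversine) distance in km between two events with lat/lon."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900):
    """Landspeed rule: consecutive geolocated logons implying speed above max_kmh."""
    last, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "logon_success" or "lat" not in e:
            continue
        p = last.get(e["user"])
        if p is not None:
            hours = (e["ts"] - p["ts"]) / 3600
            dist = _km(p, e)
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((e["user"], round(dist), round(speed)))
        last[e["user"]] = e
    return hits


if __name__ == "__main__":
    print("multiple_logon_failure:", multiple_logon_failure(EVENTS))
    print("failures_without_success:", failures_without_success(EVENTS))
    print("concurrent_vpn_and_rdp:", concurrent_vpn_and_rdp(EVENTS))
    print("impossible_travel:", impossible_travel(EVENTS))
```

Only the first rule is a windowed counter. The second needs the full day's history for every (user, host) pair before it can decide, the third needs session intervals rather than point events, and the fourth needs enrichment (geolocation) and a computed derived value (speed) before a threshold is even applicable; carol's case shows why a later success must suppress the alert.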

Ertugrul Akbas

Entrepreneur, Security Analyst, Research.