SureLog SIEM Only Unique Use Cases

Ertugrul Akbas
2 min read · Nov 5, 2020

Not all SIEM solutions are equal, and not all SIEM use cases are the same. SureLog has the most powerful detection and correlation engine. Below are some unique use cases from the SureLog SIEM correlation library.

  • If a user has failed logins to the same machine on at least three or four consecutive days with no successful login in between, and the attempts are spaced at least four to five hours apart, detect. This pattern is not caught by well-known legacy SIEM rules such as “three authentication failures from the same user to the same machine within thirty minutes”.
  • If the same user from the same machine has 3 failed authentications within 5 minutes, and within 5 minutes after the 3rd failure there is a successful authentication from one of the machines the user failed against back to the user’s machine, detect.
  • An attacker wants to evade classic SIEM rules such as “3 unsuccessful sessions in 5 or 10 minutes”: he attempts authentication and fails, waits 10 minutes, tries once more, waits another 10 minutes, and tries again. Detect this low-and-slow pattern.
  • If the same virus is detected on three different machines within fifteen minutes, and one of these machines attempts a brute-force attack in the next five minutes, detect.
  • If the same IP logs on to a Linux server, then logs on to a Windows server, and then a service is turned on or off on either server, detect.
  • If the same user has failed logon attempts on two different machines within fifteen minutes, and within five minutes after the second failure one of these machines connects to an IP on the threat intelligence list, detect.
  • If a user has failed logins on at least three days in a week, with two or more failures on each of those days, detect.
  • If a machine is blocked by the firewall three or more times in different hours of the same day, detect.

The use cases above are specific to SureLog Next-Gen SIEM. They also illustrate the detection models: users can create new correlation rules like these with SureLog’s rule structure.

Some other use cases are detected in real time by SureLog, while search-based competitors of SureLog detect them only with delay. Other competitors cannot detect them at all because of the long time window involved (24 hours or more). Detecting these use cases with search-based tools such as Elastic or Splunk also consumes too many system resources.

  • The same user gets locked out twice or more within a day
  • A user is still logged on, and someone else logs on with a different IP using the same username to any machine
  • A user is deleted within 24 hours of being created
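The three cases above are all pairings of two events that may be up to a day apart. The added example below (not SureLog’s code) shows how a streaming correlator keeps just enough state per user, in memory, to raise each alert at the moment the second event arrives, instead of periodically searching a 24-hour window. Event types, field names, IPs and user names are this example’s own constructed assumptions.

```python
"""Real-time pairing of related events with per-user in-memory state.

Added example (not SureLog's code). One Correlator consumes events in time
order and raises an alert when the second half of a pair arrives:
  repeat_lockout       the same user locked out twice within 24 h
  concurrent_logon     a logon for a username that still has an open session
                       from a different source IP
  short_lived_account  a user deleted within 24 h of being created
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, kind, user, ip=None, host=None):
    """Build one constructed event; the field names are this example's own."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "type": kind, "user": user, "ip": ip, "host": host}


# Constructed sample stream (not real logs).
SAMPLE_EVENTS = [
    ev("2020-11-05 08:00:00", "USER_CREATED", "svc-tmp"),
    ev("2020-11-05 08:10:00", "LOGON", "alice", ip="10.0.0.5", host="ws-01"),
    ev("2020-11-05 08:30:00", "LOCKOUT", "bob"),
    ev("2020-11-05 09:00:00", "LOGON", "alice", ip="10.0.0.77", host="srv-02"),  # ws-01 session still open
    ev("2020-11-05 09:30:00", "LOGOFF", "alice", ip="10.0.0.77", host="srv-02"),
    ev("2020-11-05 14:00:00", "LOCKOUT", "bob"),                                  # second lockout today
    ev("2020-11-05 17:00:00", "LOGOFF", "alice", ip="10.0.0.5", host="ws-01"),
    ev("2020-11-05 18:00:00", "LOGON", "alice", ip="10.0.0.9", host="ws-03"),     # no open session: benign
    ev("2020-11-06 06:00:00", "USER_DELETED", "svc-tmp"),                         # 22 h after creation
    ev("2020-11-06 09:00:00", "LOCKOUT", "bob"),                                  # first lockout since the alert
]


class Correlator:
    def __init__(self, lockout_window=timedelta(hours=24),
                 delete_window=timedelta(hours=24), session_ttl=timedelta(hours=12)):
        self.lockout_window = lockout_window
        self.delete_window = delete_window
        self.session_ttl = session_ttl        # guards against sessions with no logoff
        self.lockouts = defaultdict(deque)    # user -> lockout times inside window
        self.sessions = defaultdict(dict)     # user -> {source ip: (host, logon time)}
        self.created = {}                     # user -> creation time
        self.alerts = []

    def feed(self, event):
        """Process one event and return the alerts it raises (rule, user, time)."""
        ts, kind, user = event["ts"], event["type"], event["user"]
        raised = []
        if kind == "LOCKOUT":
            q = self.lockouts[user]
            q.append(ts)
            while ts - q[0] > self.lockout_window:
                q.popleft()
            if len(q) >= 2:
                raised.append(("repeat_lockout", user, str(ts)))
                q.clear()                     # fire once per pair
        elif kind == "LOGON":
            live = self.sessions[user]
            for ip in [ip for ip, (_, t0) in live.items() if ts - t0 > self.session_ttl]:
                del live[ip]                  # expire stale sessions before comparing
            if any(ip != event["ip"] for ip in live):
                raised.append(("concurrent_logon", user, str(ts)))
            live[event["ip"]] = (event["host"], ts)
        elif kind == "LOGOFF":
            self.sessions[user].pop(event["ip"], None)
        elif kind == "USER_CREATED":
            self.created[user] = ts
        elif kind == "USER_DELETED":
            born = self.created.pop(user, None)
            if born is not None and ts - born <= self.delete_window:
                raised.append(("short_lived_account", user, str(ts)))
        self.alerts.extend(raised)
        return raised


def run(events):
    """Feed a whole constructed stream in time order and return every alert."""
    c = Correlator()
    for e in sorted(events, key=lambda e: e["ts"]):
        c.feed(e)
    return c.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(*alert)
```

Each rule resolves on the arriving event with a constant amount of state per user (a short deque of lockout times, a map of open sessions, one creation timestamp), which is why the alert can be raised immediately; a search-based approach has to join the new event against everything logged in the previous 24 hours. The session rule depends on logoff events being reliable, so the example expires sessions after a time-to-live as well; without that, a missed logoff would leave a stale session that fires false concurrent-logon alerts forever.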
